


VMs Help Ransomware Attackers Evade Detection, but It's Uncommon

Some ransomware attackers use virtual machines to bypass security detection, but adoption is slow for the complicated technique.

Security researchers have discovered another ransomware group using virtual machines (VMs) to slip past defensive tools on target devices. While effective in hiding ransomware activity, this tactic is more complex than a traditional ransomware attack and may hamper the attackers' efforts.

The trend emerged last year, when Sophos researchers found Ragnar Locker ransomware was being deployed as a full VM on each targeted device to hide the ransomware from view. A few months later, the Maze ransomware group was spotted using the same technique, albeit with some differences. Ragnar Locker was deployed inside an Oracle VirtualBox Windows XP VM, for example, while the Maze-delivered VM was running Windows 7.


Now Symantec researchers have found another group using VMs to run ransomware payloads on compromised machines. In this case, the attackers had installed a VirtualBox VM on some infected computers, and the VM they used appeared to be running Windows 7, they report.

While the payload running in the VM was not identified, there are "reasonably strong indicators" that it's Conti: A username and password combination used in the attack had previously been linked to older Conti activity in April. However, on the same computer on which the VM was deployed, Symantec also saw Mount Locker ransomware being deployed.

This was strange, they say, as the purpose of running a payload in a VM is to evade detection. It didn't make sense to also deploy it on the host machine. Researchers hypothesize the attacker could be an affiliate with access to both Conti and Mount Locker. They may have tried to run a payload on a VM, and when that didn't work, they chose to run Mount Locker on the host.

The primary goal with this tactic is to evade detection by hiding the attack in a VM so the encryption process flies under the radar. Attackers map file shares on the network from inside the VM and encrypt them, rather than running the ransomware natively on the machine.

While more subtle, this technique is more difficult for the attackers to pull off, notes Dick O'Brien, principal editor for the Symantec Threat Hunter team.

"It's adding another degree of complexity," he says of the use of VMs. "You have to set up the virtual machine so that it has permissions to encrypt files, or access files, on the host computer." 

In this case, the Symantec team suspects the attackers didn't get it exactly right.

Stealth, But Complicated
When Sophos first detected Ragnar Locker using VMs, the researchers expected it to be a growing trend. A virtual machine is legitimate software, so it shouldn't raise any red flags on traditional antivirus tools and let attackers operate unnoticed. But months went by before they spotted Maze using the technique in September 2020.

"The challenges are immense on the criminal side," says Chet Wisniewski, principal research scientist at Sophos, explaining why he thinks the use of VMs in ransomware attacks remains uncommon. It's a complicated – and slow – way to launch a ransomware attack.

A virtual machine is "a big file – it's something that can be noticed and detected," and it would likely be blocked by existing security mechanisms, he notes. It's not something a business would expect to have downloaded through its firewalls or for IT to permit in its environment.

Further, he adds, most of the servers attackers target are already virtualized. This means they're running a VM inside a VM, which isn't the most reliable strategy when locking up someone's files. Big-game groups after multimillion-dollar ransoms have a pattern, he says. They break in, stay silent, find the sensitive data they plan to encrypt, and trigger an attack within seven to 10 days. Usually this starts in the evening or on a Friday, so they have more time to encrypt the files.

"If you start doing this from a virtual machine, you're amplifying the amount of time it's going to take – another negative for criminals for this tactic," Wisniewski adds. Because VMs are slower and the files are reached over a mapped network drive, it's "significantly slower" than doing the encryption operation natively on the computer itself.

He notes that attackers who use this technique will only do so if it makes sense for a specific victim. Legacy environments are especially vulnerable here. If a group with admin credentials breaks in and notices a business is running legacy antivirus managed locally, they can turn it off. If it's cloud-based and there's no multifactor authentication, they can turn it off there, too.

"Once they break into each victim, they're reacting to what's around them," he says. 

Legacy environments are less likely to have security tools that react to a technique like this one. One reason the tactic is still rare is that it only works where the attackers can get around the security tools already in place.

How Businesses Can Respond
Organizations aware of this technique are advised to take steps to defend against attackers.

"I think awareness is really key in terms of knowing how they get into your organization and how they get across your network, in terms of obtaining credentials and moving laterally," says O'Brien, who urges businesses to regularly change their credentials and limit users to activity they're meant to be doing. If someone has no reason to create a VM, block them from doing it.

"Be a bit more rigid in terms of the policies you apply," he adds.

In general, it's not a bad idea to block these applications from being used where they shouldn't be used, Wisniewski says. He refers to VirtualBox, which is commonly used in these attacks, as something that should be blocked from running in your environment and detected whenever it is installed or downloaded somewhere unusual.

"That should never happen on a server," he says. It may run on a workstation, but virtualization software wouldn't normally run on a server.

The same ransomware defense advice still applies here, he notes. Where it pivots is in detecting the virtualization process and ensuring servers have security software installed rather than expecting endpoint protection tools will protect them from these kinds of attacks.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
