VMs Help Ransomware Attackers Evade Detection, but It's Uncommon

Some ransomware attackers use virtual machines to bypass security detection, but adoption is slow for the complicated technique.

Security researchers have discovered another ransomware group using virtual machines (VMs) to slip past defensive tools on target devices. While effective in hiding ransomware activity, this tactic is more complex than a traditional ransomware attack and may hamper the attackers' efforts.

The trend emerged last year, when Sophos researchers found Ragnar Locker ransomware was being deployed as a full VM on each targeted device to hide the ransomware from view. A few months later, the Maze ransomware group was spotted using the same technique, albeit with some differences. Ragnar Locker was deployed inside an Oracle VirtualBox Windows XP VM, for example, while the Maze-delivered VM was running Windows 7.


Now Symantec researchers have found another group using VMs to run ransomware payloads on compromised machines. In this case, the attackers had installed a VirtualBox VM on some infected computers, and the VM they used appeared to be running Windows 7, they report.

While the payload running in the VM was not identified, there are "reasonably strong indicators" that it's Conti: a username and password combination used in the attack had previously been linked to Conti activity in April. However, on the same computer on which the VM was deployed, Symantec also saw Mount Locker ransomware being deployed.

This was strange, they say, as the purpose of running a payload in a VM is to evade detection. It didn't make sense to also deploy it on the host machine. Researchers hypothesize the attacker could be an affiliate with access to both Conti and Mount Locker. They may have tried to run a payload on a VM, and when that didn't work, they chose to run Mount Locker on the host.

The primary goal of this tactic is evasion: the encryption runs inside the VM, so security tools on the host see a legitimate virtualization process touching files rather than a ransomware binary. Instead of running the ransomware natively on the machine, attackers map file shares on the network from inside the VM and encrypt them through those mapped drives.

While more subtle, this technique is more difficult for the attackers to pull off, notes Dick O'Brien, principal editor for the Symantec Threat Hunter team.

"It's adding another degree of complexity," he says of the use of VMs. "You have to set up the virtual machine so that it has permissions to encrypt files, or access files, on the host computer." 

In this case, the Symantec team suspects the attackers didn't get it exactly right.

Stealth, But Complicated
When Sophos first detected Ragnar Locker using VMs, the researchers expected it to become a growing trend. A virtual machine is legitimate software, so it shouldn't raise any red flags with traditional antivirus tools and should let attackers operate unnoticed. But months went by before they spotted Maze using the technique, in September 2020.

"The challenges are immense on the criminal side," says Chet Wisniewski, principal research scientist at Sophos, of why he thinks the use of VMs in ransomware attacks is still uncommon. It's a complicated – and slow – way to launch a ransomware attack.

A virtual machine is "a big file – it's something that can be noticed and detected," and it would likely be blocked by existing security mechanisms, he notes. It's not something a business would expect to have downloaded through its firewalls or for IT to permit in its environment.

Further, he adds, most servers attackers are targeting already are virtualized. This means they're running a VM inside a VM, which isn't the most reliable strategy when locking up someone's files. Big-game groups after multimillion-dollar ransoms have a pattern, he says. They break in, stay silent, find the sensitive data they plan to encrypt, and trigger an attack within seven to 10 days. Usually this starts in the evening or on a Friday, so they have more time to encrypt the files.

"If you start doing this from a virtual machine, you're amplifying the amount of time it's going to take – another negative for criminals for this tactic," Wisniewski adds. Because VMs are slower and it's a mapped network drive, it's "significantly slower" than doing the encryption operation natively on the computer itself.

He notes that attackers who use this technique will only do so if it makes sense for a specific victim. Legacy environments are especially vulnerable here. If a group with admin credentials breaks in and notices a business is running legacy antivirus managed locally, they can turn it off. If it's cloud-based and there's no multifactor authentication, they can turn it off there, too.

"Once they break into each victim, they're reacting to what's around them," he says. 

Legacy environments are less likely to have security tools that react to a technique like this one. A reason this tactic is still rare is it will only work in scenarios where it can work around the security tools in place.

How Businesses Can Respond
Organizations aware of this technique are advised to take steps to defend against attackers.

"I think awareness is really key in terms of knowing how they get into your organization and how they get across your network, in terms of obtaining credentials and moving laterally," says O'Brien, who urges businesses to regularly change their credentials and limit users to activity they're meant to be doing. If someone has no reason to create a VM, block them from doing it.

"Be a bit more rigid in terms of the policies you apply," he adds.

In general, it's not a bad idea to block these applications from being used where they have no business running, Wisniewski says. VirtualBox, which is commonly used in these attacks, should either be blocked from running in your environment or, at minimum, detected when it's installed or downloaded somewhere unusual.

"That should never happen on a server," he says. It may run on a workstation, but virtualization software wouldn't normally run on a server.

The same ransomware defense advice still applies here, he notes. What changes is the emphasis: detect the virtualization process itself, and make sure servers have security software installed rather than assuming the endpoint protection deployed on workstations will cover them against these kinds of attacks.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
