Ragnarlocker Group Uses Virtual Machines to Trick Security Software

Ragnarlocker is a strain of ransomware associated with and run by an eponymous group of bad actors. The ransomware has been around for just a few months, with the first known attacks using Ragnarlocker taking place in December 2019, but it is already coming up with new tricks.

Security experts with Sophos noticed a new attack using Ragnarlocker in May 2020, but this time the approach was very unusual. The bad actors first installed VirtualBox – an open-source virtualization application – on the victim’s system and then deployed the ransomware inside a virtual machine (VM). This allows the ransomware to run in an isolated environment, hidden away from security software running on the actual physical system.

Hackers Abuse VMs to Avoid Detection

The new trick Ragnarlocker uses to deploy while avoiding detection is relatively simple, yet clever. The ransomware downloads and installs VirtualBox and configures the VM to allow full access to the physical drives of the infected system, which allows anything running on the VM to affect the physical machine. Next, the ransomware loads a barebones version of Windows XP on the VM, before finally loading the actual payload within the VM. Because the ransomware executes within the confines of the virtual machine, any antivirus software installed on the victim’s physical system will not be able to pick up any malicious activity.

Security software views the changes made to encrypted files as originating from the legitimate, safe VirtualBox process and no red flags are raised, allowing the ransomware to work in peace. Researchers with Sophos also noted that this is the first time they have observed ransomware abusing a virtual machine to infect targets.
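Because the file changes are attributed to the VirtualBox process, a defender can treat a hypervisor process that modifies many host files other than its own VM artifacts as a signal in its own right. The sketch below is an added example, not code from Sophos or the original article; the event field names, hosts, paths, sample events and threshold are constructed assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# VirtualBox host-side process names; extend for other hypervisors in your estate.
HYPERVISOR_IMAGES = {"vboxheadless.exe", "virtualboxvm.exe", "vboxsvc.exe"}
# Files a hypervisor is expected to write on the host: disk images, VM config, state, logs.
VM_ARTIFACT_EXTS = {".vdi", ".vmdk", ".vhd", ".vbox", ".vbox-prev", ".sav", ".log"}


def flag_hypervisor_file_activity(events, threshold=3):
    """Return {host: sorted non-VM files modified by a hypervisor process}
    for hosts where the number of such files reaches `threshold`."""
    touched = defaultdict(set)
    for ev in events:
        image = PureWindowsPath(ev["image"]).name.lower()
        if image not in HYPERVISOR_IMAGES:
            continue  # ordinary process, covered by normal endpoint rules
        target = PureWindowsPath(ev["target"])
        if target.suffix.lower() in VM_ARTIFACT_EXTS:
            continue  # expected hypervisor output
        touched[ev["host"]].add(str(target).lower())
    return {h: sorted(f) for h, f in touched.items() if len(f) >= threshold}


# Constructed file-modification telemetry; hosts, paths and field names are assumptions.
VBOX = r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe"
ODD_VBOX = r"C:\ExampleDir\vm\VBoxHeadless.exe"  # constructed non-default location
SAMPLE_EVENTS = [
    # WS-01: a developer's VM writing only its own disk image and log.
    {"host": "WS-01", "image": VBOX, "target": r"C:\Users\dev\VirtualBox VMs\lab\lab.vdi"},
    {"host": "WS-01", "image": VBOX, "target": r"C:\Users\dev\VirtualBox VMs\lab\Logs\VBox.log"},
    {"host": "WS-01", "image": r"C:\Office\WINWORD.EXE", "target": r"C:\Users\dev\notes.docx"},
    # FS-02: a hypervisor process rewriting business documents on host drives.
    {"host": "FS-02", "image": ODD_VBOX, "target": r"D:\Finance\q1.xlsx"},
    {"host": "FS-02", "image": ODD_VBOX, "target": r"D:\HR\staff.docx"},
    {"host": "FS-02", "image": ODD_VBOX, "target": r"E:\Projects\plan.pdf"},
]

if __name__ == "__main__":
    for host, files in flag_hypervisor_file_activity(SAMPLE_EVENTS).items():
        print(f"{host}: hypervisor process modified {len(files)} non-VM files")
```

In practice the events would be bucketed by time window, and on hosts where virtualization software is not expected, the VirtualBox installation itself is worth an alert.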

The Ragnarlocker group is relatively high-profile, targeting only organizations and businesses rather than home users. The ransoms the group demands are often in the hundreds of thousands of dollars, and it customizes the payload for each of its victims.