Ragnar Locker gang is thinking outside the box, to get inside the box! You’d think of the same if learned about how this ransomware group levelled up to steal the data from the computer. Ragnar Locker has updated with a new, and simple trick to his from antivirus softwares in the system and steal sensitive information. This is through installing and running its ransomware malware inside a Virtual Box!

The New Method

Ragnar Locker Ransomware Uses Oracle VirtualBox to Steal Data Stealthily
Ragnar Locker Ransomware Uses Oracle VirtualBox to Steal Data Stealthily

Ragnar Locker ransomware group has a previous track record of targeting entities, rather than Individuals. This gang has recently hit Energias de Portugal (EDP), and stole 10TB worth data for a ransom price of 1,580 Bitcoin! Ragnar Locker ransomware carefully selects its targets, mostly corporates and governments, and crafts customized malware accordingly. This is to scrape the lumpsum payments in hundreds of thousands of dollars rather than petty tips from home users.

And this ransomware has evolved with a new trick to hide better. This is by using Oracle’s old VirtualBox software! As a cybersecurity firm, Sophos revealed, Ragnar Locker group was found to be shifting its focus to Virtual Boxes, away from Windows RDP, Managed Service Provider, PowerShell, etc as in past attacks.

Installed VirtualBox in Program Files of C: disk.
Installed VirtualBox in Program Files of C: disk.

How Does It Do?

It all starts with picking a target computer and installing the Microsoft Installer via Windows Group Policy Objectives (GPOs). This lets the group to bypass security parameters, and to procure and install an unsigned MSI package from a remote web server.

This package has the old Oracle VirtualBox hypervisor and a virtual disk image file of Windows XP SP3 OS. This is a stripped-down version of it and called MicroXP v0.82. This image also contains a 49 kB worth Ragnar Locker ransomware executable!

This was installed inside the Oracle VirtualBox to avoid detection, as antivirus reads the actions performed within Virtual Box are from legitimate Oracle software, thus deemed to be safe. This software has access to all the local and shared disks, giving the hacker access to all of them to exfiltrate. Researchers say this is the first time a ransomware group found exploiting Virtual Box for its operations.

Source: Sophos


Please enter your comment!
Please enter your name here