
Threat Intelligence

6/23/2021
06:10 PM

VMs Help Ransomware Attackers Evade Detection, but It's Uncommon

Some ransomware attackers use virtual machines to bypass security detection, but adoption is slow for the complicated technique.

Security researchers have discovered another ransomware group using virtual machines (VMs) to slip past defensive tools on target devices. While effective in hiding ransomware activity, this tactic is more complex than a traditional ransomware attack and may hamper the attackers' efforts.

The trend emerged last year, when Sophos researchers found Ragnar Locker ransomware was being deployed as a full VM on each targeted device to hide the ransomware from view. A few months later, the Maze ransomware group was spotted using the same technique, albeit with some differences. Ragnar Locker was deployed inside an Oracle VirtualBox Windows XP VM, for example, while the Maze-delivered VM was running Windows 7.


Now Symantec researchers have found another group using VMs to run ransomware payloads on compromised machines. In this case, the attackers had installed a VirtualBox VM on some infected computers, and the VM they used appeared to be running Windows 7, they report.

While the payload running in the VM was not identified, there are "reasonably strong indicators" that it's Conti: A username and password combination used in the attack had been previously linked to older Conti activity in April. However, on the same computer that the VM was deployed, Symantec also saw Mount Locker ransomware being deployed.

This was strange, they say, as the purpose of running a payload in a VM is to evade detection. It didn't make sense to also deploy it on the host machine. Researchers hypothesize the attacker could be an affiliate with access to both Conti and Mount Locker. They may have tried to run a payload on a VM, and when that didn't work, they chose to run Mount Locker on the host.

The primary goal with this tactic is to evade detection by hiding the attack in a VM so the encryption process flies under the radar. Attackers map file shares on the network from inside the VM and encrypt them, rather than running the ransomware natively on the machine.
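Because the encryption described above is carried out over mapped network shares, the host's endpoint agent only ever sees a hypervisor process, while the file server sees an ordinary SMB client rewriting files. The following detection logic is an added example, not code from the article or from either vendor; it runs over constructed share-audit records (time, client IP, account, operation, path) and flags any single client that rewrites many files across many directories inside a short window. The record layout, the window length and both thresholds are assumptions.

```python
"""Added example (not from the article): flag a network client that is
rewriting many files on a share in a short window, the pattern a file
server sees when ransomware running inside a VM encrypts mapped shares
instead of local disk.  Record format and thresholds are assumptions;
the audit records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed sliding window
MIN_FILES = 20                  # assumed: distinct files rewritten in the window
MIN_DIRS = 5                    # assumed: distinct directories touched in the window


def _constructed_events():
    """Constructed share-audit records: (iso_time, client_ip, account, op, path)."""
    base = datetime(2021, 6, 23, 22, 0, 0)
    events = []
    # A user saving a handful of documents over an hour: normal activity.
    for i in range(3):
        ts = base + timedelta(minutes=15 * i)
        events.append((ts.isoformat(), "10.0.1.20", "CORP\\alice", "WRITE",
                       rf"\\fs01\finance\reports\r{i}.docx"))
    # One client (the VM's network identity) renaming 30 files in 8 directories
    # within two minutes: the burst a mass-encryption run produces.
    for i in range(30):
        ts = base + timedelta(seconds=4 * i)
        events.append((ts.isoformat(), "10.0.5.77", "CORP\\svc_backup", "RENAME",
                       rf"\\fs01\finance\dept{i % 8}\file{i}.xlsx.locked"))
    return events


def find_mass_rewrite_clients(events, window=WINDOW,
                              min_files=MIN_FILES, min_dirs=MIN_DIRS):
    """Return {client_ip: (files, dirs)} for every client whose WRITE/RENAME
    activity exceeds both thresholds inside some window; the tuple is the
    largest (files, dirs) pair observed for that client."""
    by_client = defaultdict(list)
    for ts, ip, _user, op, path in events:
        if op in ("WRITE", "RENAME"):
            by_client[ip].append((datetime.fromisoformat(ts), path))

    flagged = {}
    for ip, recs in by_client.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans at most `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            files = {p for _, p in recs[start:end + 1]}
            dirs = {p.rsplit("\\", 1)[0] for p in files}
            if len(files) >= min_files and len(dirs) >= min_dirs:
                flagged[ip] = max(flagged.get(ip, (0, 0)), (len(files), len(dirs)))
    return flagged


if __name__ == "__main__":
    for ip, (files, dirs) in find_mass_rewrite_clients(_constructed_events()).items():
        print(f"{ip}: {files} files rewritten across {dirs} directories")
```

The point of keying on the client address rather than on a process name is that, from the file server's side, a VM encrypting mapped shares is indistinguishable from any other SMB client; an alert on an address that is not in the asset inventory (the VM's NAT or bridged address) is what would surface the technique when the host's own tooling sees nothing.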

While more subtle, this technique is more difficult for the attackers to pull off, notes Dick O'Brien, principal editor for the Symantec Threat Hunter team.

"It's adding another degree of complexity," he says of the use of VMs. "You have to set up the virtual machine so that it has permissions to encrypt files, or access files, on the host computer."

In this case, the Symantec team suspects the attackers didn't get it exactly right.

Stealth, But Complicated
When Sophos first detected Ragnar Locker using VMs, the researchers expected it to become a growing trend. A virtual machine is legitimate software, so it shouldn't raise any red flags with traditional antivirus tools, letting attackers operate unnoticed. But months went by before they spotted Maze using the technique in September 2020.

"The challenges are immense on the criminal side," says Chet Wisniewski, principal research scientist at Sophos, of why he thinks the use of VMs in ransomware attacks is still uncommon. It's a complicated – and slow – way to launch a ransomware attack.

A virtual machine is "a big file – it's something that can be noticed and detected," and it would likely be blocked by existing security mechanisms, he notes. It's not something a business would expect to have downloaded through its firewalls or for IT to permit in its environment.

Further, he adds, most servers attackers are targeting already are virtualized. This means they're running a VM inside a VM, which isn't the most reliable strategy when locking up someone's files. Big-game groups after multimillion-dollar ransoms have a pattern, he says. They break in, stay silent, find the sensitive data they plan to encrypt, and trigger an attack within seven to 10 days. Usually this starts in the evening or on a Friday, so they have more time to encrypt the files.

"If you start doing this from a virtual machine, you're amplifying the amount of time it's going to take – another negative for criminals for this tactic," Wisniewski adds. Because VMs are slower and it's a mapped network drive, it's "significantly slower" than doing the encryption operation natively on the computer itself.

He notes that attackers who use this technique will only do so if it makes sense for a specific victim. Legacy environments are especially vulnerable here. If a group with admin credentials breaks in and notices a business is running legacy antivirus managed locally, they can turn it off. If it's cloud-based and there's no multifactor authentication, they can turn it off there, too.

"Once they break into each victim, they're reacting to what's around them," he says.

Legacy environments are less likely to have security tools that react to a technique like this one. One reason the tactic is still rare is that it only works where the attackers can get around the security tools already in place.

How Businesses Can Respond
Organizations aware of this technique are advised to take steps to defend against attackers.

"I think awareness is really key in terms of knowing how they get into your organization and how they get across your network, in terms of obtaining credentials and moving laterally," says O'Brien, who urges businesses to regularly change their credentials and limit users to activity they're meant to be doing. If someone has no reason to create a VM, block them from doing it.

"Be a bit more rigid in terms of the policies you apply," he adds.

In general, it's not a bad idea to block these applications from being used where they shouldn't be used, Wisniewski says. He refers to VirtualBox, which is commonly used in these attacks, as something that should either be blocked from running in your environment or detected when it's installed or downloaded somewhere unusual.

"That should never happen on a server," he says. It may run on a workstation, but virtualization software wouldn't normally run on a server.

The same ransomware defense advice still applies here, he notes. Where it pivots is in detecting the virtualization process and ensuring servers have security software installed, rather than expecting endpoint protection tools to protect them from these kinds of attacks.
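The recommendations above from O'Brien and Wisniewski (block VM creation for users who have no reason to do it, and treat virtualization software on a server as something that should never happen) translate directly into a triage rule over process-creation telemetry. The following is an added example, not code from the article or from Symantec or Sophos. It uses VirtualBox's own Windows executable names and the installer's `VirtualBox-<version>-Win.exe` naming; the event layout, the host-role lookup and the allowlist of accounts permitted to run virtualization software are assumptions, and the events are constructed.

```python
"""Added example (not from the article): triage process-creation events so
that virtualization software on a server, or run by an account that is not
allowed to run it, is flagged.  Event layout, host roles and the allowlist
are assumptions; the sample events are constructed."""
from fnmatch import fnmatch
from pathlib import PureWindowsPath

# VirtualBox's Windows executables (GUI, service, headless runner, CLI).
VBOX_IMAGES = {"virtualbox.exe", "vboxsvc.exe", "vboxheadless.exe", "vboxmanage.exe"}
# The VirtualBox installer is published as VirtualBox-<version>-Win.exe.
VBOX_INSTALLER_GLOB = "virtualbox-*-win.exe"

# Assumed policy: only these accounts may run virtualization software, and
# only on workstations.  Servers are never allowed to run it.
ALLOWED_VM_USERS = {"dev-lab\\jsmith"}

# Constructed events: host, role (assumed to come from an asset inventory),
# account and image path.  The installer version is a constructed value.
SAMPLE_EVENTS = [
    {"host": "srv-file01", "role": "server", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe"},
    {"host": "ws-042", "role": "workstation", "user": "CORP\\bob",
     "image": r"C:\Users\bob\Downloads\VirtualBox-6.1.22-Win.exe"},
    {"host": "ws-lab07", "role": "workstation", "user": "DEV-LAB\\jsmith",
     "image": r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"},
    {"host": "srv-file01", "role": "server", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe"},
]


def is_virtualbox_image(image_path):
    """True if the image is a VirtualBox executable or its installer."""
    name = PureWindowsPath(image_path).name.lower()
    return name in VBOX_IMAGES or fnmatch(name, VBOX_INSTALLER_GLOB)


def classify(event):
    """Return (severity, message) for a VirtualBox-related event, else None."""
    if not is_virtualbox_image(event["image"]):
        return None
    name = PureWindowsPath(event["image"]).name
    host, user = event["host"], event["user"]
    if event["role"] == "server":
        # Virtualization software has no business on a server: highest priority.
        return ("high", f"{host}: virtualization software {name} on a server")
    if user.lower() not in ALLOWED_VM_USERS:
        # A workstation account with no reason to create VMs.
        return ("medium", f"{host}: {user} is not permitted to run {name}")
    return ("info", f"{host}: permitted VirtualBox use by {user}")


def triage(events):
    """Classify every event and drop those that are not VirtualBox-related."""
    return [r for r in (classify(e) for e in events) if r is not None]


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The role lookup is what carries the "never on a server" rule: the same binary is informational on a lab workstation and a high-severity finding on a file server, which is the distinction the article draws. In practice the allowlist would be driven by the same group membership used to enforce the block, so that detection and prevention agree on who is permitted to create VMs.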

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...