Is there another sandbox you can recommend?
i do not know how useful this list will be to you as most of these are not open source, at most they offer an upload api
zeltser.com
however, this list is open source malware analysis sandboxes and you can see the latest commits
not confident you will find anything useful but at least you can separate the currently maintained projects versus the archived
Open source projects categorized as Sandbox Malware Analysis
awesomeopensource.com
I just want a safe environment to install and analyse ransomware (but I will analyse it with my own detection system).
build your test environment on a network disconnected (disable the network adapter during testing), this is going to give you what you want - which i am going to assume is to test and develop your detection system
In this case, is a sandbox still required or can I just install the ransomware samples in my virtualbox (Windows 7/10) and restrict internet access with NAT (or maybe I should install Windows as a guest in my host Ubuntu VM). I don't know.. I'm a little confused
this is what most researchers do, they just use a malware analysis sandbox as a quick and easy source of behaviors and other information
do not use any shared folders between the test virtual machines and the host
others say to disable cpu virtualization of the vm, but i could not find the technical reason
To be honest, I'm a little afraid that ransomware can, without a sandboxed environment, escape from the virtual environment.
certainly it is technically possible in some way, but i have never heard of such a case where the ransomware managed to escape a fully and properly configured virtual environment
virtual machine breakouts are possible as VUPEN once showed, but exploiting virtual machines is a tactic that will only be used by sophisticated threat actors and that means those with lots of resources and skilled personnel, think nation state actors
Researchers developed an "advanced exploitation method" which triggered a previously discovered vulnerability in order to escape a Xen virtual machine running on Citrix XenServer and get onto the host machine.
www.securityweek.com
there are cases of ransomware running in a virtual environment and then infecting the host, but that involved the shared folders (which is not windows smb by the way, it is a proprietary host-guest protocol developed by oracle (and vmware has its own for folder\file sharing between host and guest)
In a recent attack, Ragnar Locker ransomware was seen encrypting victim’s files while shielded from security software inside a virtual machine.
nakedsecurity.sophos.com
Tactic hides ransomware payload and lowers the risk of discovery while encryption process is underway.
symantec-enterprise-blogs.security.com
you should be further aware that if you do test malware with the internet enabled, without using a vpn your public ip address could be blacklisted by your isp
ask
@harlan4096 about setting up a malware test environment