Ragnar Locker Ransomware Uses Virtual Machines for Evasion


The Ragnar Locker ransomware has been deploying a full virtual machine to ensure that it can evade detection, Sophos reveals.

The cybercriminals behind Ragnar Locker use various exploits or target Remote Desktop Protocol (RDP) connections to compromise networks, and also steal data from targeted networks prior to deploying the ransomware, to entice victims to pay the ransom.

As part of a recently observed attack, the ransomware was executed inside an Oracle VirtualBox Windows XP virtual machine. For that, the attackers used a Windows Group Policy Object (GPO) task to execute msiexec.exe and fetch and silently install a 122 MB MSI package. [....]
“The Ragnar Locker adversaries are taking ransomware to a new level and thinking outside of the box. They are deploying a well-known trusted hypervisor to hundreds of endpoints simultaneously, together with a pre-installed and pre-configured virtual disk image guaranteed to run their ransomware. Like a ghost able to interact with the material world, their virtual machine is tailored per endpoint, so it can encrypt the local disks and mapped network drives on the physical machine, from within the virtual plane and out of the detection realm of most endpoint protection products,” Mark Loman, director of engineering at Sophos, said in an emailed comment.
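
An added detection sketch, not part of the quoted article or of Sophos's analysis: it flags hosts where msiexec.exe silently installs an MSI from a remote source and a VirtualBox headless process starts soon after. The event tuples, host names, the 30-minute window and the use of VBoxHeadless.exe (VirtualBox's headless front end) as the hypervisor signal are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events: (host, time, image, command line).
EVENTS = [
    ("WS-014", "2020-01-01T02:11:03", "msiexec.exe",
     "msiexec.exe /i http://203.0.113.10/pkg.msi /quiet /qn"),
    ("WS-014", "2020-01-01T02:14:40", "VBoxHeadless.exe",
     "VBoxHeadless.exe --startvm vm01"),
    # Routine silent install from a local path: not flagged.
    ("WS-022", "2020-01-01T09:30:00", "msiexec.exe",
     "msiexec.exe /i C:\\Temp\\reader.msi /qn"),
    # Developer box running VirtualBox with no preceding install: not flagged.
    ("DEV-003", "2020-01-01T10:00:00", "VBoxHeadless.exe",
     "VBoxHeadless.exe --startvm devbox"),
]

# msiexec quiet switches (/q, /qn, /quiet; '-' is accepted in place of '/').
QUIET = re.compile(r"(?:^|\s)[/-]q(?:n|uiet)?\b", re.I)
# Package source is an http(s) URL or a UNC path (\\server\...).
REMOTE = re.compile(r"https?://|\\\\[^\\\s]+\\", re.I)
# Assumption: the deployed VM is started without a window.
HYPERVISOR_IMAGES = {"vboxheadless.exe"}


def silent_remote_msi(cmd):
    """True when an msiexec command line is both quiet and remotely sourced."""
    return bool(QUIET.search(cmd) and REMOTE.search(cmd))


def correlate(events, window=timedelta(minutes=30)):
    """Return (host, install_time, vm_start_time) for each headless VM start
    that follows a silent remote MSI install on the same host within window."""
    installs = {}  # host -> time of the latest suspicious msiexec run
    hits = []
    for host, ts, image, cmd in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        name = image.lower()
        if name == "msiexec.exe" and silent_remote_msi(cmd):
            installs[host] = t
        elif name in HYPERVISOR_IMAGES and host in installs:
            if t - installs[host] <= window:
                hits.append((host, installs[host].isoformat(), ts))
    return hits


if __name__ == "__main__":
    for hit in correlate(EVENTS):
        print("possible hypervisor drop:", hit)
```

Neither signal is conclusive alone; software deployment tools also run quiet installs, so the correlation with an unexpected hypervisor process is what narrows the result.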


A new ransomware attack method takes defense evasion to a new level—deploying as a full virtual machine on each targeted device to hide the ransomware from view. In a recently detected attack, Ragnar Locker ransomware was deployed inside an Oracle VirtualBox Windows XP virtual machine. The attack payload was a 122 MB installer with a 282 MB virtual image inside—all to conceal a 49 kB ransomware executable.

The adversaries behind Ragnar Locker have been known to steal data from targeted networks prior to launching ransomware, to encourage victims to pay. In April, the actors behind Ragnar Locker attacked the network of Energias de Portugal (EDP) and claimed to have stolen 10 terabytes of sensitive company data, demanding a payment of 1,580 Bitcoin (approximately $11 million US) and threatening to release the data if the ransom was not paid.