Connect with us

Hi, what are you looking for?



Ragnar Locker Ransomware Uses Virtual Machines for Evasion

The Ragnar Locker ransomware has been deploying a full virtual machine to ensure that it can evade detection, Sophos reveals.

The Ragnar Locker ransomware has been deploying a full virtual machine to ensure that it can evade detection, Sophos reveals.

The cybercriminals behind Ragnar Locker use various exploits or target Remote Desktop Protocol (RDP) connections to compromise networks, and also steal data from targeted networks prior to deploying the ransomware, to entice victims to pay the ransom.

As part of a recently observed attack, the ransomware was executed inside an Oracle VirtualBox Windows XP virtual machine. For that, the attackers used a Windows Group Policy Object (GPO) task to execute msiexec.exe and fetch and silently install a 122 MB MSI package.

The package contained an old Oracle VirtualBox hypervisor (Sun xVM VirtualBox version 3.0.4 from August 5, 2009), and a virtual disk image file (VDI) – an image of a stripped-down version of Windows XP SP3 – that included a 49 KB Ragnar Locker ransomware executable.

The MSI also deploys an executable, a batch file, and a few support files. The batch script registers and runs VirtualBox application extensions VBoxC.dll and VBoxRT.dll, along with the VirtualBox driver VboxDrv.sys.

Next, the script stops the Windows Shell Hardware Detection service, to disable the AutoPlay notification functionality, and deletes the computer’s volume shadow copies, after which it enumerates all local disks, connected removable drives, and mapped network drives.

The batch file also goes through a list of 50 processes (mainly line-of-business applications, database, remote management and backup applications) and terminates them, to ensure that files associated with them are unlocked and available for encryption.

Advertisement. Scroll to continue reading.

The list of targeted processes is stored in a text file and is accompanied by a list (also stored in a text file) of service names tailored to the victim organization’s network environment. Next, the script starts the virtual machine, with the ransomare running in it as vrun.exe.

The VM runs with 256 MB of RAM, one CPU, a single 299 MB HDD file micro.vdi, and an Intel PRO/1000 network adapter attached to NAT. The ransomware running inside it is “compiled exclusively per victim, as the ransom note it drops contains the victim’s name,” Sophos explains.

The script also mounts the shared drives configured in micro.xml on the host machine, so that the ransomware can access the previously enumerated local disks and mapped network and removable drives, directly from the guest VM.

Running inside the virtual guest machine, the ransomware’s process and behavior are out of reach for security software on the host machine. Basically, the data on disks and drives on the physical machine are attacked by VboxHeadless.exe, the VirtualBox virtualization software, Sophos notes.

“The Ragnar Locker adversaries are taking ransomware to a new level and thinking outside of the box. They are deploying a well-known trusted hypervisor to hundreds of endpoints simultaneously, together with a pre-installed and pre-configured virtual disk image guaranteed to run their ransomware. Like a ghost able to interact with the material world, their virtual machine is tailored per endpoint, so it can encrypt the local disks and mapped network drives on the physical machine, from within the virtual plane and out of the detection realm of most endpoint protection products,” Mark Loman, director of engineering at Sophos, said in an emailed comment.

Related: Hackers Attempted to Deploy Ransomware in Attacks Targeting Sophos Firewalls

Related: ATM Maker Diebold Nixdorf Hit by Ransomware

Related: Ransomware Forces Shutdown of Texas Judiciary Network

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...