Cyber criminals are increasingly using virtual machines to compromise networks with ransomware.
Running the payload inside a virtual machine gives the attackers extra cover: host-based security tools that inspect processes and files on the host have little visibility into what executes inside the guest, so the activity is less likely to be discovered – until it’s too late and the ransomware has already encrypted files on the host machine.
During a recent investigation into an attempted ransomware attack, cybersecurity researchers at Symantec found the ransomware operators had been using VirtualBox – legitimate, open-source virtualization software – to run Windows 7 virtual machines from which the ransomware was deployed.
“The motivation behind the tactic is stealth. In order to avoid raising suspicions or triggering antivirus software, the ransomware payload will “hide” within a VM while encrypting files on the host computer,” Symantec said.
A virtual machine runs separately from the machine it is hosted on, but it can be given access to the host’s files and directories through shared folders. Attackers abuse that feature so that a payload running inside the guest can encrypt files on the host computer itself.
While researchers haven’t been able to fully identify the ransomware discovered running in the virtual machine, clues as to how the malware operated were strong indications that it was Conti – a notorious form of ransomware used by cyber criminals in a number of high-profile campaigns, including the ransomware attack against Ireland’s HSE health service.
However, this wasn’t the only activity detected: researchers also found evidence that the attacker had attempted to run Mount Locker ransomware directly on the host computer. Researchers suggest that the attacker first attempted to run Conti via the virtual machine and, when that didn’t work, switched to Mount Locker instead.
This isn’t the first time ransomware gangs have been spotted using virtual machines to deploy ransomware, but researchers warn that the technique could make attacks much harder to detect.
“Groups will often mimic others’ tactics if they think they’ve been successful. There may be a belief that some security solutions cannot reliably and consistently detect the ransomware sample executing from inside a virtual machine (VM),” said Dick O’Brien, principal in the Symantec Threat Hunter Team.
While cyber criminals could target devices that already have virtual machine software installed, in this case it appears that they actively downloaded the tools needed to run one. One way of countering this is to monitor and control what software is installed on machines, so that legitimate but potentially abusable tools can’t be installed without approval.
“Use software inventory and restriction tools that enable them to control what licensed software may be installed. In addition, organizations already using VM software can use enterprise versions of the software that restrict creation of new unauthorized VMs,” said O’Brien.
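The two controls the article describes – watching for the shared-folder mechanism that lets a guest reach host files, and checking VirtualBox activity against an inventory of machines approved to run it – can be expressed as detection logic over process-creation telemetry. The following is an added example written for this article, not Symantec’s tooling or anything from the VirtualBox project. The events, host names, user names and the approved-host inventory are all constructed; the VBoxManage command syntax (`sharedfolder add ... --hostpath ... --automount`, `startvm`) and the `VBoxHeadless.exe --startvm` form are VirtualBox’s real command lines, but the rule names, severities and thresholds are assumptions for illustration.

```python
"""Flag VirtualBox activity matching the 'ransomware inside a VM' tradecraft:
an unapproved VirtualBox install, a shared folder that exposes a broad slice
of the host file system to the guest, and a VM started on a host that is not
approved to run one.  Example code; all events and inventory are constructed."""
import re
from dataclasses import dataclass

# Constructed inventory: hosts where VirtualBox is licensed and expected.
APPROVED_VBOX_HOSTS = {"DEV-007"}

# Constructed process-creation events (Sysmon Event ID 1 style, trimmed).
SAMPLE_EVENTS = [
    {"host": "WS-041", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\VirtualBox-6.1.26-Win.exe",
     "cmdline": r'"C:\Users\jdoe\Downloads\VirtualBox-6.1.26-Win.exe" --silent'},
    {"host": "WS-041", "user": "CORP\\jdoe",
     "image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     "cmdline": r'VBoxManage.exe sharedfolder add "win7" --name cdrive --hostpath "C:\" --automount'},
    {"host": "WS-041", "user": "CORP\\jdoe",
     "image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     "cmdline": r'VBoxManage.exe sharedfolder add "win7" --name fin --hostpath "\\fs01\finance" --automount'},
    {"host": "WS-041", "user": "CORP\\jdoe",
     "image": r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
     "cmdline": r"VBoxHeadless.exe --startvm win7"},
    {"host": "DEV-007", "user": "CORP\\build",
     "image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     "cmdline": r'VBoxManage.exe sharedfolder add "ci-runner" --name src --hostpath "D:\repos\app"'},
]


@dataclass
class Finding:
    host: str
    severity: str
    rule: str
    detail: str


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def option_value(toks, opt):
    """Return the token following `opt` (case-insensitive), or None."""
    for i, t in enumerate(toks[:-1]):
        if t.lower() == opt:
            return toks[i + 1]
    return None


def is_broad_host_path(path):
    """True for a drive root, a profile root or a single user's profile, or a
    UNC share: a shared folder on such a path hands the guest most of what
    ransomware running inside it would want to encrypt."""
    p = path.rstrip("\\")
    return bool(re.fullmatch(r"[A-Za-z]:", p)
                or re.fullmatch(r"[A-Za-z]:\\Users(?:\\[^\\]+)?", p, re.I)
                or p.startswith("\\\\"))


def analyze(events, approved=APPROVED_VBOX_HOSTS):
    """Run the three rules over process-creation events and return findings."""
    findings = []
    for ev in events:
        host = ev["host"]
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        toks = tokenize(ev["cmdline"])
        low = [t.lower() for t in toks]
        approved_host = host in approved
        # Rule 1: VirtualBox installer (exe or msi) on a host not in the inventory.
        if re.fullmatch(r"virtualbox-[\d.]+-win\.exe", image) or (
                image == "msiexec.exe" and any("virtualbox" in t for t in low)):
            if not approved_host:
                findings.append(Finding(host, "medium", "unapproved_vbox_install",
                                        f"{ev['user']} ran {toks[0]}"))
        # Rule 2: shared folder added; severity depends on how much of the host it exposes.
        elif image == "vboxmanage.exe" and low[1:3] == ["sharedfolder", "add"]:
            hostpath = option_value(toks, "--hostpath") or ""
            severity = ("high" if is_broad_host_path(hostpath)
                        else "medium" if not approved_host else "info")
            automount = " (automount)" if "--automount" in low else ""
            findings.append(Finding(host, severity, "vbox_shared_folder",
                                    f"VM {toks[3]} gets host path {hostpath}{automount}"))
        # Rule 3: a VM started on a host that should not be running one.
        elif (image == "vboxheadless.exe" and "--startvm" in low) or (
                image == "vboxmanage.exe" and "startvm" in low):
            if not approved_host:
                vm = option_value(toks, "--startvm") or option_value(toks, "startvm")
                findings.append(Finding(host, "medium", "vm_started_on_unapproved_host",
                                        f"{ev['user']} started VM {vm}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.host} {f.rule}: {f.detail}")
```

Against the constructed events this yields five findings: the unapproved install on WS-041, two high-severity shared folders (the whole C: drive and a network share, both automounted into the guest), the VM start on WS-041, and an informational entry for the narrow repo path on the approved build host. In a real deployment the inventory set would come from the software-inventory tooling O’Brien mentions, and the shared-folder rule is the one worth alerting on even on approved hosts, since a drive-root or profile-root share is exactly what lets a guest-side payload encrypt the host.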