Cybercriminals are increasingly seen using virtual machines to infect networks with ransomware, according to a recent report from Symantec. By running the payload inside a virtual environment, an attacker can execute their campaign with higher success rates.
Security researchers at Symantec discovered that ransomware attack operators used VirtualBox, open-source virtual machine software, to run infected Windows 7 instances that would install ransomware on victims’ networks and machines.
According to Symantec, the goal of the ransomware is to hide inside a virtual machine (VM) while encrypting files on the host PC, which avoids triggering anti-virus software:
“The motivation behind the tactic is stealth. In order to avoid raising suspicions or triggering antivirus software, the ransomware payload will ‘hide’ within a VM while encrypting files on the host computer.”
Although a virtual machine is isolated from its host, it can still access the files and directories the host shares with it. Cybercriminals can exploit this to encrypt files on the host computer itself and to exfiltrate sensitive information.
When analyzing one such campaign, researchers were not able to identify the ransomware family that was launched in the virtual machine, but the specifics of how the malware operated strongly suggested it was Conti, the ransomware gang that was involved in several high-profile campaigns, such as the attack against Ireland’s HSE health service.
Researchers also discovered evidence of an attacker attempting to launch a Mount Locker ransomware attack on the host computer. They speculate that the attackers first tried to run Conti inside a virtual machine but failed, and then switched to Mount Locker.
Researchers warn that, even though this method is not new, it is being used more and more often, which may soon make ransomware attacks harder to detect. Once a tactic has proven successful, other hacker groups are quick to adopt it:
“Groups will often mimic others’ tactics if they think they’ve been successful. There may be a belief that some security solutions cannot reliably and consistently detect the ransomware sample executing from inside a virtual machine (VM),” said Dick O’Brien, principal in the Symantec Threat Hunter Team.
One way to prevent this is to ensure that only legitimate, trusted software can be installed and run on an organization’s machines.
“Use software inventory and restriction tools that enable them to control what licensed software may be installed. In addition, organizations already using VM software can use enterprise versions of the software that restrict creation of new unauthorized VMs,” said O’Brien.
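The guidance above amounts to knowing which hypervisors and VMs exist on endpoints and which host directories each guest can reach. As an added illustration (not code from the article or from Symantec), the following Python script audits VirtualBox machine definition files (the XML `.vbox` format) and flags shared folders that hand the guest a writable view of a whole drive or user profile, which is the channel the article describes. The sample `.vbox` content is constructed, and the "broad path" threshold and severity labels are assumptions of this example, not a Symantec recommendation.

```python
"""Audit VirtualBox .vbox machine definitions for host directories shared
into a guest. Added example; not code from the article or from Symantec."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import PurePosixPath, PureWindowsPath
from typing import List

# Default XML namespace used by real .vbox files.
VBOX_NS = "http://www.virtualbox.org/"

# Constructed sample: a Windows 7 guest with a writable share of the whole C: drive
# plus a harmless read-only share of an ISO directory.
SAMPLE_VBOX = """<VirtualBox xmlns="http://www.virtualbox.org/" version="1.16-windows">
  <Machine uuid="{00000000-0000-0000-0000-000000000001}" name="win7" OSType="Windows7_64">
    <Hardware>
      <SharedFolders>
        <SharedFolder name="C_DRIVE" hostPath="C:\\" writable="true" autoMount="true"/>
        <SharedFolder name="iso" hostPath="C:\\Users\\alice\\isos" writable="false" autoMount="true"/>
      </SharedFolders>
    </Hardware>
  </Machine>
</VirtualBox>
"""


@dataclass
class ShareFinding:
    vm_name: str
    guest_os: str
    share_name: str
    host_path: str
    writable: bool
    severity: str  # "high", "medium" or "low" (labels assumed for this example)


def _is_broad(host_path: str) -> bool:
    """True when the shared path is a drive root, a filesystem root, or an entire
    user profile (C:\\Users\\<name> or /home/<name>). Threshold is an assumption."""
    if ":" in host_path or "\\" in host_path:
        p = PureWindowsPath(host_path)
    else:
        p = PurePosixPath(host_path)
    rel = [part for part in p.parts if part != p.anchor]
    if not rel:  # e.g. C:\ or /
        return True
    return len(rel) == 2 and rel[0].lower() in ("users", "home")


def audit_vbox(xml_text: str) -> List[ShareFinding]:
    """Parse one .vbox document and rate every shared folder it defines."""
    root = ET.fromstring(xml_text)
    findings: List[ShareFinding] = []
    for machine in root.iter(f"{{{VBOX_NS}}}Machine"):
        vm_name = machine.get("name", "?")
        guest_os = machine.get("OSType", "?")
        # SharedFolder elements sit under Hardware in recent formats and directly
        # under Machine in older ones; iterating the subtree covers both (assumption).
        for sf in machine.iter(f"{{{VBOX_NS}}}SharedFolder"):
            host_path = sf.get("hostPath", "")
            writable = sf.get("writable", "false").lower() == "true"
            if writable and _is_broad(host_path):
                severity = "high"      # guest can rewrite a whole drive or profile
            elif writable:
                severity = "medium"    # guest can modify a narrower host directory
            else:
                severity = "low"       # read-only: exposure, but no encryption path
            findings.append(ShareFinding(vm_name, guest_os, sf.get("name", "?"),
                                         host_path, writable, severity))
    return findings


def audit_vbox_file(path: str) -> List[ShareFinding]:
    """Convenience wrapper for a .vbox file on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_vbox(fh.read())


if __name__ == "__main__":
    for f in audit_vbox(SAMPLE_VBOX):
        print(f"[{f.severity.upper():6}] vm={f.vm_name} ({f.guest_os}) "
              f"share={f.share_name} host_path={f.host_path} writable={f.writable}")
```

Pointed at the directory that holds a user's VirtualBox machine folders, `audit_vbox_file` gives an inventory of every host path a guest can write to; a "high" finding on an endpoint that has no business running VMs is the kind of signal the software-inventory controls O'Brien describes are meant to surface.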