Muhammad Abdullah
10K+ | Asst. Manager Technical Sales | Digital Marketer | Affiliate Marketer | Software Engineer | Information Security | Freelancer
The RagnarLocker group is known from its earlier attacks for choosing targets carefully: it avoids home users and goes after corporate networks and government organizations only. This time, however, the technique it has adopted is built specifically to slip past the security controls on the endpoint.
The technique was spotted and documented by the well-known security firm Sophos, whose analysis shows the lengths to which a ransomware operator will go, and how creative it will be, to hide the malicious payload while it attacks a victim.
Recent Attacks by RagnarLocker
In the past the group has used a range of initial-access vectors: abusing exposed or weakly secured RDP endpoints, spam email with malicious attachments, exploits, malicious ads, trojanised installers, and so on. Now, for the first time, the group has been observed going as far as deploying its malware inside a virtual machine, a technique chosen to evade corporate security tooling.
- In April 2020, the hackers behind RagnarLocker targeted the network of the Portuguese multinational energy company Energias de Portugal (EDP), claimed to have stolen 10 TB of sensitive company data, demanded a payment of 1,580 BTC and threatened to release the data if the ransom was not paid.
- In February 2020, the RagnarLocker group specifically targeted remote monitoring and management (RMM) software commonly used by managed service providers (MSPs), such as the popular ConnectWise and Kaseya products, to prevent its attack from being detected and stopped.
The gang behind RagnarLocker goes to such lengths because it targets the high-value data of specific organizations and demands ransoms that run into millions of dollars, according to UK cyber-security firm Sophos.
Execution Strategy of RagnarLocker
In May 2020, the operators of the RagnarLocker ransomware were caught running Oracle VirtualBox to hide their presence while attacking a victim: the ransomware was executed inside a Windows XP virtual machine. The ransomware executable itself is only 49 kB, but it is delivered inside a roughly 280 MB Windows XP virtual machine image.
The attack chain downloads and installs Oracle VirtualBox by itself, then configures the virtual machine with shared folders that give the guest full access to every local and network drive, so the guest can read and write files stored outside its own virtual disk. The ransomware running inside the guest then replaces files on the host's local and shared drives with their encrypted versions. From the host's point of view those writes are performed by the legitimate, signed VirtualBox process on behalf of the guest, so endpoint protection on the host sees a trusted application modifying files rather than a ransomware binary; the malicious process itself never appears in the host's process list at all.
Virtual machines are normally used by defenders to detonate malware in a sandboxed environment; here the attackers reverse the situation and use the virtual machine to shield their ransomware from the malware scanners on the host.
The technique is simple and clever once you see it. Instead of executing the ransomware directly on the computer they want to encrypt, the RagnarLocker gang installs Oracle VirtualBox, general-purpose software for running virtual machines, and runs the ransomware in a guest that has been handed the host's drives.
Ransomware has evolved in several ways over the last couple of months, but RagnarLocker has taken it to a new level by thinking outside the box.
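As an added illustration (this is not code from the article or from Sophos's report), the following Python detection logic runs over a handful of constructed process-creation events and flags the pattern described above: a quiet installer launched from a script interpreter, `VBoxManage sharedfolder add` commands that hand whole drives or UNC shares to the guest, and a headless VM start. The host names, file paths, the VM name and the share names are assumptions made for the example; the VBoxManage and VBoxHeadless command syntax is VirtualBox's real one.

```python
"""Flag the 'ransomware in a guest VM' pattern from process-creation events.

Signals, in rising order of confidence:
  1. quiet MSI install launched from a script interpreter (weak);
  2. VBoxManage sharedfolder add whose --hostpath is a whole drive or a
     UNC share, i.e. the guest is handed the host's data (strong);
  3. a headless VM start (VBoxHeadless.exe or 'startvm --type headless').
"""
import re
from collections import defaultdict

# Constructed sample events (Sysmon Event ID 1 style fields). Host names,
# paths, the VM name "micro" and the share names are assumptions for this
# example, not published indicators for any real sample.
EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Temp\va.msi" /qn',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws01", "image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     "cmd": r'VBoxManage.exe sharedfolder add "micro" --name "C_DRIVE" --hostpath "C:\" --automount',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws01", "image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     "cmd": r'VBoxManage.exe sharedfolder add "micro" --name "D_DRIVE" --hostpath "D:\" --automount',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws01", "image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     "cmd": r'VBoxManage.exe sharedfolder add "micro" --name "finance" --hostpath "\\fs01\finance" --automount',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws01", "image": r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
     "cmd": r"VBoxHeadless.exe --startvm micro",
     "parent": r"C:\Windows\System32\cmd.exe"},
    # A developer sharing one project directory with a GUI VM: must stay quiet.
    {"host": "ws02", "image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     "cmd": r'VBoxManage.exe sharedfolder add "devbox" --name "src" --hostpath "C:\Users\alice\src"',
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "ws02", "image": r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe",
     "cmd": r"VirtualBox.exe --startvm devbox",
     "parent": r"C:\Windows\explorer.exe"},
]

HOSTPATH_RE = re.compile(r'--hostpath\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")            # C:  or  C:\
UNC_SHARE_RE = re.compile(r"^\\\\[^\\]+\\[^\\]+\\?$")    # \\server\share
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_share(hostpath):
    """Whole drive, whole UNC share, or an ordinary directory."""
    if DRIVE_ROOT_RE.match(hostpath):
        return "drive_root"
    if UNC_SHARE_RE.match(hostpath):
        return "unc_share"
    return "path"


def shared_folder_hostpath(cmd):
    m = HOSTPATH_RE.search(cmd)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def inspect(event):
    """Return (rule, detail) when the event matches one of the signals, else None."""
    image, cmd, parent = basename(event["image"]), event["cmd"], basename(event["parent"])
    lowered = cmd.lower()
    if image == "msiexec.exe" and ("/qn" in lowered or "/quiet" in lowered) and parent in SCRIPT_HOSTS:
        return "silent_msi_install_from_script", cmd
    if image == "vboxmanage.exe" and "sharedfolder" in lowered and " add " in lowered:
        hostpath = shared_folder_hostpath(cmd)
        if hostpath is not None and classify_share(hostpath) != "path":
            return "wide_shared_folder", hostpath
    if image == "vboxheadless.exe" or ("startvm" in lowered and "--type headless" in lowered):
        return "headless_vm_start", cmd
    return None


def analyze(events):
    """Group findings per host; a whole-drive share plus a headless start is an alert."""
    per_host = defaultdict(list)
    for ev in events:
        hit = inspect(ev)
        if hit:
            per_host[ev["host"]].append({"rule": hit[0], "detail": hit[1]})
    result = {}
    for host in {ev["host"] for ev in events}:
        rules = {f["rule"] for f in per_host[host]}
        if "wide_shared_folder" in rules and "headless_vm_start" in rules:
            verdict = "alert"
        elif "wide_shared_folder" in rules:
            verdict = "suspicious"
        else:
            verdict = "none"
        result[host] = {"findings": per_host[host], "verdict": verdict}
    return result


if __name__ == "__main__":
    for host, r in sorted(analyze(EVENTS).items()):
        print(host, r["verdict"])
        for f in r["findings"]:
            print("   ", f["rule"], "->", f["detail"])
```

The key discriminator is the `--hostpath` argument, not the presence of VirtualBox: developers legitimately share a project directory with a guest, but nobody needs to hand an entire drive or a departmental file share to a freshly installed, headless Windows XP machine. Wiring the same rule into an EDR or SIEM that records full command lines gives you a host-side signal even though the encrypting process itself lives inside the guest.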
Tips
Organizations should put the following measures in place to mitigate attacks of this kind:
- Endpoint protection with behaviour monitoring and machine-learning detection, tuned so that unexpected installation of hypervisor software and mass file modification by any process, trusted ones included, raise an alert.
- A properly configured firewall at the gateway, including blocking RDP and other remote-management services from direct exposure to the internet.
- Last but not least, a backup solution that automatically backs up the organization's data on a fixed schedule (hourly, daily, weekly or monthly, as the data warrants) and keeps copies offline or otherwise isolated, so the backups cannot be encrypted along with the production data.