back to article Forget BYOD, this is BYOVM: Ransomware tries to evade antivirus by hiding in a virtual machine on infected systems

With antivirus tools increasingly wise to common infection tricks, one group of extortionists has taken the unusual step of stashing their ransomware inside its own virtual machine. According to Vikas Singh, Gabor Szappanos, and Mark Loman at Sophos, criminals have slotted the file-scrambling Ragnar Locker nasty into a virtual …

  1. Stuart Castle Silver badge

    Interesting idea.. Hide your virus from the scanners by running it inside a VM that is being run by a legit process..

    1. ThatOne Silver badge

      Still, installing a 70 MB program plus a 200+MB virtual machine to hide a 50KB virus is slightly overkill IMHO...

      Also, normal users might wonder what the heck is VirtualBox doing on their computer all of a sudden. Hardly a stealthy approach. Which means that, even if the virus itself is hard to detect, the infection is pretty easy to spot, not to mention it might be possible for company administrators to simply block any new/additional installation of any hypervisor on company computers, thus blocking not only this, but any similar future virus.

      1. JRS

        Are you not overrating "normal users" ???

        1. ThatOne Silver badge

          > Are you not overrating "normal users" ???

          You have a point there... :-D

          But then again the "normal" normal users don't have anything worth blackmailing them about (holiday pictures?), so I guess the target of this system would be companies, which would (might (should)) keep a distracted eye on what's going on on their computer park.

          I'm definitely not convinced that smuggling stuff using a carnival float is the optimal method. Somebody might notice it, and wonder what is is doing there, at this time of year.

      2. seven of five

        270 Megabytes is background noise. Across most parts of western Europe, we habe 2-4 Gbytes Memory and 16+ Mbit internet connectivity. Given the attack vector of RDP, corporate users-err, victims, would rather struggle getting virtualbox installed. Or is this a portable app?

    2. Psmo Silver badge

      Many frameworks spawn processes like its going out of fashion; how do you check that they are all legit?

  2. don't you hate it when you lose your account Bronze badge

    Turning the tables

    Using a VM to isolate and study viruses is an old trick. Looks like the young dogs are learning old tricks.

    1. amanfromMars 1 Silver badge

      Re: Turning the tables

      Using a VM to isolate and study viruses is an old trick. Looks like the young dogs are learning old tricks ..... don't you hate it when you lose your account.

      Using a VM to manufacture and manipulate a virus is novel though, don't you hate it when you lose your account.

      That's surely a new trick for young dogs and old lags alike to go rabid over?

      1. DJV Silver badge

        Re: Turning the tables

        What! A post from amanfrommars1 that's actually understandable? Anyone would think the world has gone mad! Oh wait...

        1. amanfromMars 1 Silver badge

          Re: Turning the tables

          They're all understandable, DJV, although not necessarily to everybody. And whenever some matters are dangerous to know and quite rightly intelligently made available for only a few made of sterner sterling stuff able to successfully handle and exploit the info and intel, is the pool of enlightenment relatively small and massively terrifying to those and/or that excluded.

          1. DJV Silver badge

            Re: Turning the tables

            Ah, that's more like it!

            1. seven of five

              Re: Turning the tables

              Actually not, seems clear to me, even on a second read.

              1. Alistair Silver badge
                Windows

                Re: Turning the tables

                I've just been on these fora too long. Oddly, much of what aMfM posts is comprehensible to me. Weird, off the wall, disturbing even, but comprehensible.

                1. amanfromMars 1 Silver badge

                  Re: Just what is needed?

                  I've just been on these fora too long. Oddly, much of what aMfM posts is comprehensible to me. Weird, off the wall, disturbing even, but comprehensible. Alistair

                  A Slick Fit, Alistair, for Stealthy Intelligence Service Providers Enamoured of Exercise with the likes of these thoughts? :-) .......

                  We need some true wild cards, artists, people who never went to university and fought their way out of an appalling hell hole, weirdos from William Gibson novels like that girl hired by Bigend as a brand ‘diviner’ who feels sick at the sight of Tommy Hilfiger or that Chinese-Cuban free runner from a crime family hired by the KGB. If you want to figure out what characters around Putin might do, or how international criminal gangs might exploit holes in our border security, you don’t want more Oxbridge English graduates who chat about Lacan at dinner parties with TV producers and spread fake news about fake news. ..... The Circus with Many Rings is Hiring

                  And the following is sweet and sour heavy rock music to the ears of many nowadays in the Almighty Age of 0days, I'd bet ...

                  We’re particularly interested in deep experts on TV and digital. We also are interested in people who have worked in movies or on advertising campaigns. There are some very interesting possibilities in the intersection of technology and story telling — if you’ve done something weird, this may be the place for you.

                  And no ..... as far as I know, none of the above has been BasicAlly AI Machine generated courtesy of a full-sized GPT-2 model, called 1558M? although one would never ever know whenever it be the case.

                  Would human controllers seek then to present that practical transformation and virtual transubstantiation as a problem for creation of totally unnecessary self-destructive conflicts in which they themselves are neither able nor able to be enabled with others to defend and reign over everything victorious? Would they be so retarded and clueless?

                  Do you fear and despair the honest answer is a resounding and unambiguous Yes? :-)

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: Just what is needed is

                    ...squeezin' out a tiny "Y-y-yess" (-:

  3. Jan 0
    Devil

    As usual, it's for Windows, the gift that keeps on giving (to malware writers).

    1. The Man Who Fell To Earth Silver badge
      FAIL

      Virtual Box

      Since the malware runs in a Virtual Box VM, it should be able to run on any host OS that Virtualbox runs on. VirtualBox runs on Windows, Linux, Macintosh, and Solaris.

  4. bombastic bob Silver badge
    Devil

    Use of SMBv1 for XP compat may be at the core

    Since the VM is (apparently) running a version of Windowx XP, I have to wonder whether or not the BLOCKING of SMBv1 would stop it dead in its tracks?

    SMBv1 is known to have serious vulnerabilities due to weak encryption. In every version of windows since Vista it should be possible to turn SMBv1 compatibility OFF [and this includes any Samba servers or NAS drives]. Unless you need to run XP machines on your network with file sharing enabled, it's probably a good idea to do this anyway.

    I would be interested, though, in knowing whether "disable SMBv1" is a possible mitigation for this ransomware.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Use of SMBv1 for XP compat may be at the core

      FWIW the files are shared between host and guest through vboxsf, VirtualBox's shared folder driver. There's no SMB involved TTBOMK. If a network share is mapped to the host, it can be accessed by the guest via vboxsf.

      C.

    2. Joe Montana

      Re: Use of SMBv1 for XP compat may be at the core

      Encryption is not the reason to deprecate SMBv1... SMBv2 doesn't implement encryption either, and it's optional for newer versions of SMBv3.

      The problem is the inherent complexity and age of the protocol, with smbv2/v3 being much cleaner and simpler.

      However they are also not without problems, on windows the protocol is deeply embedded into the os and runs with a high privilege level, the protocol allows a lot more than just file sharing, and there are still weaknesses with the authentication system - especially ntlm.

  5. Anonymous Coward
    Anonymous Coward

    Good idea

    I like this method, I think we could improve it by switching it to a tightly compiled Linux distro.

    A smaller footprint should help make it more difficult to detect running in the background.

    You could build a tiny distro specifically for the VM, including only absolutely the modules necessary to operate, nothing more, nothing less. Heavily reducing the ram and storage footprint, thus less obvious.

    Because we're stimulating hardware in a VM, that should be dead simple. Stick the ability to mount NTFS and FAT32 in there, and we're good to go.

    Although, it may be worth seeing if we can use an existing hypervisor on the system, dumping a new one just for the ransomware seems pointless when one already exists.

    A hidden VM configuration on an existing hypervisor would work a treat, and would probably remain unnoticed while it performs it's task, or longer if we also siphoned some user data for ourselves.

    Ofc, if not available dump our own legit-looking hypervisor instead.

    The advantage is, if it was done so that the virus code and os are linux based, it would be more difficult for your average Windows AV to pickup.

    That said, viruses and ransomware are bad. Don't do it. I'm not endorsing this behaviour in any way. Simply some random ideas.

    1. Negative Charlie

      Re: Good idea

      It's not the craziest way to get Linux on the Desktop.

  6. RobinCM

    Once they've gained administrative access

    So it's game over at that point then.

    1. stiine Silver badge

      Re: Once they've gained administrative access

      No. Not at all. Once they have admin rights, they still have to evade your IDS/IPS/AV and any monitoring systems. That's what they use the VM for. What they can't hide is the memory used by their VM.

  7. Pier Reviewer

    If you don’t care about security, the bad guys care about you

    Internet facing RDP... Jesus. I love it when you find it on jobs. It’s an easy win. It’s insane that people don’t put it behind a VPN (that requires MFA).

    Ofc that alone isn’t a fix for ransomware. There is no single fix, which is why companies keep getting reamed. They’d evidently rather risk paying millions than definitely spend money avoiding the risk, even if it basically guarantees they won’t be badly affected. It’s 100% the board’s fault. They could force a change, but costs reduce their dividends. Better to risk it and make secret payments to the criminals if you get hit rather than reduce your take home pay innit?

    The fix? Nothing new or exciting. Regular, tested off-site backups, maintain a register of installed software and audit it regularly, patch regularly, MFA for all sensitive services and accounts etc.

  8. Nifty

    Don't any of the current anti malware products have a way of detecting that bulk encryption is in progress?

    1. G28

      Sophos

      I’m not sure about other vendors but I know Sophos claim to be able to detect it and roll it back.

  9. Claverhouse Silver badge
    Angel

    Well, even if the local machine's backups are deleted by this process, most companies have little to fear since for important data they no doubt take frequent off-site backups to other dedicated machines, from which quick restoral to one of the clean backups can be fast achieved.

  10. Sanguma Bronze badge
    Pirate

    well, well, well

    three holes in the ground. With water at the bottom and rain coming down.

    I'm thinking that is should be possible to roll this back the way that enterprising developer did with that phone call scammer chappie. Now they've been so kind as to give us some hints as to where their whereabouts are, or at least their hardware assets are, shurly one could track it down and - turnabout is fair play.

    What do people think? Is it possible to infect the ransomware chappies with ransomware?

  11. Julian 8

    Wonder if it would work on an existing vbox installation ?

    Stopping apps from running from %appdata% maybe useful in this respect, though that on its own is a nightmare (being the family IT guy and trying to convince them all not to be admins and then stopping crap apps from installing and running from %appdata% anyway - even MS kills me on this and a non domain does not make this easy to work)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020