A new study warns of a ransomware technique in which the attackers run a virtual machine (such as VirtualBox) on the target computer and encrypt files from inside it. Because the malicious activity happens inside the guest, it can fall outside the reach of the computer’s local antivirus software.
According to the UK-based cyber security company Sophos, the ransomware group known as Ragnar Locker is quite selective in its choice of victims. Ragnar’s targets tend to be businesses rather than individual users.
Nearly 1,850 BTC ransoms demanded in a single attack
Ragnar Locker demands large sums of money from its victims to release their files. The group also threatens to publish confidential data if the victims do not pay the ransom.
Sophos cited the attack on Portugal’s Energias network, in which the attackers stole 10 TB of confidential data and demanded nearly 1,850 Bitcoin, approximately $11 million (at the time of this publication), to keep the data from being leaked.
The ransomware’s modus operandi is to exploit weaknesses in Windows remote desktop deployments, through which the attackers gain administrator access to the computer.
With the necessary permissions in hand, the attackers configure the virtual machine so that it can reach the files on the host. They then boot the virtual machine, which runs a stripped-down version of Windows XP called „Micro XP v0.82“.
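The defender’s side of the technique described above, as an added example that is not part of the original article or of Sophos’s report: a few heuristic rules run over constructed Sysmon-style process-creation records. The VirtualBox binary names and the `sharedfolder add` / `--hostpath` / `--automount` / `--startvm` command syntax are real VirtualBox CLI; the install paths, VM name and sample records are assumptions.

```python
import re

# Constructed detection heuristics for "ransomware launched from a guest VM" activity.
# Not vendor detection content; the paths and VM name below are illustrative.
VBOX_BINARIES = {"vboxmanage.exe", "vboxheadless.exe", "virtualbox.exe", "vboxsvc.exe"}
STANDARD_INSTALL = "c:\\program files\\oracle\\virtualbox\\"  # assumed normal install dir
# A host path that is a drive root (C:\) or a UNC share (\\server\share) exposes a
# whole volume to the guest, which is what lets guest-side ransomware reach host files.
BROAD_HOSTPATH = re.compile(r'--hostpath\s+"?(?:[a-z]:\\"?(?=\s|$)|\\\\[^\s"]+)', re.I)

# Constructed sample events: {"image": full path of the process, "cmdline": its command line}
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",           # benign developer use
     "cmdline": r'VBoxManage.exe sharedfolder add "devbox" --name projects --hostpath "C:\Users\alice\projects"'},
    {"image": r"C:\ProgramData\VBox\VBoxManage.exe",                          # dropped copy, maps all of C:
     "cmdline": r'VBoxManage.exe sharedfolder add "micro" --name C_DRIVE --hostpath C:\ --automount'},
    {"image": r"C:\ProgramData\VBox\VBoxHeadless.exe",                        # silent start of the guest
     "cmdline": r"VBoxHeadless.exe --startvm micro"},
    {"image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

def analyze_event(event):
    """Return the list of reasons an event looks like VM-based ransomware staging ([] if none)."""
    image = event["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    cmd = event["cmdline"].lower()
    reasons = []
    if name not in VBOX_BINARIES:
        return reasons                                 # only VirtualBox processes are scored
    if not image.startswith(STANDARD_INSTALL):
        reasons.append("VirtualBox binary outside the standard install path")
    if "sharedfolder" in cmd and " add" in cmd and BROAD_HOSTPATH.search(cmd):
        reasons.append("shared folder maps a whole drive or network share into the guest")
    if name == "vboxheadless.exe" or "--type headless" in cmd:
        reasons.append("VM started headless, with no window a user would notice")
    return reasons

def scan(events):
    """Map event index -> reasons for every event that trips at least one rule."""
    return {i: r for i, ev in enumerate(events) if (r := analyze_event(ev))}
```

A single hit (for example a headless start) is only a lead; the shared-folder rule combined with a non-standard binary path is the pattern worth an immediate triage.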
Ransomware’s tactics are becoming more „evil and extreme“
Speaking with Cointelegraph, Brett Callow, a threat analyst at the Emsisoft malware lab, provided more details about Ragnar Locker:
„It has recently been observed that operators launch ransomware from a virtual machine to avoid detection by security protocols. Like other ransomware groups, Ragnar Locker steals data and uses the threat of its launch as additional leverage to extort payment. If the company does not pay, the stolen data is posted on the group’s Tor site.“
Callow says the tactics implemented by ransomware groups are becoming increasingly „evil and extreme,“ with other ransomware groups now threatening to sell the data to the victim’s competitors or use it to attack their customers and business partners.
Emsisoft’s threat specialist adds the following:
„Companies in this situation do not have good options available to them. Even if the ransom is paid, they simply have a false promise made by a bad faith actor that the stolen data will be deleted and not misused.“