Jump to content
  • New Ransomware Uses Virtual Machine to Launch Attacks

    aum

    • 461 views
    • 2 minutes
     Share


    • 461 views
    • 2 minutes

    New Ransomware Uses Virtual Machine to Launch Attacks

     

    Cybercriminals are increasingly using virtual machines to launch very ingenious ransomware cyberattacks

     

    Cybercriminals are running more and more malicious payloads via Virtual Machines, according to Symantec Threat Hunter Team.

     

    Help Net Security investigated an attempted ransomware attack that was executed via a VirtualBox Virtual Machine created on some compromised computers. Unlike the documented RagnarLocker attacks using Virtual Machines with Windows XP, the new threat seems to be running Windows 7.

     

    Moreover, according to Dick O'Brien of the Symantec Threat Hunter Team, the VM was deployed via a malicious executable that was pre-installed during the reconnaissance and lateral movement phases of operations.

     

    So far, the researchers were unable to determine whether the payload in the VM was Mount Locker or Conti ransomware. The later was detected on the endpoint and needs a username and password combination, both specific to previous Conti activity.

     

    It is assumed that the malware resided on the VM's hard drive and can be automatically launched once the operating system is fully booted. The installer executable checked if the host was an Active Directory controller, whereas in other cases it employed a Russian keyboard layout to identify and terminate the operation if it did.

     

    Symantec Threat Hunter team explained “One possible explanation is that the attacker is an affiliate operator with access to both Conti and Mount Locker. They may have attempted to run a payload (either Conti or Mount Locker) on a virtual machine and, when that didn’t work, opted to run Mount Locker on the host computer instead”.

     

    Preventing unauthorized Virtual Machines 


    You should know that most attackers and ransomware operators like to use legal, off-purpose tools to enhance their activities while remaining undetected for as long as possible.

     

    Organizations can prevent unauthorized VMs from being deployed by using software inventory and apply restrictions to licensed software so that they can be checked before rolling out. Another way to secure the virtual environment would be to implement security technologies specialized in this niche or opt for enterprise versions that prevent the creation of new unauthorized VM sessions altogether.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...