Attackers' use of virtual machine to hide ransomware is a first: researchers

Virtual machines are an important tool for threat analysts as they debug and investigate malware. But now there is a documented case of malicious cyber actors exploiting a VM to their advantage in an attempt to hide a Ragnar Locker ransomware attack.


Researchers at Sophos, who uncovered the technique, claim that such trickery is a first for a ransomware attack, and likely any kind of malware campaign. The tactic “lends itself very well to ransomware because it wants to encrypt files, and attackers would want that to be done by a trusted application,” said Mark Loman, director of engineering, threat mitigation, at Sophos, in an interview with SC Media.


In a blog post on the topic, Loman explains that a ransomware attack leveraging a VM environment “takes defense evasion to a new level.” That’s because while the malicious code is able to attack the disks and drives of an infected host, the security software installed on said host cannot reach the malware. “Defenders only have a view of the ph ..
