VMs Help Ransomware Attackers Evade Detection, But It's Uncommon

Some ransomware attackers use virtual machines to bypass security detection, but adoption is slow for the complicated technique.

Security researchers have discovered another ransomware group using virtual machines (VMs) to slip past defensive tools on target devices. While effective in hiding ransomware activity, this tactic is more complex than a traditional ransomware attack and may hamper the attackers' efforts.


The trend emerged last year, when Sophos researchers found Ragnar Locker ransomware was being deployed as a full VM on each targeted device to hide the ransomware from view. A few months later, the Maze ransomware group was spotted using the same technique, albeit with some differences. Ragnar Locker was deployed inside an Oracle VirtualBox Windows XP VM, for example, while the Maze-delivered VM was running Windows 7.


Now Symantec researchers have found another group using VMs to run ransomware payloads on compromised machines. In this case, the attackers had installed a VirtualBox VM on some infected computers, and the VM they used appeared to be running Windows 7, they report.
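As an added example (not code from the article or from the Sophos/Symantec research), the following hunt runs over constructed process-creation events and flags VirtualBox components starting on endpoints that are not on an assumed allowlist of approved hypervisor hosts; the extra heuristics (hypervisor running from a non-standard path, host folders shared into the guest) are assumptions about what a VM-hosted encryptor needs, not findings from the page.

```python
# Added example: hunt process telemetry for VirtualBox launched where no hypervisor
# is expected. Binary names are VirtualBox's own; log format, hosts and allowlist
# are constructed for the example.
from collections import defaultdict

VBOX_IMAGES = {"virtualbox.exe", "vboxheadless.exe", "vboxmanage.exe", "vboxsvc.exe"}
# Hosts where IT legitimately runs VirtualBox (assumed allowlist).
APPROVED_HYPERVISOR_HOSTS = {"dev-ws-07"}

# Constructed sample events: "timestamp|host|user|image_path|command_line"
SAMPLE_EVENTS = """\
2021-05-01T10:02:11|fin-ws-12|alice|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
2021-05-01T10:05:43|fin-ws-12|alice|C:\\Users\\alice\\AppData\\Local\\Temp\\vbox\\VBoxHeadless.exe|VBoxHeadless.exe --startvm micro
2021-05-01T10:07:02|dev-ws-07|bob|C:\\Program Files\\Oracle\\VirtualBox\\VirtualBox.exe|VirtualBox.exe
2021-05-01T10:09:17|fin-ws-12|alice|C:\\Users\\alice\\AppData\\Local\\Temp\\vbox\\VBoxManage.exe|VBoxManage.exe sharedfolder add micro --name drives --hostpath C:\\
"""


def parse_events(text):
    """Yield one dict per pipe-delimited event line (blank lines skipped)."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmd = line.split("|", 4)
        yield {"ts": ts, "host": host, "user": user, "image": image, "cmd": cmd}


def find_unexpected_vbox(events, approved=APPROVED_HYPERVISOR_HOSTS):
    """Return {host: [(timestamp, [reasons]), ...]} for VirtualBox activity off the allowlist."""
    findings = defaultdict(list)
    for e in events:
        name = e["image"].rsplit("\\", 1)[-1].lower()
        if name not in VBOX_IMAGES or e["host"] in approved:
            continue
        reasons = [f"{name} launched by {e['user']}"]
        # Assumed heuristic: a hypervisor run from a user-writable temp path rather
        # than its normal install location deserves a closer look.
        if "\\program files" not in e["image"].lower():
            reasons.append("VirtualBox binary running from non-standard path")
        # Assumed heuristic: an encryptor inside the guest can only reach host files
        # if host drives are exposed to the VM, e.g. via shared folders.
        if "sharedfolder" in e["cmd"].lower():
            reasons.append("host folders shared into guest VM")
        findings[e["host"]].append((e["ts"], reasons))
    return dict(findings)


if __name__ == "__main__":
    for host, hits in find_unexpected_vbox(parse_events(SAMPLE_EVENTS)).items():
        for ts, reasons in hits:
            print(host, ts, "; ".join(reasons))
```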


While the payload running in the VM was not identified, there are "reasonably strong indicators" that it's Conti: A username and password combination used in the attack had been previously linked to older Conti activity in April. However, on the same computer on which the VM was deployed, Symantec also saw Mount Locker ransomware being deployed.


This was strange, they say, as the purpose of running a payload in a VM is to evade detection. It didn't make sense to also deploy it on the host machine. Researchers hypothesize the atta ..
