The Newest Kind of Ransomware Attack—and How to Avoid it
By: Tom Banta on August 18, 2020
Every organization needs to be vigilant against a variety of cyberthreats in an age when even a seemingly minor phishing attack could end up bringing an entire company to a standstill. Malware and ransomware attacks can take a variety of forms and force cybersecurity professionals to constantly adapt their defenses to counter the ongoing threat.
How Ransomware Works
One of the most frightening forms of malware facing today’s enterprises, ransomware attacks hold data hostage by first infiltrating a network system and then encrypting files so the owner cannot access them. In most cases, ransomware is all but impossible to crack, often erasing the encrypted files if any attempt is made to access them. Attackers then demand that the victim pay a ransom in order to receive a decryption key to unlock the files. As one might expect, however, there is no guarantee that the attackers will make good on their end of the deal once the funds are transferred.
Ransomware comes in many different forms, each operating in a slightly different way. Some spread and execute like typical malware, while others must be launched manually. From well-established and continually evolving examples like the infamous CryptoLocker to more sophisticated “ransomware-as-a-service” licensed programs like Cerber, organizations must constantly be on guard against the latest developments in ransomware technology and strategies.
Recent Ransomware Attacks
To understand the scope and scale of the risk, look no further than the GPS company Garmin, which was hammered by a ransomware attack that took its services offline for several days. With a trove of customer data being held hostage, Garmin reportedly paid at least some portion of the multimillion-dollar ransom demanded by the attackers.
Garmin was hardly the only enterprise to fall victim to ransomware attacks in 2020. About a month earlier, portions of Honda’s global operations were forced to shut down in response to a ransomware attack.
The Latest Ransomware Strategies
One of the most brazenly innovative malware developments over the last year is a technique pioneered by the group behind the RagnarLocker ransomware. Known for launching manual cyberattacks on well-protected enterprises, the RagnarLocker group uses internet-exposed remote desktop protocol (RDP) endpoints and a set of compromised managed service provider (MSP) tools to gain access to company networks. What sets these attacks apart, however, is what they do after they gain access.
Most ransomware cyberattacks work by uploading malware into a network system and executing it using available resources. For a network with anti-virus software running, however, this is like sending up a signal flare in the dead of night. Good security software recognizes the malware for what it is and immediately takes action to cut off its access before it can begin encrypting drives and files.
Rather than executing their ransomware directly on the targeted computer systems, the RagnarLocker group instead used their access to download and install an outdated version of Oracle VirtualBox, a hypervisor capable of running a limited number of virtual machines (VMs). Once VirtualBox was in place, they configured a VM with full access to all local and shared drives on the system, then booted it up to run a bare-bones version of Windows XP SP3 called MicroXP v0.82.
After the preparation was complete, they loaded and executed the ransomware inside the VM. Because the ransomware ran inside the VM rather than on the host, it completely avoided detection by the enterprise anti-virus software. When the malware began encrypting files on the shared drives, the file operations reached the host through VirtualBox, which appeared to be a legitimate process running on the system.
The advantage of this inventive strategy was that the ransomware had a completely safe environment to operate within. Security software typically does not monitor activity inside virtual machines, making them an ideal place to hide ransomware or cryptomining malware. This technique could prove particularly troublesome for organizations that rely on a large number of virtual machines. A VM loaded with ransomware could be set up and left dormant in the system for quite some time before the attackers decide to launch an attack.
New Cybersecurity Strategies for New Threats
Fortunately, most cybersecurity experts don’t expect this strategy to become the new normal for ransomware attacks. For one thing, it’s an overly complex way to launch an attack that creates many opportunities for detection along the way. Setting up a VM takes both time and processing resources, and any organization that lacks the monitoring capacity to detect such activity is probably already vulnerable in many other ways that are much easier to exploit.
While the use of a VM to launch ransomware attacks was certainly creative, the situation exposes a much more serious underlying issue. In order to carry out the attack in the first place, the attackers needed highly privileged access within the system. Stronger application controls that prevent unknown executables from running, or policy restrictions that prevent the installation of hypervisors and VMs, could easily block this strategy. Microsegmentation that prevents VMs from accessing outside files would also be effective. Zero trust policies that monitor activity and require ongoing authentication for various actions are another key security measure every enterprise should put in place.
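The two things a defender can watch for in the technique described above (a VirtualBox process appearing on a host that is not supposed to run a hypervisor, and a VM shared folder mapped to an entire drive) can be checked in process-creation telemetry. The following is an added example, not code from the original article or from any vendor; the event records are constructed to resemble Sysmon process-creation fields, and the host names, allowlist and paths are assumptions for illustration.

```python
"""Flag the 'ransomware inside a VirtualBox VM' pattern in process-creation logs."""
import re
from dataclasses import dataclass

# Hosts where a hypervisor is legitimately expected (assumed allowlist).
AUTHORIZED_VM_HOSTS = {"DEV-WS-01"}

# Executable names shipped with Oracle VirtualBox.
VBOX_IMAGES = {"vboxheadless.exe", "vboxmanage.exe", "vboxsvc.exe", "virtualbox.exe"}

# A shared folder whose host path is a drive root (C:\) or a UNC share gives the
# guest the full-disk reach the article describes; a subfolder does not match.
BROAD_HOSTPATH = re.compile(r'--hostpath\s+"?([A-Za-z]:\\?|\\\\[^\s"]+)"?(?=\s|$)', re.I)

@dataclass
class Finding:
    host: str
    reason: str
    command: str

def analyze(events):
    """events: iterable of dicts with Host, Image, CommandLine (constructed schema)."""
    findings = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        cmd = ev.get("CommandLine", "")
        if image not in VBOX_IMAGES:
            continue
        if ev["Host"] not in AUTHORIZED_VM_HOSTS:
            findings.append(Finding(ev["Host"], "VirtualBox process on unauthorized host", cmd))
        m = BROAD_HOSTPATH.search(cmd)
        if "sharedfolder" in cmd.lower() and m:
            findings.append(Finding(ev["Host"], f"VM shared folder mapped to {m.group(1)}", cmd))
    return findings

SAMPLE_EVENTS = [  # constructed sample telemetry, not real incident data
    {"Host": "DEV-WS-01", "Image": r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe",
     "CommandLine": "VirtualBox.exe --startvm dev-test"},
    {"Host": "FILESRV-02", "Image": r"C:\Users\svc_mgmt\AppData\Local\Temp\VBoxManage.exe",
     "CommandLine": r'VBoxManage.exe sharedfolder add "micro" --name C_DRIVE --hostpath "C:\" --automount'},
    {"Host": "FILESRV-02", "Image": r"C:\Users\svc_mgmt\AppData\Local\Temp\VBoxHeadless.exe",
     "CommandLine": "VBoxHeadless.exe --startvm micro"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.reason}: {f.command}")
```

The authorized developer workstation produces no finding, while the file server yields three: two for the unexpected hypervisor binaries and one for the drive-root shared folder.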
Secure Your Organization with Colocation Services
One of the best steps an organization can take to protect itself from a cyberattack is to migrate its assets into a secure colocation environment that provides a strong foundational infrastructure. Starting with that foundation, it can build out a robust network that utilizes a combination of security-focused MSPs and cutting-edge cybersecurity software. vXchnge data centers deliver reliable infrastructure and best-in-class DDoS protection through vX\defend to give our colocation customers the support they need to keep their essential data safe.