Ransomware Gangs Use VM to Hide Attacks

Posted by
Jun 25, 2021
Reviewed by
Jan 16, 2024
min. read
Table of Contents

A key issue in cybersecurity is keeping pace with criminal capabilities. New technological advances bring new vulnerabilities. Cybercriminals are not only inventive in the way they target computer systems—they are also highly adaptable to new security measures.

The cybersecurity firm Symantec recently discovered a new tactic that is increasingly being used by ransomware attackers to evade detection while they encrypt files on an infected computer: the use of virtual machines to execute ransomware payloads.

Stealth Mode for Ransomware

An investigation by Symantec of recent attempted ransomware attacks found an unusual variation that had previously been noted in the Ragnar Locker attacks last year. In that case, attackers used an Oracle VirtualBox using a Windows XP virtual machine.

In more recent incidents, Symantec found that attackers installed VirtualBox VM running Windows 7 on infected machines. The VM was delivered using a malicious installer file. The motivation, it seems, was stealth.

“In order to avoid raising suspicions or triggering antivirus software, the ransomware payload will ‘hide’ within a VM while encrypting files on the host computer,” Symantec noted in a blog post about their investigation.

Virtual Vulnerabilities

The use of VM is a clever way to evade cybersecurity measures. Attackers install legitimate VM software that contains ransomware. The VMs run separately from the machines that host them, but they can have access to files and directories on host machines via shared folders.

VM allows attackers to target a host computer without being immediately detected by administrators or security software. By the time an attack has been discovered, ransomware will have already been deployed and host computer files encrypted.

It remains unclear which ransomware gangs have adopted this new VM tactic. But Symantec found some evidence to suggest that attackers were using Conti. This was the ransomware used in an attack on Ireland’s Health Service Executive earlier this year.

Mitigating Ransomware Threats

Symantec suggested that organizations might consider adopting software inventory and restriction tools to control what licensed software installations are permitted. They also advised upgrading to enterprise VM software that restricts the creation of new unauthorized VMs.

Ransomware gangs have found numerous ways to penetrate even the most well-defended computer networks. Following best practices for basic digital hygiene can eliminate common threats, such as email phishing campaigns. More sophisticated attacks require other tools.

SecureData specializes in comprehensive data security solutions that create layers of protection against ransomware and malware. Offline encrypted backups on our award-winning FIPS-validated storage devices make sure you have a clean copy of all critical data unconnected from infected servers.

Remote drive management provides IT administrators unparalleled control over how, when, and by whom your organization’s drives can be accessed. If a drive gets lost or stolen, passwords can be remotely wiped to prevent the leak of critical or regulated data.

One of the most common vectors of attack for ransomware is via infected USB drives. Our SecureGuard port-blocking software allows IT administrators total control over whitelisting and blacklisting USB devices to protect computer networks from infection.


Discover our secure data Solutions

Data Recovery Services

From single external hard drives, SSD’s, mobile devices to enterprise NAS, SAN, and RAID failures, we are ready to help recover from digital disasters, anywhere.

Request Help
Allan Buxton

Allan Buxton is the Senior Data Recovery & Digital Forensics Expert for Secure Data Recovery Services. He has worked in the digital forensics and data recovery industries for more than two decades, establishing himself as a preeminent subject expert. In that time, he has completed over 500 forensic examinations for criminal and civil cases. He is proficient across numerous analysis applications and understands how to recover data from damaged or malfunctioning devices.

© 2024 SecureData Corporation or its affiliates. All rights reserved.