Virtual machines are becoming an increasingly popular avenue cybercriminals are taking to distribute their ransomware payloads onto compromised corporate networks.
Bad actors have been exploiting VMs in recent years as a way of running under the radar, making it more difficult to detect their malware while it encrypts the data they intend to hold for ransom. Security analysts at Sophos’ Managed Threat Response unit last year detailed some campaigns that used VMs to hide their malicious payloads.
More recently, Yelisey Boguslavskiy, a security researcher with cybersecurity firm Advanced Intel, earlier this month found that the high-profile ransomware group REvil is using a Linux encryptor that leverages VMware ESXi VMs and also can work on network-attached storage (NAS) systems. Also this month, security researchers at Symantec, while investigating an attempted ransomware attack, found that the attackers had used a VirtualBox VM – which is legitimate virtual machine software developed by Oracle – to help spread its malicious code.
“Symantec has found evidence that an increasing number of ransomware attackers are using virtual machines (VMs) in order to run their ransomware payloads on compromised computers,” the researchers from the company’s Threat Hunter Team wrote in a blog post. “The motivation behind the tactic is stealth. In order to avoid raising suspicions or triggering antivirus software, the ransomware payload will ‘hide’ within a VM while encrypting files on the host computer.”
A Growing Trend
Sophos researchers last year found that Ragnar Locker ransomware was deployed inside a VirtualBox Windows XP virtual machine to conceal its payload. The bad actors behind the Maze ransomware later used a similar technique that used a full installation of Windows 7 running inside a VirtualBox.
“The Maze threat actors have proven to be adept at adopting the techniques demonstrated to be successful by other ransomware gangs, including the use of extortion as a means to extract payment from victims,” they wrote. “As endpoint protection products improve their abilities to defend against ransomware, attackers are forced to expend greater effort to make an end-run around those protections.”
Symantec analysts were unable to identify the payload in the VM, but they suspected it was the Conti ransomware, which has been responsible for such attacks as the one last month on the Irish healthcare system, where the group demanded $20 million in ransom. At the same time, Symantec noted that Mount Locker ransomware was found on the same computer that the VM was deployed on, though because “the main purpose of running a payload on a VM is to avoid detection, it doesn’t make much sense for the attacker to also deploy the payload on the host computer.”
A possibility is that the attacker is an “affiliate operator” who has access to both Conti and Mount Locker, the researchers said.
An Evolving Field
Attackers leveraging ransomware and other techniques are constantly evolving their methodologies to keep a step ahead of the latest detection and prevention efforts. Cybersecurity vendor McAfee, in its first-quarter threat report this month, noted that bad actors are increasingly turning to ransomware-as-a-service (RaaS) campaigns. They are shifting away from wide-reaching multi-target ransomware attacks that tend to come with low returns and instead are using more targeted RaaS campaigns aimed at fewer but larger organizations and that come with larger ransom demands.
The use of virtual machines is another adaptation to avoid detection. Enterprises continue to adopt VMs to make device management, resource use and data backup easier and more efficient. Leveraging them gives attackers another way to deliver their ransomware payloads.
“Many are now heavily relying on legitimate and dual-use tools in order to stage attacks on targeted networks,” Symantec researchers wrote. “The ransomware payload itself is often the stage of the attack most likely to raise red flags and, by hiding it in a virtual machine, there is an expectation that it may not be discovered. Organizations should exercise increased vigilance in relation to the unauthorized installation of virtual machines on their networks.”
Digital Transformation Increases Attack Surface
As organizations continue to digitize their businesses, they will continue to increasingly move their infrastructures to VMs and hybrid cloud environments to increase their flexibility and drive down costs, Karl Steinkamp, director of PCI product and quality assurance at cybersecurity services provider Coalfire, told eSecurity Planet. REvil upgrading its platform to target Linux ESXi hosts “would enable bad actors to go after Linux systems on multiple clouds in addition to targeting on-premise systems,” Steinkamp said. “It’s an unfortunate but expected outcome given the popularity of cloud offerings.”
Sean Nikkel, senior cyber threat intel analyst at cybersecurity company Digital Shadows, noted that ESXi has been the target of various ransomware groups, including RansomEXX, DarkSide and Babuk Locker, as well as the Maze group.
“Adversaries have been attacking virtual machines for years prior to these incidents,” Nikkel told eSecurity Planet. “If nothing else, it’s a growth in capability for an already active and prolific group, with some interesting features. It’s realistically possible we’ll continue to see other groups mirror these developments or improve their own wares. A virtual machine typically has the same software running as a physical server, and if it’s vulnerable, there’s a good chance someone will exploit it.”
VMware Pushes Back
He added that VMware released updates for the most recent vulnerabilities that were disclosed this spring, but that “adversaries are likely taking advantage of organizations that may be slow to patch.”
Coalfire’s Steinkamp also noted that REvil’s ransomware efforts targeting VMs “may be somewhat blunted because the first command the malware runs is disabled by default on ESXi system. Attackers will need to find another way into ESXi systems if this configuration hasn’t been enabled on the systems. Additionally, access to run commands from the malware is dependent upon gaining administrator permissions.”
Enterprises that maintain strong configuration management and access control will likely do better in these types of ransomware attacks, he said.
Further reading: How Zero Trust Security Can Protect Against Ransomware
Dirk Schrader, global vice president for security research at Netwrix’s New Net Technologies business, told eSecurity Planet that for companies running ESXi environments, they should make sure to check their exposure, validate all accounts that have access to the environment and closely monitor for any changes that are happening.
Shawn Smith, director of infrastructure at cybersecurity vendor nVisium, agreed, noting that companies also will want to keep good backups and have well-tested business continuity and disaster recovery plans in place in case such an attack happens and to keep up with the always-evolving cyberattack methods.
“This attack on the virtual machine infrastructure is a good reminder that new avenues of attack are being created every day, and if an attack doesn’t exist today, it’s still a real possibility tomorrow,” Smith told eSecurity Planet.
