New Malware Hides Inside Rogue Virtual Machines

Data Center Knowledge, June 2, 2020, with comments from Satya Gupta.

Security experts identify a new worrisome threat vector, but not all of them agree it has legs.

Malware operators are always seeking new ways to infiltrate networks without being noticed. Their latest hiding place for malicious code is inside virtual machines (VMs).

Sophos researchers have found ransomware that runs inside a VirtualBox virtual machine to avoid detection until it is time to strike. The ransomware, Ragnar Locker, is deployed inside a copy of the old 2009 Oracle (formerly Sun) xVM VirtualBox. Ragnar Locker follows the growing practice among ransomware operators of stealing data before encrypting it, and it deletes the system's own backups, the Volume Shadow Copies, so they cannot be used for recovery.

This VM-based ransomware targets Windows PCs and can spread to Windows servers in internal data centers over file shares: a single infected endpoint with a mapped network drive is enough to encrypt everything reachable from it. Data center operators can reduce the risk by closely monitoring file-sharing traffic between servers and endpoints, because ransomware detection products do not usually cover shared folders.

Opinions Are Mixed on the Significance of This Threat Vector

Some cybersecurity experts feel this threat is unlikely to loom large, because the technique has too many detection points and there are easier ways to pull off the attack with higher privileges. But the method could cause problems down the road as a developing strategy for attacking virtualized data centers, and it is likely to be adopted by other ransomware groups.

Also worrisome, the same method can hide advanced persistent threats and cryptominers. Legitimate VMs protect their contents with security software that runs inside the guest, or with malware checks performed before the VM launches, but neither protection applies when the attacker builds the VM.

"The initial vulnerability is the real root cause of the problem," Satya Gupta, founder and CTO at Virsec Systems, a cybersecurity vendor, said.

Finally, strong application control, under which unknown executables are not allowed to run at all, can help protect environments, especially when combined with additional security policies.

"I might let one script in a PowerShell execute, but not another one," Gupta said. "I might have a policy to never install a virtual machine." Then the data center wouldn’t ever get to a point where it had to detect rogue VMs.
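The two controls described above, allow-listing known executables and scripts and refusing to let a VM be installed at all, can be expressed as a Windows AppLocker policy, and the file-share exposure noted earlier can be audited on the same host. The script below is an added example and is not code from the article, from Sophos or from Virsec. It assumes it is run as Administrator on a Windows host with the Application Identity service available; the process name VBoxHeadless.exe and the service name VBoxDrv are VirtualBox's own, while the path wildcards, rule names and the audit function name are this example's choices. AppLocker evaluates Deny rules before Allow rules, so the VirtualBox deny holds even for administrators.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's or Virsec's code.
# Policy: run only executables and scripts from Windows and Program Files,
# and never run VirtualBox, wherever it has been dropped on disk.

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <!-- Deny rules win over Allow rules, so this blocks VBoxHeadless.exe, VBoxSVC.exe, ... even under Program Files -->
    <FilePathRule Id="$(New-Guid)" Name="Deny VirtualBox binaries" Description="Policy: never install a VM on this host" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="*\VBox*.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Deny VirtualBox GUI" Description="Policy: never install a VM on this host" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="*\VirtualBox*.exe" /></Conditions>
    </FilePathRule>
    <!-- Allow list: anything else must live in a location only administrators can write to -->
    <FilePathRule Id="$(New-Guid)" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <!-- "Let one script execute, but not another": only scripts shipped with the OS or installed software may run -->
    <FilePathRule Id="$(New-Guid)" Name="Allow Windows scripts" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Program Files scripts" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'no-rogue-vm-applocker.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# AppLocker does nothing unless the Application Identity service is running.
# (sc.exe is used because Set-Service cannot change this protected service on recent Windows builds.)
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc -ErrorAction SilentlyContinue

# Apply as the local policy; add -Ldap to push it into a GPO instead.
Set-AppLockerPolicy -XmlPolicy $policyPath

# Dry-run the policy against a binary that is already on disk, if one exists (hypothetical path).
$probe = 'C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe'
if (Test-Path $probe) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User Everyone | Format-Table FilePath, PolicyDecision
}

# Audit (hypothetical helper name): is VirtualBox present, and which network drives
# could a rogue VM reach through shared folders from this endpoint?
function Get-RogueVmExposure {
    $driver = Get-Service -Name VBoxDrv -ErrorAction SilentlyContinue
    $procs  = @(Get-Process -Name 'VBox*', 'VirtualBox*' -ErrorAction SilentlyContinue)
    $inst   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
              Where-Object { $_.DisplayName -like '*VirtualBox*' }
    $maps   = @(Get-SmbMapping -ErrorAction SilentlyContinue | Select-Object -ExpandProperty RemotePath)
    [pscustomobject]@{
        VirtualBoxDriverService = [bool]$driver
        VirtualBoxProcesses     = $procs.Count
        VirtualBoxInstalled     = [bool]$inst
        ReachableNetworkDrives  = $maps
    }
}

Get-RogueVmExposure | Format-List
```

Run the audit first with enforcement set to `AuditOnly` in both `RuleCollection` elements and review the AppLocker event log for a few days before switching to `Enabled`; an allow-list that is turned on blind will also stop legitimate tools that live outside Program Files.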

Read the full New Malware Hides Inside Rogue Virtual Machines article at Data Center Knowledge.

Further resources:

Solution Brief: Ransomware Protection

New Malware Makes Air-Gapped Data Center Networks Less Bulletproof

Following in GandCrab Footsteps, Sodinokibi Ransomware Is Storming Organizations

New Technique Lets Hackers Use Vulnerability to Bypass & Disable Any Anti-Virus (AV) Software On Any Device with Any OS - Windows, Mac, Linux

Defending Against The New Reality Of Fileless Malware Attacks