{"id":18762,"date":"2021-06-30T17:11:47","date_gmt":"2021-06-30T17:11:47","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=18762"},"modified":"2021-09-07T23:48:15","modified_gmt":"2021-09-07T23:48:15","slug":"ransomware-groups-target-virtual-machines-vms","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/","title":{"rendered":"Ransomware Groups are Targeting VMs"},"content":{"rendered":"<p>Virtual machines are becoming an increasingly popular avenue cybercriminals are taking to distribute their <a href=\"https:\/\/www.esecurityplanet.com\/threats\/ransomware-protection\/\">ransomware<\/a> payloads onto compromised corporate networks.<\/p>\n<p>Bad actors have been exploiting VMs in recent years as a way of running under the radar, making it more difficult to detect their malware while it encrypts the data they intend to hold for ransom. Security analysts at Sophos\u2019 Managed Threat Response unit last year detailed some campaigns that used VMs to hide their malicious payloads.<\/p>\n<p>More recently, Yelisey Boguslavskiy, a security researcher with cybersecurity firm Advanced Intel, earlier this month found that the high-profile ransomware group REvil is using a Linux encryptor that leverages VMware ESXi VMs and also can work on network-attached storage (NAS) systems. 
Also this month, security researchers at Symantec, while investigating an attempted ransomware attack, found that the attackers had used a VirtualBox VM \u2013 which is legitimate virtual machine software developed by Oracle \u2013 to help spread its malicious code.<\/p>\n<p>\u201cSymantec has found evidence that an increasing number of ransomware attackers are using virtual machines (VMs) in order to run their ransomware payloads on compromised computers,\u201d the researchers from the company\u2019s Threat Hunter Team wrote in a <a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/ransomware-virtual-machines\">blog post<\/a>. \u201cThe motivation behind the tactic is stealth. In order to avoid raising suspicions or triggering <a href=\"https:\/\/www.esecurityplanet.com\/products\/antivirus-software\/\">antivirus software<\/a>, the ransomware payload will \u2018hide\u2019 within a VM while encrypting files on the host computer.\u201d<\/p>\n<h2>A Growing Trend<\/h2>\n<p>Sophos researchers last year found that <a href=\"https:\/\/trends\/.sophos.com\/en-us\/2020\/05\/21\/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security\/\">Ragnar Locker ransomware<\/a> was deployed inside a VirtualBox Windows XP virtual machine to conceal its payload. The bad actors behind the <a href=\"https:\/\/trends\/.sophos.com\/en-us\/2020\/09\/17\/maze-attackers-adopt-ragnar-locker-virtual-machine-technique\/\">Maze ransomware<\/a> later used a similar technique that used a full installation of Windows 7 running inside a VirtualBox.<\/p>\n<p>\u201cThe Maze threat actors have proven to be adept at adopting the techniques demonstrated to be successful by other ransomware gangs, including\u00a0<a href=\"https:\/\/trends\/.sophos.com\/en-us\/2020\/08\/04\/the-realities-of-ransomware-the-evasion-arms-race\/\">the use of extortion<\/a>\u00a0as a means to extract payment from victims,\u201d they wrote. 
\u201cAs <a href=\"https:\/\/www.esecurityplanet.com\/products\/edr-solutions\/\">endpoint protection products<\/a> improve their abilities to defend against ransomware, attackers are forced to expend greater effort to make an end-run around those protections.\u201d<\/p>\n<p>Symantec analysts were unable to identify the payload in the VM, but they suspected it was the Conti ransomware, which has been responsible for such attacks as the one last month on the Irish healthcare system, where the group demanded $20 million in ransom. At the same time, Symantec noted that Mount Locker ransomware was found on the same computer that the VM was deployed on, though because \u201cthe main purpose of running a payload on a VM is to avoid detection, it doesn\u2019t make much sense for the attacker to also deploy the payload on the host computer.\u201d<\/p>\n<p>A possibility is that the attacker is an \u201caffiliate operator\u201d who has access to both Conti and Mount Locker, the researchers said.<\/p>\n<h2>An Evolving Field<\/h2>\n<p>Attackers leveraging ransomware and other techniques are constantly evolving their methodologies to keep a step ahead of the latest detection and prevention efforts. Cybersecurity vendor McAfee, in its first-quarter threat report this month, noted that bad actors are increasingly turning to <a href=\"https:\/\/www.esecurityplanet.com\/threats\/ransomware-as-a-service-raas-ttp-protections\/\">ransomware-as-a-service (RaaS) campaigns<\/a>. They are shifting away from wide-reaching multi-target ransomware attacks that tend to come with low returns and instead are using more targeted RaaS campaigns aimed at fewer but larger organizations and that come with larger ransom demands.<\/p>\n<p>The use of virtual machines is another adaptation to avoid detection. Enterprises continue to adopt VMs to make device management, resource use and data backup easier and more efficient. 
Leveraging them gives attackers another way to deliver their ransomware payloads.<\/p>\n<p>\u201cMany are now heavily relying on legitimate and dual-use tools in order to stage attacks on targeted networks,\u201d Symantec researchers wrote. \u201cThe ransomware payload itself is often the stage of the attack most likely to raise red flags and, by hiding it in a virtual machine, there is an expectation that it may not be discovered. Organizations should exercise increased vigilance in relation to the unauthorized installation of virtual machines on their networks.\u201d<\/p>\n<h2>Digital Transformation Increases Attack Surface<\/h2>\n<p>As organizations continue to digitize their businesses, they will continue to increasingly move their infrastructures to VMs and hybrid cloud environments to increase their flexibility and drive down costs, Karl Steinkamp, director of PCI product and quality assurance at cybersecurity services provider Coalfire, told <em>eSecurity Planet<\/em>. REvil upgrading its platform to target Linux ESXi hosts \u201cwould enable bad actors to go after Linux systems on multiple clouds in addition to targeting on-premise systems,\u201d Steinkamp said. \u201cIt\u2019s an unfortunate but expected outcome given the popularity of cloud offerings.\u201d<\/p>\n<p>Sean Nikkel, senior cyber threat intel analyst at cybersecurity company Digital Shadows, noted that ESXi has been the target of various ransomware groups, including RansomEXX, DarkSide and Babuk Locker, as well as the Maze group.<\/p>\n<p>\u201cAdversaries have been attacking virtual machines for years prior to these incidents,\u201d Nikkel told <em>eSecurity Planet<\/em>. \u201cIf nothing else, it&#8217;s a growth in capability for an already active and prolific group, with some interesting features. It&#8217;s realistically possible we&#8217;ll continue to see other groups mirror these developments or improve their own wares. 
A virtual machine typically has the same software running as a physical server, and if it&#8217;s vulnerable, there&#8217;s a good chance someone will exploit it.\u201d<\/p>\n<h2>VMware Pushes Back<\/h2>\n<p>He added that VMware released updates for the most recent vulnerabilities that were disclosed this spring, but that \u201cadversaries are likely taking advantage of organizations that may be slow to patch.\u201d<\/p>\n<p>Coalfire\u2019s Steinkamp also noted that REvil\u2019s ransomware efforts targeting VMs \u201cmay be somewhat blunted because the first command the malware runs is disabled by default on ESXi systems. Attackers will need to find another way into ESXi systems if this configuration hasn\u2019t been enabled on the systems. Additionally, access to run commands from the malware is dependent upon gaining administrator permissions.\u201d<\/p>\n<p>Enterprises that maintain strong configuration management and <a href=\"https:\/\/www.esecurityplanet.com\/products\/best-iam-software\/\">access control<\/a> will likely do better in these types of ransomware attacks, he said.<\/p>\n<p><strong>Further reading<\/strong>: <a href=\"https:\/\/www.esecurityplanet.com\/networks\/how-zero-trust-security-can-protect-against-ransomware\/\">How Zero Trust Security Can Protect Against Ransomware<\/a><\/p>\n<p>Dirk Schrader, global vice president for security research at Netwrix\u2019s New Net Technologies business, told <em>eSecurity Planet<\/em> that companies running ESXi environments should make sure to check their exposure, validate all accounts that have access to the environment and closely monitor for any changes that are happening.<\/p>\n<p>Shawn Smith, director of infrastructure at cybersecurity vendor nVisium, agreed, noting that companies also will want to keep good backups and have well-tested business continuity and disaster recovery plans in place in case such an attack happens and to keep up with the always-evolving cyberattack
methods.<\/p>\n<p>\u201cThis attack on the virtual machine infrastructure is a good reminder that new avenues of attack are being created every day, and if an attack doesn&#8217;t exist today, it&#8217;s still a real possibility tomorrow,\u201d Smith told <em>eSecurity Planet<\/em>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Virtual machines are becoming an increasingly popular avenue cybercriminals are taking to distribute their ransomware payloads onto compromised corporate networks. Bad actors have been exploiting VMs in recent years as a way of running under the radar, making it more difficult to detect their malware while it encrypts the data they intend to hold for [&hellip;]<\/p>\n","protected":false},"author":256,"featured_media":18763,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_gazelle_contributing_experts":"","footnotes":""},"categories":[15],"tags":[2478],"b2b_audience":[33],"b2b_industry":[],"b2b_product":[31790],"class_list":["post-18762","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-threats","tag-ransomware","b2b_audience-awareness-and-consideration","b2b_product-ransomware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Ransomware Groups are Targeting VMs<\/title>\n<meta name=\"description\" content=\"Ransomware groups are getting more aggressive and concealing their attacks better. 
Virtual machines have become a favorite attack vector.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Ransomware Groups are Targeting VMs\" \/>\n<meta property=\"og:description\" content=\"Ransomware groups are getting more aggressive and concealing their attacks better. Virtual machines have become a favorite attack vector.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/\" \/>\n<meta property=\"og:site_name\" content=\"eSecurity Planet\" \/>\n<meta property=\"article:published_time\" content=\"2021-06-30T17:11:47+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-09-07T23:48:15+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/06\/Virtualization-04-1088x725-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1088\" \/>\n\t<meta property=\"og:image:height\" content=\"725\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Jeff Burt\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:site\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jeff Burt\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/\"},\"author\":{\"name\":\"Jeff Burt\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/62368dee45ce8f1ffc35abf9f8cc854e\"},\"headline\":\"Ransomware Groups are Targeting VMs\",\"datePublished\":\"2021-06-30T17:11:47+00:00\",\"dateModified\":\"2021-09-07T23:48:15+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/\"},\"wordCount\":1134,\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/06\/Virtualization-04-1088x725-1.jpg\",\"keywords\":[\"ransomware\"],\"articleSection\":[\"Threats\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/\",\"url\":\"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/\",\"name\":\"Ransomware Groups are Targeting 
VMs\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/06\/Virtualization-04-1088x725-1.jpg\",\"datePublished\":\"2021-06-30T17:11:47+00:00\",\"dateModified\":\"2021-09-07T23:48:15+00:00\",\"description\":\"Ransomware groups are getting more aggressive and concealing their attacks better. Virtual machines have become a favorite attack vector.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/#primaryimage\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/06\/Virtualization-04-1088x725-1.jpg\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/06\/Virtualization-04-1088x725-1.jpg\",\"width\":1088,\"height\":725,\"caption\":\"VM security\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.esecurityplanet.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Ransomware Groups are Targeting VMs\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"name\":\"eSecurity 
Planet\",\"description\":\"Industry-leading guidance and analysis for how to keep your business secure.\",\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.esecurityplanet.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\",\"name\":\"eSecurityPlanet\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"width\":1134,\"height\":375,\"caption\":\"eSecurityPlanet\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/eSecurityPlanet\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/62368dee45ce8f1ffc35abf9f8cc854e\",\"name\":\"Jeff Burt\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/07\/Jeff-Burt-photo-150x150.jpg\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/07\/Jeff-Burt-photo-150x150.jpg\",\"caption\":\"Jeff Burt\"},\"description\":\"Jeffrey Burt has been a journalist for more than three decades, the last 20-plus years covering technology. During more than 16 years with eWEEK, he covered everything from data center infrastructure and collaboration technology to AI, cloud, quantum computing and cybersecurity. 
A freelance journalist since 2017, his articles have appeared on such sites as eWEEK, eSecurity Planet, Enterprise Networking Planet, Enterprise Storage Forum, The Next Platform, ITPro Today, Channel Futures, Channelnomics, SecurityNow, and Data Breach Today.\",\"url\":\"https:\/\/www.esecurityplanet.com\/author\/jburt\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Ransomware Groups are Targeting VMs","description":"Ransomware groups are getting more aggressive and concealing their attacks better. Virtual machines have become a favorite attack vector.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/","og_locale":"en_US","og_type":"article","og_title":"Ransomware Groups are Targeting VMs","og_description":"Ransomware groups are getting more aggressive and concealing their attacks better. Virtual machines have become a favorite attack vector.","og_url":"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/","og_site_name":"eSecurity Planet","article_published_time":"2021-06-30T17:11:47+00:00","article_modified_time":"2021-09-07T23:48:15+00:00","og_image":[{"width":1088,"height":725,"url":"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/06\/Virtualization-04-1088x725-1.jpg","type":"image\/jpeg"}],"author":"Jeff Burt","twitter_card":"summary_large_image","twitter_creator":"@eSecurityPlanet","twitter_site":"@eSecurityPlanet","twitter_misc":{"Written by":"Jeff Burt","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/#article","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/"},"author":{"name":"Jeff Burt","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/62368dee45ce8f1ffc35abf9f8cc854e"},"headline":"Ransomware Groups are Targeting VMs","datePublished":"2021-06-30T17:11:47+00:00","dateModified":"2021-09-07T23:48:15+00:00","mainEntityOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/"},"wordCount":1134,"publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/06\/Virtualization-04-1088x725-1.jpg","keywords":["ransomware"],"articleSection":["Threats"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/","url":"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/","name":"Ransomware Groups are Targeting VMs","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/#primaryimage"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/06\/Virtualization-04-1088x725-1.jpg","datePublished":"2021-06-30T17:11:47+00:00","dateModified":"2021-09-07T23:48:15+00:00","description":"Ransomware groups are getting more aggressive and concealing their attacks better. 
Virtual machines have become a favorite attack vector.","breadcrumb":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/#primaryimage","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/06\/Virtualization-04-1088x725-1.jpg","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/06\/Virtualization-04-1088x725-1.jpg","width":1088,"height":725,"caption":"VM security"},{"@type":"BreadcrumbList","@id":"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-target-virtual-machines-vms\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.esecurityplanet.com\/"},{"@type":"ListItem","position":2,"name":"Ransomware Groups are Targeting VMs"}]},{"@type":"WebSite","@id":"https:\/\/www.esecurityplanet.com\/#website","url":"https:\/\/www.esecurityplanet.com\/","name":"eSecurity Planet","description":"Industry-leading guidance and analysis for how to keep your business secure.","publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.esecurityplanet.com\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.esecurityplanet.com\/#organization","name":"eSecurityPlanet","url":"https:\/\/www.esecurityplanet.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","width":1134,"height":375,"caption":"eSecurityPlanet"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/eSecurityPlanet"]},{"@type":"Person","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/62368dee45ce8f1ffc35abf9f8cc854e","name":"Jeff Burt","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/07\/Jeff-Burt-photo-150x150.jpg","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/07\/Jeff-Burt-photo-150x150.jpg","caption":"Jeff Burt"},"description":"Jeffrey Burt has been a journalist for more than three decades, the last 20-plus years covering technology. During more than 16 years with eWEEK, he covered everything from data center infrastructure and collaboration technology to AI, cloud, quantum computing and cybersecurity. 
A freelance journalist since 2017, his articles have appeared on such sites as eWEEK, eSecurity Planet, Enterprise Networking Planet, Enterprise Storage Forum, The Next Platform, ITPro Today, Channel Futures, Channelnomics, SecurityNow, and Data Breach Today.","url":"https:\/\/www.esecurityplanet.com\/author\/jburt\/"}]}},"_links":{"self":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/18762"}],"collection":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/users\/256"}],"replies":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/comments?post=18762"}],"version-history":[{"count":0,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/18762\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/media\/18763"}],"wp:attachment":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/media?parent=18762"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/categories?post=18762"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/tags?post=18762"},{"taxonomy":"b2b_audience","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_audience?post=18762"},{"taxonomy":"b2b_industry","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_industry?post=18762"},{"taxonomy":"b2b_product","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_product?post=18762"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}