Ransomware groups use virtual machines to "cover up" their attacks

Cybercriminals are increasingly using virtual machines (VMs) to deploy ransomware inside compromised networks. By running the payload inside a VM, ransomware groups can operate with extra "subtlety": execution in a virtual environment lowers the chance that the activity is noticed until it is too late and the ransomware has already encrypted the files on the target device.

While investigating a recent attempted ransomware attack, security researchers at Symantec found that the ransomware operators used VirtualBox, a legitimate open-source virtualization package, to run a Windows 7 instance in order to make deploying the ransomware easier.

As Symantec pointed out, the ransomware payload was "hidden" inside a VM while it encrypted files on the device.

Although a virtual machine runs separately from the machine that hosts it, it can reach the host's files and directories through shared folders. Attackers can abuse this: a payload running inside the VM encrypts the host's files through the share, while the process doing the encryption never appears on the host itself.
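The shared-folder exposure described above is something a defender can audit directly, because VirtualBox records each machine's shares in its .vbox definition file. The following script is an added example (not Symantec's code, and not taken from the incident): it parses the SharedFolder elements of a .vbox file and flags writable shares that give the guest access to a whole drive or to a sensitive host directory. The sample machine definition, the share names and the list of sensitive directories are constructed for the example; the SharedFolder element and attribute names follow VirtualBox's .vbox layout, and the VBoxManage command in the comment is the CLI equivalent of creating such a share.

```python
"""Audit VirtualBox machine definitions (.vbox) for shared folders that give a
guest write access to sensitive host directories. Added example; not Symantec's code."""
import re
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample .vbox (not from the incident): a Windows 7 guest with
# three shared folders. The attacker-style share is "users": the whole host
# profile tree, mounted read/write, so ransomware inside the guest can
# encrypt it. The same share could be created from the host with:
#   VBoxManage sharedfolder add win7 --name users --hostpath C:\Users --automount
SAMPLE_VBOX = """<VirtualBox xmlns="http://www.virtualbox.org/" version="1.16-windows">
  <Machine name="win7" OSType="Windows7_64">
    <SharedFolders>
      <SharedFolder name="users" hostPath="C:\\Users" writable="true" autoMount="true"/>
      <SharedFolder name="iso" hostPath="C:\\Tools\\iso" writable="false" autoMount="true"/>
      <SharedFolder name="scratch" hostPath="C:\\Tools\\share" writable="true" autoMount="true"/>
    </SharedFolders>
  </Machine>
</VirtualBox>
"""

# Host directories a guest should never be able to write to (assumed policy;
# adapt to the environment being audited).
SENSITIVE_ROOTS = ["C:\\Users", "/home", "/root"]


def _as_path(raw):
    """Pick the path flavour from the string's own syntax (drive letter or
    backslash means Windows). PureWindowsPath compares case-insensitively."""
    if re.match(r"^[A-Za-z]:", raw) or "\\" in raw:
        return PureWindowsPath(raw)
    return PurePosixPath(raw)


def parse_shared_folders(xml_text):
    """Return [{name, host_path, writable}] for every SharedFolder element.
    The {*} wildcard ignores the VirtualBox XML namespace (Python 3.8+)."""
    root = ET.fromstring(xml_text)
    folders = []
    for sf in root.iterfind(".//{*}SharedFolder"):
        # A missing 'writable' attribute is treated as writable: the audit
        # errs on the side of flagging rather than guessing a default.
        writable = sf.get("writable", "true").lower() == "true"
        folders.append({"name": sf.get("name"),
                        "host_path": sf.get("hostPath"),
                        "writable": writable})
    return folders


def risky_shared_folders(folders, sensitive_roots=SENSITIVE_ROOTS):
    """Writable shares that expose a whole drive/filesystem root, or a
    sensitive directory (or any subdirectory of one), to the guest."""
    roots = [_as_path(r) for r in sensitive_roots]
    flagged = []
    for f in folders:
        if not f["writable"]:
            continue  # read-only shares cannot be used to encrypt host files
        p = _as_path(f["host_path"])
        whole_drive = p.parent == p            # e.g. C:\ or /
        under_sensitive = any(p == r or r in p.parents for r in roots)
        if whole_drive or under_sensitive:
            flagged.append(f)
    return flagged


if __name__ == "__main__":
    for f in risky_shared_folders(parse_shared_folders(SAMPLE_VBOX)):
        print(f"guest can write host path {f['host_path']} via share '{f['name']}'")
```

Run against real files, the script would be pointed at each .vbox under the VirtualBox machines directory of every user on the host; a writable share of a profile tree or a whole drive on a machine nobody sanctioned is exactly the setup the Symantec investigation describes.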

While the researchers could not fully identify the ransomware found running inside the virtual machine, the way the malware behaved strongly suggested that the Conti gang was behind it. Conti is a notorious ransomware family used in many high-profile campaigns, including the attack that struck Ireland's national health service, the HSE.

However, this was not the only activity identified. Investigators also found evidence that the attacker tried to execute Mount Locker on the server. They speculate that the attacker first tried to run Conti through the virtual machine and, when that did not work, turned to Mount Locker.

This is not the first time ransomware groups have been observed using virtual machines to deploy ransomware, but researchers warn that the technique can make attacks much harder to detect.

While cybercriminals could target devices that already have virtualization software installed, in this case they appear to have downloaded the tools needed to run it themselves. Dick O'Brien, director of the Symantec Threat Hunter Team, pointed out that one way to deal with this is to monitor and control which software is installed on machines, so that legitimate but potentially abusable tools cannot be downloaded without approval.
