Cybercriminals are increasingly using virtual machines (VMs) to deploy ransomware on compromised networks. Running the VM as part of the attack gives the ransomware groups extra "stealth": executing the payload inside a virtual environment reduces the chance that the activity is noticed before it is too late and the ransomware has encrypted the files on the target device.
During a recent investigation of an attempted ransomware attack, Symantec's security researchers found that the ransomware operators used VirtualBox, a legitimate open-source virtualization product, to run instances of Windows 7 in order to make it easier to install the ransomware.
As Symantec pointed out, the ransomware payload was "hidden" inside the VM while it encrypted files on the device.
Although a virtual machine runs separately from the machine hosting it, it can reach the host's files and directories through shared folders, and the cybercriminals exploited this so that the payload running inside the virtual machine could encrypt files on the host computer.
The researchers could not fully identify the ransomware that was found running on the virtual machine, but the way the malware behaved strongly indicated that the Conti gang was behind it. Conti is a notorious ransomware family used by cybercriminals in many high-profile malicious campaigns, including the ransomware attack that struck Ireland's national health service, the HSE.
This was not the only activity identified, however. The investigators found evidence that a malicious actor had tried to execute Mount Locker on the server. They speculate that the attacker tried to run Conti through the virtual machine and, when that did not work, turned to Mount Locker instead.
This is not the first time ransomware groups have been observed using virtual machines to deploy ransomware, but the researchers warn that the technique can make attacks much harder to detect.
Although cybercriminals could target devices that already have a virtual machine environment installed, in this case they appear to have downloaded the tools needed to run one themselves. Dick O'Brien, director of the Symantec Threat Hunter Team, pointed out that one way to deal with this is to monitor and control which software is installed on machines, so that legitimate but potentially abusable tools cannot be downloaded without approval.
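As an added illustration of that monitoring advice (example code written for this article, not Symantec's or VirtualBox's own tooling), the script below runs two allowlist checks over constructed process-creation records: it flags hypervisor binaries on hosts that are not approved to run one, and it flags `VBoxManage sharedfolder add` commands whose `--hostpath` exposes a whole drive or user profile to the guest, which is the shared-folder path the article describes. The event shape, hostnames, users and the approved-host list are all assumed.

```python
import re

# Constructed sample records in the shape an EDR or Sysmon process-creation export
# might produce (image path plus command line). These are not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-042", "user": "ACME\\jdoe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"host": "ws-042", "user": "ACME\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\VirtualBox-6.1.22-Win.exe",
     "cmdline": "VirtualBox-6.1.22-Win.exe --silent"},
    {"host": "ws-042", "user": "ACME\\jdoe",
     "image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     "cmdline": r'VBoxManage.exe sharedfolder add "win7" --name hostroot --hostpath "C:\" --automount'},
    {"host": "ws-042", "user": "ACME\\jdoe",
     "image": r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
     "cmdline": 'VBoxHeadless.exe --startvm "win7"'},
    {"host": "dev-07", "user": "ACME\\build",
     "image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     "cmdline": r'VBoxManage.exe sharedfolder add "ci" --name src --hostpath "C:\builds\src"'},
]

# Assumed allowlist of hosts where a hypervisor is sanctioned (in practice: asset inventory).
APPROVED_VM_HOSTS = {"dev-07"}

# VirtualBox installer and runtime binaries (file name only, matched at the end of the path).
HYPERVISOR_IMAGES = re.compile(r"(VirtualBox[^\\]*\.exe|VBoxManage\.exe|VBoxHeadless\.exe)$", re.I)
# A shared folder rooted at a drive or a user profile gives the guest far more than it needs.
BROAD_HOST_PATHS = re.compile(r"^[A-Za-z]:\\?$|^[A-Za-z]:\\Users\\?[^\\]*\\?$", re.I)


def shared_folder_hostpath(cmdline):
    """Return the --hostpath argument of a 'VBoxManage sharedfolder add' command, else None."""
    if "sharedfolder" not in cmdline or " add " not in cmdline:
        return None
    match = re.search(r'--hostpath\s+"?([^"\s]+)"?', cmdline)
    return match.group(1) if match else None


def triage(events, approved_hosts=APPROVED_VM_HOSTS):
    """Return (host, rule, detail) findings for unapproved hypervisors and over-broad shares."""
    findings = []
    for ev in events:
        if not HYPERVISOR_IMAGES.search(ev["image"]):
            continue  # not a hypervisor binary; nothing to check
        if ev["host"] not in approved_hosts:
            findings.append((ev["host"], "unapproved-hypervisor", ev["image"].rsplit("\\", 1)[-1]))
        path = shared_folder_hostpath(ev["cmdline"])
        if path and BROAD_HOST_PATHS.match(path):
            findings.append((ev["host"], "broad-shared-folder", path))
    return findings


if __name__ == "__main__":
    for host, rule, detail in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {detail}")
```

On the sample data, the workstation produces three unapproved-hypervisor findings plus one broad-shared-folder finding for the `C:\` share, while the approved build host with a narrow share produces none.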
Source of information: zdnet.com