Recently, RagnarLocker has been found using Microsoft Installer (MSI) files to stealthily package a VirtualBox installer together with a malicious disk image. VirtualBox is a free hypervisor from Oracle that runs a virtual machine with a completely separate guest operating system, using disk image files to stand in for physical disks. The malicious disk image contains a 49KB RagnarLocker binary. The installer launches VirtualBox and boots the malicious image, so the ransomware runs inside the VM; it then reaches the host by enumerating all available drives and mounting them into the guest as shared folders. This technique lets RagnarLocker bypass many anti-virus controls, because from the host's point of view the files are being encrypted by a non-malicious VirtualBox process, VboxHeadless.exe.
This method of bypassing security controls is yet another example of why detecting threats before they progress to ransomware is crucial. Security analysts and threat hunters should look for VirtualBox running on the computers of end users who are not expected to use virtual machines as part of their work, and for VboxHeadless.exe modifying a large number of document and spreadsheet files on the host's file system. As RagnarLocker primarily gains access through RDP brute-forcing and exploits, securing services exposed to the internet (such as RDP and SMB) is an important step in hardening the environment. Additionally, 24/7 endpoint and network monitoring will help detect threats such as RagnarLocker during their reconnaissance stage, before they can drop ransomware.
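The two hunting heuristics above (VirtualBox on hosts that should not run VMs, and VboxHeadless.exe touching many documents in a short time) can be expressed as simple rules over endpoint file-activity telemetry. The following is an added example, not code from the original post: the event format, the allowlist of hosts expected to run VirtualBox, the thresholds, and the telemetry itself are all constructed for illustration and would need to be mapped onto whatever EDR or Sysmon data is actually available.

```python
"""Hunting rules for the RagnarLocker VirtualBox technique (added example).

Events are plain dicts with keys host, user, process, action, path,
timestamp. This schema is an assumption for the example; real telemetry
(Sysmon Event ID 11, EDR file-write events) would be normalised into it.
"""
import os
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# File types a ransomware run is expected to rewrite in bulk.
DOC_EXTENSIONS = {".docx", ".doc", ".xlsx", ".xls", ".pptx", ".pdf", ".txt", ".csv"}
# Process names belonging to the VirtualBox install (compared case-insensitively).
VBOX_PROCESSES = {"vboxheadless.exe", "virtualbox.exe", "vboxsvc.exe", "vboxmanage.exe"}
# Constructed allowlist: hosts where VirtualBox is part of someone's job.
EXPECTED_VBOX_HOSTS = {"dev-ws-01", "lab-ws-07"}


def find_unexpected_virtualbox(events, expected_hosts=EXPECTED_VBOX_HOSTS):
    """Return sorted (host, process) pairs where any VirtualBox process ran on a host
    that is not expected to use virtual machines."""
    hits = set()
    for e in events:
        if e["process"].lower() in VBOX_PROCESSES and e["host"] not in expected_hosts:
            hits.add((e["host"], e["process"]))
    return sorted(hits)


def find_mass_document_modification(events, threshold=20, window=timedelta(minutes=5),
                                    watched=("vboxheadless.exe",)):
    """Return {(host, process): peak} for watched processes that wrote to at least
    `threshold` distinct document files inside any `window`-long sliding interval."""
    by_key = defaultdict(list)
    for e in events:
        if e["process"].lower() not in watched or e["action"] not in ("write", "rename"):
            continue
        if os.path.splitext(e["path"])[1].lower() not in DOC_EXTENSIONS:
            continue
        by_key[(e["host"], e["process"])].append((e["timestamp"], e["path"]))

    alerts = {}
    for key, writes in by_key.items():
        writes.sort()                    # chronological order
        in_window = Counter()            # distinct paths currently inside the window
        left = 0
        peak = 0
        for ts, path in writes:
            in_window[path] += 1
            # Slide the left edge forward until every event is within `window` of `ts`.
            while ts - writes[left][0] > window:
                old_path = writes[left][1]
                in_window[old_path] -= 1
                if in_window[old_path] == 0:
                    del in_window[old_path]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[key] = peak
    return alerts


def build_sample_events():
    """Constructed telemetry: one benign save, expected VM use on a dev box, and a
    VirtualBox process on a finance workstation rewriting many documents."""
    base = datetime(2020, 5, 20, 9, 0, 0)
    events = [
        {"host": "fin-ws-12", "user": "alice", "process": "EXCEL.EXE", "action": "write",
         "path": r"C:\Users\alice\Documents\budget.xlsx", "timestamp": base},
        {"host": "dev-ws-01", "user": "bob", "process": "VirtualBox.exe", "action": "start",
         "path": "", "timestamp": base},
    ]
    for i in range(3):  # a developer's VM writing a handful of files: below threshold
        events.append({"host": "dev-ws-01", "user": "bob", "process": "VboxHeadless.exe",
                       "action": "write", "path": rf"C:\Users\bob\vmshare\notes{i}.txt",
                       "timestamp": base + timedelta(seconds=i)})
    for i in range(30):  # suspicious: 30 documents rewritten in two minutes
        ext = ".docx" if i % 2 == 0 else ".xlsx"
        events.append({"host": "fin-ws-12", "user": "alice", "process": "VboxHeadless.exe",
                       "action": "write", "path": rf"\\fileserver\finance\report_{i}{ext}",
                       "timestamp": base + timedelta(seconds=4 * i)})
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    print("VirtualBox on unexpected hosts:", find_unexpected_virtualbox(sample))
    print("Mass document modification:", find_mass_document_modification(sample))
```

The threshold and window are tuning knobs: a developer's VM legitimately writing a few files into a shared folder stays below the bar, while a headless VM rewriting dozens of Office documents on a finance workstation within minutes trips both rules at once, which is a strong signal to isolate the host.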