This interesting method to bypass security controls is yet another example of why detecting threats before they can progress to the point of ransomware is crucial. Security analysts and threat hunters should be on the lookout for VirtualBox running on computers of end-users who are not expected to use virtual machines as part of their work and also detect VboxHeadless.exe modifying a large number of document and spreadsheet files on the host machine’s file system. As RagnarLocker primarily uses RDP brute-forcing and exploits to access networks, securing services open to the internet (like RDP/SMB/etc.) is an important step to securing the environment. Additionally, ensuring that 24/7 endpoint and network monitoring are in place will help to detect threats such as RagnarLocker during their reconnaissance stage before they can drop ransomware.

Ragnar Locker ransomware deploys virtual machine to dodge security