Recently, RagnarLocker has been found using Microsoft Installer (MSI) files to stealthily package a VirtualBox installer together with a malicious disk image. VirtualBox is a free program made available by Oracle that lets users run a virtual machine with a completely separate operating system in software, using files to represent physical disks. Contained on the malicious disk image is a 49KB RagnarLocker binary. By running the installer to launch VirtualBox and loading the malicious disk image, RagnarLocker executes inside the VM environment and then reaches the host's files by enumerating all available drives and mounting them into the VM as shared folders. With this technique, RagnarLocker can bypass many anti-virus controls, because from the host's point of view the files are being encrypted by the legitimate VirtualBox process, VBoxHeadless.exe, rather than by the ransomware binary itself.
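As a defender-side illustration added here (not code from the original write-up), the following Python runs over constructed process-creation events and flags the sequence the paragraph describes: VirtualBox shared folders pointed at whole drive roots, followed by a headless VM start. It assumes the drives are exposed with the VBoxManage `sharedfolder add --hostpath` command line, and the Sysmon-style field layout of the sample events is invented for the example.

```python
import re
from typing import Dict, List

# Constructed process-creation events (simplified Sysmon-style fields) written
# for this example; they are not taken from a real incident.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\bob\Downloads\setup.msi /qn"},
    {"image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     "cmdline": r'VBoxManage.exe sharedfolder add vm1 --name C_DRIVE --hostpath "C:\" --automount'},
    {"image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     "cmdline": r'VBoxManage.exe sharedfolder add vm1 --name D_DRIVE --hostpath "D:\" --automount'},
    {"image": r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
     "cmdline": r"VBoxHeadless.exe --startvm vm1"},
    {"image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     "cmdline": r'VBoxManage.exe sharedfolder add devbox --name src --hostpath "C:\Users\bob\src"'},
]

# "sharedfolder add <vm> ... --hostpath <path>" exposes a host directory to a
# guest; the --hostpath value may be quoted or bare (assumed syntax).
SHARE_RE = re.compile(r'sharedfolder\s+add\s+(?P<vm>\S+).*?--hostpath\s+"?(?P<path>[^"\s]+)"?', re.I)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")


def is_drive_root(path: str) -> bool:
    """True for a whole-volume path such as C:\\ (the pattern the paragraph describes)."""
    return DRIVE_ROOT_RE.match(path.strip()) is not None


def analyze(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Score an ordered sequence of process events for the VM-based encryption pattern.

    Rule 1: a VirtualBox shared folder whose host path is an entire drive root.
    Rule 2: a headless VM start after one or more drive-root shares, which is the
            point at which VBoxHeadless.exe would begin writing host files.
    A headless VM with no whole-drive share attached is deliberately not flagged,
    so ordinary developer VMs do not trip the rule.
    """
    root_shares: List[str] = []
    findings: List[str] = []
    for ev in events:
        image = ev["image"].lower()
        m = SHARE_RE.search(ev["cmdline"])
        if image.endswith("vboxmanage.exe") and m and is_drive_root(m.group("path")):
            root_shares.append(m.group("path"))
            findings.append(f"drive root {m.group('path')} shared into VM {m.group('vm')}")
        elif image.endswith("vboxheadless.exe") and root_shares:
            findings.append(f"headless VM started with {len(root_shares)} whole-drive share(s) attached")
    severity = "high" if any(f.startswith("headless") for f in findings) else ("medium" if findings else "none")
    return {"severity": severity, "findings": findings}
```

Feeding real Sysmon Event ID 1 records into `analyze` only requires mapping the `Image` and `CommandLine` fields onto the two keys used above.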
Binary Defense was contacted by an individual who was recently scammed out of $4,000 through