Recently, RagnarLocker has been found using Microsoft Installation (MSI) files to stealthily package a VirtualBox installer and malicious disk image. VirtualBox is a free program made available by Oracle that allows computer users to run a virtual machine with a completely separate operating system in software, using files to virtually represent physical disks. Contained on the malicious disk image is a 49KB RagnarLocker binary. By running the installer to launch VirtualBox and loading the malicious disk image, RagnarLocker can stealthily execute the program inside the VM environment and then spread to the host by enumerating all available drives and mounting them as a shared folder. Using this technique, RagnarLocker can bypass many anti-virus security controls, as files are encrypted by the non-malicious process, VboxHeadless.exe.
12 Essentials for a Successful SOC Partnership
As cyber threats continue to impact businesses of all sizes, the need for round-the-clock security