RagnarLocker Ransomware: Deploys Oracle VirtualBox VM to hide itself from antivirus software

The RagnarLocker group is already known for carefully selecting targets, avoiding private users, and instead targets corporate networks, managed service providers, and government organizations.

In past attacks, the operators have used various attack vectors, such as exploiting an insecure RDP configuration, using email spam with malicious attachments, botnets, deceptive downloads, exploits, malicious ads, web injects, fake updates, repackaged and infected installers. Now, for the first time, the gang has been observed abusing virtual machines during an attack.

The operators of the RagnarLocker ransomware are installing the VirtualBox app and running virtual machines on computers they infect in order to run their ransomware in a "safe" environment, outside the reach of local antivirus software.

What Happened?

The operators of the RagnarLocker ransomware were spotted running Oracle VirtualBox to avoid detection and hide their presence while attacking a victim inside a Windows XP virtual machine.

The ransomware downloads and installs Oracle VirtualBox then configures it to give full access to all local and shared drives, allowing the virtual machine to interact with files stored outside its own storage.

The VirtualBox app will replace files on the local system and shared drives with their encrypted versions. These file modifications can’t be detected as the ransomware's malicious process by an antivirus software.

The group has targeted victims in the past by abusing internet-exposed RDP endpoints and has compromised MSP (managed service provider) tools to breach companies and gain access to their internal networks.

On these networks, the RagnarLocker group deploys a version of their ransomware -- customized per each victim -- and then demands an astronomical decryption fee in the tune of tens and hundreds of thousands of US dollars.

Because each of these carefully planned intrusions represent a chance to earn large amounts of money, the RagnarLocker group has put a primer on stealth and has recently come up with a novel trick to avoid detection by antivirus software.

The Virtual Machine Trick:

Instead of running the ransomware directly on the computer they want to encrypt, the RagnarLocker gang downloads and installs Oracle VirtualBox, a type of software that lets you run virtual machines.

The group then configures the virtual machine to give it full access to all local and shared drives, allowing the virtual machine to interact with files stored outside its own storage.

The next step is to boot up the virtual machine, running a stripped-down version of the Windows XP SP3 operating system, called MicroXP v0.82.

The final phase is to load the ransomware inside the virtual machine (VM) and run it. Because the ransomware runs inside the VM, the antivirus software won't be able to detect the ransomware's malicious process.

From the antivirus software's point of view, files on the local system and shared drives will suddenly be replaced with their encrypted versions, and all the file modifications appear to come from a legitimate process -- namely the VirtualBox app.

According to Mark Loman, director of engineering and threat mitigation at Sophos, this is the first time a ransomware gang abuse virtual machines during an attack.


The following best practices are recommended to be followed:

  • Scan the computer using legitimate anti-spyware or antivirus software to eliminate possible infections. 
  • Users should maintain regular up-to-date backups. Keep it on a separate device and store it offline.
  • Follow safe practices when browsing the Internet.
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email to prevent email spoofing.