Sophos, the UK-based cybersecurity firm, has revealed new details of the Ragnar Locker ransomware attack, which runs a virtual machine on target computers in order to infect them with the ransomware, as this may place the attack beyond the reach of the computer’s local antivirus software.
It has been reported that the Ragnar Locker attack is quite selective when choosing its victims, as its targets tend to be companies rather than individual users.
However, Ragnar Locker asks victims for large amounts of money to decrypt their files. It also threatens to release sensitive data if users do not pay the ransom.
As per the report, Sophos gave the example of the attack on the network of Energias de Portugal, in which the attackers stole ten terabytes of sensitive data and demanded payment of 1,850 Bitcoin (BTC) in order not to leak it. 1,850 BTC is worth around $11 million as of press time.
The ransomware operators’ modus operandi is to take advantage of vulnerabilities in the Windows remote desktop app, through which they obtain administrator-level access to the computer.
With the necessary permissions granted, the attackers configure the virtual machine so that it can interact with the computer’s files, then boot it up by running a stripped-down version of Windows XP called “Micro XP v0.82.”
Brett Callow, a threat analyst at malware lab Emsisoft, said:
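Because the encryption runs inside the guest, host-side detection has to key on how the virtual machine gets there rather than on the encryption itself. The following is an added example, not code from the article or from Sophos: it scans constructed logon and process-creation records for a hypervisor executable started from a user-writable folder, and raises the severity when a remote-desktop logon by the same user on the same host preceded it. The hypervisor binary names, the log format and the sample events are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Hypervisor binaries to watch (assumed set; the article names no hypervisor).
HYPERVISOR_EXES = {"vboxheadless.exe", "virtualboxvm.exe", "vmware-vmx.exe"}
# Where a legitimately installed hypervisor normally lives.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

LINE_RE = re.compile(r"(\S+)\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events (not from the article). FS01 shows the chain the
# article describes: remote logon, then a hypervisor started from a temp folder.
# WS07 is a normally installed hypervisor; WS09 has no preceding remote logon.
SAMPLE_LOG = r"""
2020-05-21T09:30:00Z host=WS07 user=jsmith event=logon logon_type=interactive
2020-05-21T09:31:00Z host=WS07 user=jsmith event=process_create image="C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe" cmdline="VBoxHeadless.exe --startvm devbox"
2020-05-21T10:00:05Z host=FS01 user=admin event=logon logon_type=remote_interactive
2020-05-21T10:02:40Z host=FS01 user=admin event=process_create image="C:\Users\admin\AppData\Local\Temp\vbox\VBoxHeadless.exe" cmdline="VBoxHeadless.exe --startvm microxp"
2020-05-21T11:00:00Z host=WS09 user=svc event=process_create image="C:\Windows\Temp\vm\VBoxHeadless.exe" cmdline="VBoxHeadless.exe --startvm box"
"""

def parse_line(line):
    """Turn one 'timestamp key=value ...' record into a dict with a datetime ts."""
    ts, rest = LINE_RE.match(line).groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def detect(log_text, window=timedelta(minutes=30)):
    """Alert on a hypervisor launched from outside the trusted install dirs;
    severity is 'high' if a remote logon by the same user preceded it."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    last_remote_logon = {}  # (host, user) -> time of last remote logon
    alerts = []
    for e in events:
        key = (e["host"], e["user"])
        if e["event"] == "logon" and e.get("logon_type") == "remote_interactive":
            last_remote_logon[key] = e["ts"]
        elif e["event"] == "process_create":
            image = e["image"].lower()
            exe = image.rsplit("\\", 1)[-1]
            if exe not in HYPERVISOR_EXES or image.startswith(TRUSTED_DIRS):
                continue  # not a hypervisor, or installed where expected
            logon = last_remote_logon.get(key)
            after_remote = logon is not None and e["ts"] - logon <= window
            alerts.append({"host": e["host"], "user": e["user"], "image": e["image"],
                           "severity": "high" if after_remote else "medium"})
    return alerts
```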
“The operators have recently been observed to launch the ransomware from within a virtual machine to avoid detection by security products. Like other ransomware groups, Ragnar Locker steals data and uses the threat of its release as additional leverage to extort payment. Should the company not pay, the stolen data is published on the group’s Tor site.”
Callow also notes that the tactics deployed by ransomware groups are becoming ever more “insidious and extreme,” pointing out that the gang behind Ragnar Locker now threatens to sell the data to the victim’s competitors or use it to attack their customers and business partners.
Callow added:
“Companies in this situation have no good options available to them. Even if the ransom is paid, they simply have a pinky-promise made by a bad faith actor that the stolen data will be deleted and not misused.”