VMs Help Ransomware Attackers Evade Detection, But It's Uncommon

Published: 23/11/2024   Category: security




Some ransomware attackers use virtual machines to bypass security detection, but adoption is slow for the complicated technique.



Security researchers have discovered another ransomware group using virtual machines (VMs) to slip past defensive tools on target devices. While effective in hiding ransomware activity, this tactic is more complex than a traditional ransomware attack and may hamper the attackers' efforts.
The trend emerged last year, when Sophos researchers found Ragnar Locker ransomware was being deployed as a full VM on each targeted device to hide the ransomware from view. A few months later, the Maze ransomware group was spotted using the same technique, albeit with some differences. Ragnar Locker was deployed inside an Oracle VirtualBox Windows XP VM, for example, while the Maze-delivered VM was running Windows 7.
Now Symantec researchers have found another group using VMs to run ransomware payloads on compromised machines. In this case, the attackers had installed a VirtualBox VM on some infected computers, and the VM they used appeared to be running Windows 7, they report.
While the payload running in the VM was not identified, there are reasonably strong indicators that it's Conti: a username and password combination used in the attack had been previously linked to older Conti activity in April. However, on the same computer on which the VM was deployed, Symantec also saw Mount Locker ransomware being deployed.
This was strange, they say, as the purpose of running a payload in a VM is to evade detection. It didn't make sense to also deploy it on the host machine. Researchers hypothesize the attacker could be an affiliate with access to both Conti and Mount Locker. They may have tried to run a payload in a VM, and when that didn't work, they chose to run Mount Locker on the host.
The primary goal with this tactic is to evade detection by hiding the attack in a VM so the encryption process flies under the radar. Attackers map file shares on the network from inside the VM and encrypt them, rather than running the ransomware natively on the machine.
While more subtle, this technique is more difficult for the attackers to pull off, notes Dick O'Brien, principal editor for the Symantec Threat Hunter team.
"It's adding another degree of complexity," he says of the use of VMs. "You have to set up the virtual machine so that it has permissions to encrypt files, or access files, on the host computer."
In this case, the Symantec team suspects the attackers didn't get it exactly right.
Stealth, But Complicated
When Sophos first detected Ragnar Locker using VMs, the researchers expected it to be a growing trend. A virtual machine is legitimate software, so it shouldn't raise any red flags on traditional antivirus tools and would let attackers operate unnoticed. But months went by before they spotted Maze using the technique in September 2020.
"The challenges are immense on the criminal side," says Chet Wisniewski, principal research scientist at Sophos, of why he thinks the use of VMs in ransomware attacks is still uncommon. "It's a complicated – and slow – way to launch a ransomware attack."
"A virtual machine is a big file – it's something that can be noticed and detected, and it would likely be blocked by existing security mechanisms," he notes. "It's not something a business would expect to have downloaded through its firewalls or for IT to permit in its environment."
Further, he adds, most servers attackers are targeting are already virtualized. This means they're running a VM inside a VM, which isn't the most reliable strategy when locking up someone's files. Big-game groups after multimillion-dollar ransoms have a pattern, he says. They break in, stay silent, find the sensitive data they plan to encrypt, and trigger an attack within seven to 10 days. Usually this starts in the evening or on a Friday, so they have more time to encrypt the files.
"If you start doing this from a virtual machine, you're amplifying the amount of time it's going to take – another negative for criminals for this tactic," Wisniewski adds. "Because VMs are slower and it's a mapped network drive, it's significantly slower than doing the encryption operation natively on the computer itself."
He notes that attackers who use this technique will only do so if it makes sense for a specific victim. Legacy environments are especially vulnerable here. If a group with admin credentials breaks in and notices a business is running legacy antivirus managed locally, they can turn it off. If it's cloud-based and there's no multifactor authentication, they can turn it off there, too.
"Once they break into each victim, they're reacting to what's around them," he says.
Legacy environments are less likely to have security tools that react to a technique like this one. A reason this tactic is still rare is it will only work in scenarios where it can work around the security tools in place.
How Businesses Can Respond
Organizations aware of this technique are advised to take steps to defend against attackers.
"I think awareness is really key in terms of knowing how they get into your organization and how they get across your network, in terms of obtaining credentials and moving laterally," says O'Brien, who urges businesses to regularly change their credentials and limit users to the activity they're meant to be doing. "If someone has no reason to create a VM, block them from doing it."
"Be a bit more rigid in terms of the policies you apply," he adds.
"In general, it's not a bad idea to block these applications from being used where they shouldn't be used," Wisniewski says. He refers to VirtualBox, which is commonly used in these attacks, as something that should be both blocked from running in your environment and detected when it's installed or downloaded somewhere unusual.
"That should never happen on a server," he says. "It may run on a workstation, but virtualization software wouldn't normally run on a server."
The same ransomware defense advice still applies here, he notes. Where it pivots is in detecting the virtualization process and ensuring servers have security software installed rather than expecting endpoint protection tools will protect them from these kinds of attacks.
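The detection advice above (virtualization software should never appear on a server, and should be caught when it turns up somewhere unusual on a workstation) can be turned into a simple hunt over endpoint telemetry. The following is an added example, not code from the article or from Symantec or Sophos. It assumes a process-creation / file-write event format loosely modelled on EDR telemetry and an asset inventory that labels each host as a server or workstation; the sample events and hostnames are constructed, and the VirtualBox binary names are the well-known executables shipped with Oracle VirtualBox.

```python
"""Flag virtualization software on hosts where it should not appear.

Added example, not code from the article or from Symantec/Sophos. It scans
constructed process-creation and file-write events (a format assumed here,
loosely modelled on EDR telemetry) and raises an alert when a known Oracle
VirtualBox binary starts on a server-class host, runs from an unexpected
path on a workstation, or when a VM disk image is written on a server.
Host roles come from an assumed asset-inventory mapping.
"""
from dataclasses import dataclass

# Executable names shipped with Oracle VirtualBox.
VIRTUALBOX_BINARIES = {
    "virtualbox.exe", "vboxmanage.exe", "vboxheadless.exe",
    "vboxsvc.exe", "vboxsdl.exe",
}
# File extensions used by VirtualBox-compatible disk and appliance images.
VM_IMAGE_EXTENSIONS = (".vdi", ".vmdk", ".vhd", ".ova", ".ovf")
# Where an IT-sanctioned VirtualBox install would normally live (assumption).
EXPECTED_INSTALL_DIRS = ("c:\\program files\\oracle\\virtualbox\\",)


@dataclass
class Alert:
    host: str
    severity: str
    reason: str


def evaluate_event(event: dict, inventory: dict) -> list:
    """Return zero or more alerts for a single telemetry event.

    event keys (assumed): host, image (full process path), optional target_file.
    inventory: hostname -> role ('server', 'workstation', ...).
    """
    host = event["host"]
    role = inventory.get(host, "unknown")
    image = event.get("image", "").lower()
    exe = image.rsplit("\\", 1)[-1]
    alerts = []

    if exe in VIRTUALBOX_BINARIES:
        if role == "server":
            # Virtualization software is never expected on a server: high severity.
            alerts.append(Alert(host, "high",
                                f"VirtualBox binary {exe} started on server-class host"))
        elif not image.startswith(EXPECTED_INSTALL_DIRS):
            # Tolerated on workstations, but only from the sanctioned install directory.
            alerts.append(Alert(host, "medium",
                                f"VirtualBox binary {exe} running from unexpected path {image}"))

    target = event.get("target_file", "").lower()
    if target.endswith(VM_IMAGE_EXTENSIONS) and role == "server":
        # A VM disk image landing on a server is the "big file" a defender can spot.
        alerts.append(Alert(host, "high", f"VM disk image written on server: {target}"))
    return alerts


def scan(events, inventory):
    """Evaluate a batch of events and return all alerts, in input order."""
    found = []
    for ev in events:
        found.extend(evaluate_event(ev, inventory))
    return found


# Constructed sample data (not real hosts or telemetry).
SAMPLE_INVENTORY = {"FS01": "server", "DC01": "server", "WS-042": "workstation"}
SAMPLE_EVENTS = [
    {"host": "FS01", "image": "C:\\Users\\svc_backup\\AppData\\Local\\Temp\\vbox\\VBoxHeadless.exe"},
    {"host": "WS-042", "image": "C:\\Program Files\\Oracle\\VirtualBox\\VirtualBox.exe"},
    {"host": "WS-042", "image": "C:\\Users\\alice\\Downloads\\vbox\\VBoxManage.exe"},
    {"host": "DC01", "image": "C:\\Windows\\System32\\svchost.exe",
     "target_file": "D:\\staging\\micro.vdi"},
    {"host": "WS-042", "image": "C:\\Program Files\\Oracle\\VirtualBox\\VirtualBox.exe",
     "target_file": "C:\\Users\\alice\\VirtualBox VMs\\dev.vdi"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS, SAMPLE_INVENTORY):
        print(f"[{alert.severity}] {alert.host}: {alert.reason}")
```

Run against the constructed events, the scan produces three alerts: a headless VirtualBox process on a file server, VBoxManage launched from a Downloads folder on a workstation, and a `.vdi` image written to a domain controller; the sanctioned VirtualBox install on the workstation raises nothing. The server/workstation split is what carries the rule, so the inventory lookup needs to be accurate for it to be useful.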
