Computer security is a major issue in the tech industry today, and user data is the main concern for companies. That data needs to be protected so that it is not altered in any way and not deleted from the firm's servers, since the firm has been trusted with it, while still remaining easily accessible to its users. Every advance in security, however, is also a challenge that black hat hackers work to overcome. Antivirus software is deployed on many machines to stop intrusions into the network and prevent data breaches, since the legal consequences of a breach are not favourable to the defendant.
Ragnar Locker is a ransomware gang that chooses its targets deliberately. It avoids home consumers but does not think twice about going after corporations and government organizations. The gang has recently come up with a new way to create not only a safe environment in which to carry out its activities but also a way to avoid detection: it installs the Oracle VirtualBox application and runs its ransomware inside a virtual machine under whatever guest operating system it wants, usually Windows XP.
The gang's activities were discovered by Sophos, a cyber-security firm based in the United Kingdom. The findings show how crafty and skilled the attackers are, as well as their determination to get into computer systems and keep their activities hidden. They gain their initial foothold through exposed Remote Desktop Protocol (RDP) endpoints and abuse Managed Service Provider (MSP) tools to get access to the internal network.
The Ragnar Locker group then deploys its software, customized for each victim, and demands a large payment to release the computers; the amounts range from tens to hundreds of thousands of United States dollars. The evasion is achieved by having the ransomware install Oracle VirtualBox, which hosts the virtual machine. The VM is preconfigured to have access to all of the drives present on the machine (local drives) and those shared across the infrastructure (shared drives).
Finally, the virtual machine runs a stripped-down version of Windows XP SP3 named MicroXP v0.82. The ransomware is run inside this virtual environment to avoid detection by antivirus software. When the software encrypts the local and shared files, the antivirus on the host never sees the ransomware process itself: the Oracle VirtualBox process is logged as the one that modified the files, so the antivirus check is bypassed.
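The consequence of this technique for defenders is that the host's own telemetry still records the file writes, just attributed to the VirtualBox process. The following is an added detection example written for this page; it is not code from the article, from Sophos or from the Ragnar Locker tooling. It assumes simplified host file-activity events of the form (timestamp, process name, path), treats the VirtualBox process names listed in the code as the virtualization layer (VBoxHeadless.exe is the real headless VM runner; the list is this example's assumption), and ignores writes to the VM's own disk-image and configuration files so that ordinary VM use does not trigger the rule. The sample events are constructed.

```python
"""Flag a virtualization process that modifies many user files, including
files on shared drives, which is what the host sees when ransomware runs
inside a VM that has the host's drives mapped into it.

Added example for this page; not code from the article, Sophos, or any
ransomware family. Event format and process-name list are assumptions.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Host-side process names that belong to VirtualBox (assumed list).
VM_PROCESSES = {"vboxheadless.exe", "virtualbox.exe", "virtualboxvm.exe"}

# Files VirtualBox legitimately writes for its own VMs; writes to these are
# not evidence of anything and are excluded from the count.
VM_OWN_EXTENSIONS = {".vdi", ".vbox", ".vbox-prev", ".sav", ".log"}


def is_shared_path(path: str) -> bool:
    """UNC paths (\\\\server\\share\\...) are treated as shared drives."""
    return path.startswith("\\\\")


def is_vm_artifact(path: str) -> bool:
    """True for VirtualBox's own disk images, configs and logs."""
    return PureWindowsPath(path).suffix.lower() in VM_OWN_EXTENSIONS


def detect_vm_mass_modification(events, threshold: int = 5) -> dict:
    """Return {process: {"modified": n, "shared": m}} for every virtualization
    process that modified at least `threshold` distinct non-VM files.

    `events` is an iterable of (timestamp, process_name, path) tuples as a
    host file-activity log would provide (assumed format).
    """
    stats = defaultdict(lambda: {"files": set(), "shared": set()})
    for _timestamp, process, path in events:
        name = process.lower()
        if name not in VM_PROCESSES or is_vm_artifact(path):
            continue
        stats[name]["files"].add(path)
        if is_shared_path(path):
            stats[name]["shared"].add(path)
    return {
        name: {"modified": len(s["files"]), "shared": len(s["shared"])}
        for name, s in stats.items()
        if len(s["files"]) >= threshold
    }


# Constructed sample log: one benign write to a VM disk image, normal user
# activity, and a burst of document writes attributed to VBoxHeadless.exe.
SAMPLE_EVENTS = [
    ("2020-05-21T10:00:01", "WINWORD.EXE", r"C:\Users\alice\Documents\memo.docx"),
    ("2020-05-21T10:00:05", "VBoxHeadless.exe", r"C:\VMs\micro\micro.vdi"),
    ("2020-05-21T10:01:10", "VBoxHeadless.exe", r"\\fileserver\finance\q1.xlsx"),
    ("2020-05-21T10:01:11", "VBoxHeadless.exe", r"\\fileserver\finance\q2.xlsx"),
    ("2020-05-21T10:01:12", "VBoxHeadless.exe", r"\\fileserver\hr\payroll.csv"),
    ("2020-05-21T10:01:13", "VBoxHeadless.exe", r"C:\Users\alice\Documents\plan.docx"),
    ("2020-05-21T10:01:14", "VBoxHeadless.exe", r"C:\Users\alice\Documents\notes.txt"),
    ("2020-05-21T10:02:00", "explorer.exe", r"C:\Users\alice\Desktop\todo.txt"),
]

if __name__ == "__main__":
    for proc, counts in detect_vm_mass_modification(SAMPLE_EVENTS).items():
        print(f"ALERT: {proc} modified {counts['modified']} user files, "
              f"{counts['shared']} of them on shared drives")
```

The rule keys on the mismatch the article describes: a VM runner has no business rewriting spreadsheets on a file server, so a burst of such writes by that process is the signal, regardless of what runs inside the guest. The threshold is deliberately low for the sample; in production it would be tuned against the baseline of VM hosts in the estate.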
With this information, even Mark Loman, director of engineering and threat mitigation at Sophos, admitted that this is a whole new kind of work-around in the ransomware environment. Loman says: "In the last few months, we've seen ransomware evolve in several ways but the Ragnar Locker adversaries are taking ransomware to a new level and thinking outside the box." These are new ways of gaining access to computers, and they continue to show how sophisticated computer security has become.