Yuen Pin Yeap, CEO at NeuShield
The Attack from Within
Recently a hacker group has devised a clever but sinister Fully UnDetectable (FUD) ransomware attack that is very difficult to detect. Because the RagnarLocker ransomware runs inside a prepackaged virtual machine (VM), it can use the VM’s own security isolation features to prevent detection. The compact Micro Windows XP VM is hosted by Oracle’s VirtualBox, with the proper add-ons to give it full access to all the files visible to the host. As the hypervisor shields the hostile VM from the host’s security system, the VM can run undetected and encrypt all files on the host.
Learning of this ransomware led us on a mission to see if NeuShield Data Sentinel could recover data from this type of attack. To find out, the NeuShield team attempted to replicate the attack in their lab, observe the effects of the ransomware on the host data and security system, and record the results in a video. The test uses a copy of the RagnarLocker ransomware, which was obtained from the wild and put inside a Micro XP image. The malware itself is only about 40KB in size, but the Windows XP image is about 250MB and is hosted by a copy of legitimate Oracle VirtualBox. A fully patched and protected Windows 10 64-bit host is used in the test, along with 2.5GB of data spread across multiple local and cloud folders.
After launching from inside the VM, RagnarLocker took about 5 minutes to encrypt 2.5GB of data on the host. It also added an extension ‘.ragnar_XXXXXX’ to all damaged files. As expected, the security software on the host was not able to detect any anomaly. All data on the local and cloud drives that was accessible to the host was damaged by the ransomware. In each folder that the ransomware traversed, it placed a copy of the ransom note. An example of the ransom note is shown below:
This ransomware was relatively easy to clean up: it only required deleting the VM images and uninstalling the unwanted hypervisor. In a real attack scenario, NeuShield recommends that customers use One-Click Restore to undo any changes made to the operating system by the ransomware or an outside attacker. However, for the purposes of this demo, we skipped ahead to the part where Mirror Shielding™ is used to recover the data. As depicted in the video, all data was recovered easily and quickly.
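Before restoring, it helps to know which folders were touched. The following added example (not NeuShield's tooling and not part of the original test) walks a data root and groups files carrying the ‘.ragnar_XXXXXX’ extension described above by folder, recovering each original file name. It assumes the XXXXXX part is an alphanumeric token; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Assumption: the XXXXXX in '.ragnar_XXXXXX' is an alphanumeric token.
SUFFIX = re.compile(r"^(?P<orig>.+)\.ragnar_(?P<token>[0-9A-Za-z]+)$")

def scope_damage(root):
    """Return ({folder: {"damaged": [(renamed, original)], "intact": n}}, tokens)."""
    report = defaultdict(lambda: {"damaged": [], "intact": 0})
    tokens = set()
    for folder, _dirs, files in os.walk(root):
        for name in files:
            m = SUFFIX.match(name)
            if m:
                # Renamed file: keep the original name for the restore list.
                report[folder]["damaged"].append((name, m.group("orig")))
                tokens.add(m.group("token"))
            else:
                report[folder]["intact"] += 1
    return dict(report), tokens

def make_constructed_tree(root):
    """Constructed sample data: one partly renamed folder, one untouched."""
    layout = {
        "docs": ["report.docx.ragnar_A1B2C3",
                 "budget.xlsx.ragnar_A1B2C3",
                 "notes.txt"],
        "photos": ["cat.jpg"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write("x")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_tree(tmp)
        report, tokens = scope_damage(tmp)
        print("extension tokens seen:", sorted(tokens))
        for folder, info in sorted(report.items()):
            print(folder, "damaged:", len(info["damaged"]),
                  "intact:", info["intact"])
```

Run against each local and cloud-synced data root; folders with a nonzero damaged count are the ones to verify after recovery.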
In summary, NeuShield predicts that attacks of this nature may become more common, especially against high-value targets, because it is relatively easy to evade detection using the tools hackers already have access to. In addition, the latest Windows ecosystem comes with a built-in hypervisor, called Hyper-V, that can be easily enabled, which makes it even more convenient to launch this type of attack. As such, it is important for businesses to be ready. Having a good and active endpoint security system to block attacks is crucial, but it may be even more imperative to have a good recovery plan and effective tools to prepare for the inevitable.