Using VMs to hide ransomware attacks is becoming more popular

In early 2020, security researchers were baffled to discover that a ransomware gang had come up with an innovative trick that allowed it to run its payload inside virtual machines on infected hosts as a technical solution that bypassed security software.

One year later, that technique has spread among the cybercrime underground and is now used by multiple ransomware operators.

Initially seen with the Ragnar Locker gang in May 2020, the technique was also adopted by a Maze ransomware subgroup later in the year and has been recently spotted in attacks where the Conti and MountLocker ransomware strains were deployed.

In hindsight, it should be no surprise that this technique is becoming more popular, as it has tangible benefits for any threat actor.

The general idea behind such an attack is that a ransomware gang that has a small foothold on an infected host can download and install VM software.

The ransomware gang will then start a VM instance, share the host computer's storage space with the VM, and then proceed to encrypt the victim's files from within the VM, where the host's antivirus software cannot reach and detect the ransomware during execution.

Once the encryption process finishes, the VM instance is discarded, which also has a secondary benefit for the attacker, as it discards large a large quantity of crucial forensic evidence that could aid defenders in the subsequent investigative and clean-up phase.

Security firm Symantec, which detected the most recent wave of VM-disguised ransomware attacks, urged organizations to add detection rules for the unauthorized installation of virtual machine software on their networks.