Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security

Using VMs To Hide Ransomware Attacks is Becoming More Popular 41

An anonymous reader shares a report: In early 2020, security researchers were baffled to discover that a ransomware gang had come up with an innovative trick that allowed it to run its payload inside virtual machines on infected hosts as a technical solution that bypassed security software. One year later, that technique has spread among the cybercrime underground and is now used by multiple ransomware operators. Initially seen with the Ragnar Locker gang in May 2020, the technique was also adopted by a Maze ransomware subgroup later in the year and has been recently spotted in attacks where the Conti and MountLocker ransomware strains were deployed. In hindsight, it should be no surprise that this technique is becoming more popular, as it has tangible benefits for any threat actor. The general idea behind such an attack is that a ransomware gang that has a small foothold on an infected host can download and install VM software. The ransomware gang will then start a VM instance, share the host computer's storage space with the VM, and then proceed to encrypt the victim's files from within the VM, where the host's antivirus software cannot reach and detect the ransomware during execution.
This discussion has been archived. No new comments can be posted.

Using VMs To Hide Ransomware Attacks is Becoming More Popular

Comments Filter:
  • SMB? (Score:1, Insightful)

    So the entire thing is dependent on the target sharing files via SMB. Furthermore, a new VM isn't going to have domain credentials and unless I missed something, the targeted files would have to allow full access to the 'Everybody' group, which no one does. It's smart, but I feel like we're missing about half of the analysis here.

    • I imagine it's good that enclaves [vmware.com] didn't become a thing.

      • I imagine it's good that enclaves [vmware.com] didn't become a thing.

        I'm pretty sure they did become a thing but it's such a rarely used feature that only whitelisted programs could use it without being identified as a threat.

    • Re:SMB? (Score:5, Informative)

      by Artem S. Tashkinov ( 764309 ) on Monday June 28, 2021 @10:54AM (#61529774) Homepage

      Looks like you've never actually used VMs.

      Both VMWare WorkStation and VirtualBox, the two most popular Windows hypervisors, use their own file sharing protocol which does not use SMB/CIFS on the host PC. No target file sharing ever occurs in any capacity.

    • by bws111 ( 1216812 )

      Where does it say anything about SMB? This sounds like they install some sort of mini hypervisor that gives access to the same resources to two 'VMs' - the 'real' OS and the malware. The 'real' OS is not aware of the existence of the other VM, so it can't do anything about it.

    • > I feel like we're missing about half of the analysis here.

      How else are they going to not mention Microsoft Windows :]
    • by EvilSS ( 557649 )
      Like others stated, the hypervisor may be using a more direct method than SMB to access the local files. Even so, the fact that the malware has the ability to run a hypervisor on the system indicates it's found a way to run in an elevated state on that PC, so enabling SMB and setting it to the everyone group would be within it's capabilities on most domain joined Windows systems. And before you think about group policy stopping that, keep in mind that if you have local admin, you can neutralize group policy
    • by Junta ( 36770 )

      The general setup seems to be 'innocuous script that can't be discerned from a real admin wanting to do these things'.

      So 'set up (file share whatever technology) with vm guest, read-write (very valid use case, not blatantly malicious if the user actually wants this to happen)' is just part of the script to start.

      This of course requires first that you've either broken in to run things as the user in a way the system thinks it's an authorized user, or a trojan payload. However once that has been achieved, the

      • by PPH ( 736903 )

        So 'set up (file share whatever technology) with vm guest, read-write

        I see the problem right here. 'guest' shouldn't have read-write privileges on anything important in an organization. No normal user should. The worst that I (or a malicious script) should be able to do is to erase or encrypt my own local files. My bookmarks, local e-mail folders and cute desktop picture on my PC. And the copy of the company spreadsheet that I checked out of our document management system. Too bad. I have to do yesterday's work all over again. Nothing I, as a standard user, have permission t

        • by Junta ( 36770 )

          The thing is, the first payload is a 'set up a vm guest', which could be innocuous or malicious, it's really not possible to tell if the script is 'start a vm and give it access to my home directory'.

          The worst that I (or a malicious script) should be able to do is to erase or encrypt my own local files. My bookmarks, local e-mail folders and cute desktop picture on my PC

          Yes, that is plenty. Sure it's a huge bonus if it can wreak havoc on a set of corporate files. If my laptop was somehow trashed, then I consider it pretty disposable and I would be more annoyed than screwed. If the guest can read my ssh keys, well, it's still safe because the passphrase on those keys are pretty

          • by Junta ( 36770 )

            Sorry, I meant it's difficult for anti-malware software to tell the difference, a user could easily know what's going on if they are paying attention, but again, anti-malware is dealing with a more uphill battle.

  • In a short while, we'll see some console emulator being used as a platform to launch malware from.

    • That is already a thing. Especially if you get your download from a sketch site.
      • by kyoko21 ( 198413 )

        i mean bad actors somehow install a legitimate emulator that seems perfectly benign. at the same time, download a .nes or .smc file that instead of holding a game, it contains some nasty malware that instead of playing a game, it somehow does something nasty. both items which by itself could potentially pass virus detection, especially if the malware is some weird 0-day ROM file. i don't know how good various virus scanning systems are at scanning various ROMs that are potentially dumped for different platf

        • Emus don't seem all that great of a vector to me.
          I can see them failing with normal things people do to poison software, but they are relatively niche. Not many installs. Compared to other stuff out there. You can check a ROM file by running a MD5 check.
          • by tlhIngan ( 30335 )

            Emus don't seem all that great of a vector to me.
            I can see them failing with normal things people do to poison software, but they are relatively niche. Not many installs. Compared to other stuff out there. You can check a ROM file by running a MD5 check.

            If you can find an emu to do it, changing the hash is trivial since practically all emulators will run malformed ROMs just fine. As long as the basic machine code is correct the emulator will run them. It's trivial to change a few bytes in the ROM (or disk i

          • Emus don't seem all that great of a vector to me.

            Remember that they won a war against the Australian army:
            https://en.wikipedia.org/wiki/... [wikipedia.org]

  • I mean, if they are downloading and installing VM software, it's not like that can't be identified and blocked, right?

    Or at least ask, "Hey, do you really want to install this VM software on your system?", I think that's an easy start...

    • by bobm ( 53783 )

      I came to ask the same, you would think that a VM would have some interesting hooks into the OS that could be caught with a scan. Also they would need so get some drivers, etc that should be searchable.

    • Yeah, enterprises can stop this easily I would think. Windows should also disable built-in VM capabilities on all PCs by default and require a UAC dialog confirmation to turn it on. Most users probably don't need it. That said they are implementing some features which require it last I checked, such as Windows Sandbox, so this might not be as viable as I'm thinking depending on how popular those features are.

      It wouldn't surprise me if consumer AV solutions will respond by marking legitimate VM software inst

      • Hyper-V is shipped off by default, and for things like Windows Sandbox or Credential Guard, those ship on, if possible. If a user doesn't have admin rights, and they are not in the Hyper-V admin group, this is really not a concern.

        Of course, I'm expecting the AV witch hunt with regard to virtual machines, just as a selling point for their next rev of stuff.

    • Yep, it's a problem; it's not an unsolvable problem.

      Yes, that's an appropriate response that security teams will take. We'll see this news, this morning, and go make sure that VM software is on the naughty list. That'll be a little hassle for anyone who needs to use virtual machines for legitimate purposes.

      • by mysidia ( 191772 )

        VTx is a CPU feature -- small blue-pill style attack can be easily concealed. By time AV patterns can be updated the host OS is already executing inside a VM and cannot see the VMM, so putting VM software on the list doesn't really solve it.

        The access to this basic hardware feature needs to get shut off or restricted at a higher level for systems where it is not required -- ultimately it's a problem for Microsoft + VMware to solve.

        • by chill ( 34294 )

          Windows Subsystem for Linux would like a word with you.

          I'm not sure I've ever worked at a company that had its shit together enough to support multiple BIOS configurations for end-user machines.

        • VTx is thirteen instructions which allow the OS to instruct the processor to do the following:

          Enter VMM non-root mode (software can't access certain hardware features)

          Activate extended page tables (software can't see all the ram)

          Lock the TPM (software can't access secrets)

          Run the software (VMware, Virtualbox)

          Undo the above items

          In other words the VTx instructions allow the host OS to lock things down so that the guest can't do anything untoward. Not the other way around.

          The VTx instructions allow the host O

          • by mysidia ( 191772 )

            The VTx instructions allow the host OS to lock out Virtualbox; they do not allow Virtualbox to lick out the OS.

            Only because VirtualBox specifically is not malware and not designed to do it that way in a BP attack the host OS is switched into a virtual machine without its knowledge.

            • > > The VTx instructions allow the host OS to lock out Virtualbox; they do not allow Virtualbox to lick out the OS.

              > Only because VirtualBox specifically is not malware and not designed to do it that way

              Software applications do not design and build the CPU that they run on. The hardware CPU is locked into those states. The application cannot change it. Specifically, the instruction to enter root mode is what we call a "privileged" instruction. For an application to call the instruction results in t

    • by Artem S. Tashkinov ( 764309 ) on Monday June 28, 2021 @11:41AM (#61529966) Homepage

      Software virtualization is still a thing, you know. Can be run entirely from user space without any kernel drivers. Slower, of course, but it will be more than enough to do almost everything.

      What's more it can be run even in a web browser: https://bellard.org/jslinux/ [bellard.org]

      What's even scarier is that you can run code from other uArchs which will render your AV solutions 100% useless even if they somehow learn to recognize x86 virtualization being used. What's even scarier is that smart hackers may use their own CPU instruction set.

      • Oh, and nothing stop hackers from using DRM, e.g. Denuvo, so the payload becomes encrypted. It's expensive, of course, but state actors/well-off hackers have enough money to purchase a license.
        • by Anonymous Coward

          I can see ransomware groups using DRM, then hitting people who make decryptors with DMCA notices, since technically the mechanics of ransomware are protected under WIPO. Only a matter of time before we go down that rabbit hole.

          • by mysidia ( 191772 )

            The groups would not get far there: Since the very business that would be harmed is software for facilitating extortion --- they would not be able to even appear to plead their case.. As they would be rejected and likely arrested on the spot

      • by Entrope ( 68843 )

        User-space virtualization losers the benefit of hiding the activity -- both in terms of executable code and system/library call sequences -- from antivirus software. This technique is only worthwhile (from an attacker's perspective) when it can use kernel-level virtualization.

      • by swilver ( 617741 )

        It's almost like allowing websites to download arbitrary code and executing is might be a bad idea...

    • by Junta ( 36770 )

      The complexity of the payload and their ability to fidget with it before copying presumably makes the 'blacklist' approach more difficult.

      To oversimplify, say today anti-malware had to deal with variant code, but ultimately the 'business' part of the payload is somewhere in a vbs, ps1, bat, cmd, or exe file. So software could modify itself before copy, but some normalization routine and then process would almost certainly have a tell-tale portion that can't really modify and be detected, and the universe of

  • "security researchers were baffled to discover that a ransomware gang had come up with an innovative trick that allowed it to run its payload inside virtual machines on infected hosts

    How did these Windows computers get infected in the first place.
    • by Junta ( 36770 )

      From what I've seen, it starts with someone doing something an email tells them to without thinking, click link, follow instructions that say "do this immediately or you will lose your data" somehow, instilling a sense of 'I have no time to double check it, my data matters too much'.

      Exacerbated by some critical mass of internal systems that have 'password' or similarly dumb admin password, and 'everyone can read and write' file shares that some people insanely set up in the first place, and even worse actua

  • I think we will eventually reach a *solution* where the user does not have access to system resources anymore. I despise being locked out of my phone, but *think about the children*, .. sorry *think about the users*, people being lazy someone (windows 11?) will offer a solution in terms of locking out those pesky malware, alongside with converting your personal computer into an appliance.

    There have been several attempts at this. There were "web platforms", like Java Web Start, and Microsoft Silverlight/Clic

  • I would really love to have a lightweight VM host software and minimal guest OS that could do things like this. Where's the version of this software for the rest of us?

  • I've been doing the reverse of this for over 10 years so I wouldn't have to depend on antivirus. Yea malware can break out of a VM blah blah blah, it doesn't actually happen outside targeted attacks though.

To stay youthful, stay useful.

Working...