New Ransomware Employs Never-Before-Seen Attack Method

Published at: May 22, 2020

A new study warns of a new ransomware attack method that runs a virtual machine on target computers in order to infect them with the ransomware. This may play the attack beyond the reach of the computer’s local antivirus software.

According to the UK-based cybersecurity firm Sophos, the Ragnar Locker attack is quite selective when choosing its victims. Ragnar’s targets tend to be companies rather than individual users.

Almost 1,850 BTC in ransom demanded in a single attack

Ragnar Locker asks victims for large amounts of money to decrypt their files. It also threatens to release sensitive data if users do not pay the ransom.

Sophos gave the example of the network of Energias de Portugal, who stole ten terabytes of sensitive data, demanding payment of 1,850 Bitcoin (BTC) in order not to filter the data. 1,850 BTC is worth roughly $11 million as of press time.

The modus operandi of ransomware is to take advantage of vulnerabilities in the Windows remote desktop app, where they obtain administrator-level access to the computer.

With the necessary permissions granted, attackers configure the virtual machine to interact with the files. They then proceed to boot up the virtual machine, running a stripped-down version of Windows XP called “Micro XP v0.82.”

Ransomware tactics are getting more “insidious and extreme” 

Speaking with Cointelegraph, Brett Callow, threat analyst at malware lab Emsisoft, provided more details on Ragnar Locker: 

“The operators have recently been observed to launch the ransomware from within a virtual machine to avoid detection by security products. Like other ransomware groups, Ragnar Locker steals data and uses the threat of its release as additional leverage to extort payment. Should the company not pay, the stolen data is published on the group’s Tor site.” 

Callow claims that the tactics deployed by ransomware groups are becoming ever more “insidious and extreme”, considering that the ransomware gangs behind Ragnar Locker now threaten to sell the data to the victim’s competitors or use it to attack their customers and business partners.

The threat specialist from Emsisoft adds the following:

“Companies in this situation have no good options available to them. Even if the ransom is paid, they simply have a pinky-promise made by a bad faith actor that the stolen data will be deleted and not misused.”

Recent ransomware attacks

On May 10, Cointelegraph reported on a study by Group-IB that revealed another type of ransomware that uses banking trojans to attack governments and companies, raising the red flags among the cybersecurity community and the FBI.

A ransomware gang called REvil also recently threatened to release almost 1TB of private legal secrets from the world’s biggest music and movie stars, such as Lady Gaga, Elton John, Robert DeNiro, Madonna, among others.

Tags
Related Posts
Ransomware Gang Auctions Off US Healthcare Data for Bitcoin
Crozer-Keystone Health System recently suffered a ransomware attack by the NetWalker ransomware gang. The gang is now auctioning the system’s stolen data through its darknet website. If it is not purchased at auction within six days, the gang has vowed to leak the data. On June 19, Cointelegraph was able to access the alleged publication. There appeared to be dozens of folders with an undisclosed amount of data, mostly concerning finances, but nothing related to medical records of patients. The gang claims that Crozer-Keystone Health System failed to pay for the ransom they demanded in Bitcoin (BTC). Crozer-Keystone is a …
Bitcoin / June 19, 2020
Robotics Company Falls Prey to Ransomware Attack
Ransomware gang REvil, known for launching stolen data auctions on the dark web, is now leaking sensitive documents stolen from a US-based robotics company. According to an official blog post from REvil on June 11, the team has started leaking confidential data belonging to Symbotic LLC. The post noted: “You do not want to speak with us and you probably think that we will not publish your data. We are already publishing.” The cybercriminal group stated that they’d created a website and paid for the hosting for a year. They threatened to make the robotics company’s data visible for “a …
Technology / June 12, 2020
Ransomware Gang Strikes Again With More Auctions Listing Stolen Data
Ransomware group REvil has started another auction on the dark web listing sensitive data stolen from two US-based law firms. The listing appeared June 6 through REvil’s official blog on the darknet, where bidders look to acquire 50GB of data from Fraser Wheeler & Courtney LLP and 1.2TB of data from the database of Vierra Magen Marcus LLP. Information auctioned includes client information, internal documentation of the company, electronic correspondence, patent agreements, business plans and projects, as well as new technologies that have yet to be patented. IP-related law firm among the victims The law firm Vierra Magen Marcus LLP …
Technology / June 8, 2020
New Ransomware Uses a Banking Trojan To Attack Governments and Companies
A new type of ransomware attack emerged in recent months, raising red flags among the cybersecurity community and authorities such as the FBI in the United States. Cybersecurity firm Group-IB has warned that it comes in the form of a Trojan, according to a report published on May 17. According to Group-IB’s study, the ransomware is known as ProLock and relies on the Qakbot banking trojan to launch the attack and asks the targets for six-figure USD ransoms paid out in BTC to decrypt the files. The roster of victims includes local governments, financial, healthcare and retail organizations. Among them, …
Bitcoin / May 19, 2020
Colorado Hospital Patient Information System Hit by Crypto Ransomware
Hackers have infected the infrastructure of Parkview Medical Center — the largest health center in Pueblo County, Colorado — with cryptocurrency ransomware. Citing a hospital employee, Fox News reported on April 24 that Meditech — the Parkview Medical Center’s system for storing patient information — was infected with ransomware and rendered inoperable. The hospital confirmed the incident in a statement: “On Tuesday, April 21, Parkview Medical Center was the target of a cyber-incident which has resulted in an outage in a number of our IT systems.” As Cointelegraph recently reported, ransomware attacks against hospitals are ongoing, despite the fall in …
Technology / April 29, 2020