It would seem the people who create and name malware/ransomware/etc. have the same affinity for pop culture references that I do. I predict that one day I’ll wake up to the news that a particularly dangerous piece of software called “The Parrot Sketch” is tearing up enterprises left and right the world over.
Today, sadly, is not that day.
Instead, the piece of nasty software we’ll be discussing is Ragnar Locker, named of course, after Ragnar Lodbrok, a legendary Danish King, the star of the hit TV show, Vikings. It’s honestly a fitting name for a piece of software designed to deliver malware.
What/Who is Ragnar Locker?
Ragnar Locker is both a group and a piece of ransomware software. In the past, the Ragnar Locker group had focused their attacks on Windows Remote Desktop Protocols (RDP) to steal valuable information and hold the information’s owner for ransom. Recently the group attacked Energias de Portugal, an electrical utility. They stole 11 terabytes of data and held EDP for a ransom worth $11 Million US.
How does it work?
In the past, the group has focused on leveraging RDP vulnerabilities to install its ransomware and exfiltrate data. After gaining administrative access, they’d use things like Powershell or Windows Group Policy Objects to wreak havoc.
Now they’re doing things very differently. Instead of using their old, tried and true method of delivery, the sneaky buggers have pulled a new trick out of their hat. Now, Ragnar Locker leverages an Oracle VirtualBox Windows XP virtual machine to hide in plain sight.
Ragnar Locker used a Group Policy Option (GPO) task to run a Microsoft Installer (msiexec.exe). The EXE file then quietly installs a 122 MB, unsigned MSI package from a web server.
According to Sophos.com, the MSI package includes:
- A working installation of an old Oracle VirtualBox hypervisor (specifically a Sun xVM VirtualBox vers. 3.0.4)
- A virtual disk image file (VDI) named micro.vdi – a stripped-down version of the Windows XP SP3 OS – called MicroXP v0.82. This is the file that contains the Ragnar Locker ransomware.
The MSI deploys additional files and executables including:
- va.exe
- install.bat
After being installed, the MSI executes va.exe, which then initiates the intall.bat batch script. The first thing the script does is to register and run application extensions and necessary drivers. The application extensions are:
- VBoxC.dll
- VBoxRT.dll
The driver is:
- VboxDrv.sys
After being installed, the script stops the Windows Shell Hardware Detection service to disable the WindowsAutoPlay notification functionality. After that, the script executes a command to delete the endpoint’s shadow copies so that backups can’t be used to restore unencrypted files.
With that done, the install.bat script numbers all the local discs, connected drives and any mapped network drives on the endpoint. It then configures them to be accessed via the virtual machine.
After running a few more executables and making itself feel nice and cozy in its new home and begins to make a mess, ultimately encrypting the endpoint and locking the end-user out entirely. The only thing they’ll be able to see once the ransomware is installed is this lovely, personalized message:
As of right now, I can’t seem to find any information regarding how exactly the ransomware is solicited but I wouldn’t be surprised if it were via email and a lack of attention or security awareness training from the end-user. It is always incredible to me, dear reader, how many of these attacks could be stopped if people had the necessary training and knowledge.
Like our blog? Subscribe using the CTA in the upper right-hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.
