Malware developers have a new trick up their sleeve when it comes to evading detection – hiding their code inside a virtual machine.
Researchers at Sophos recently discovered a ransomware attack that runs its payload inside an Oracle VirtualBox virtual machine to keep itself from being spotted and stopped before it does any damage. The attack ships an old version of the hypervisor, a Sun xVM VirtualBox build from 2009.
The virtual machine angle “takes defense evasion to a new level,” Mark Loman, director of engineering for threat mitigation at Sophos, told DCK.
The malware, Ragnar Locker, also exfiltrates the data before encrypting it and deletes the "shadow copies," the Windows volume snapshots that could otherwise be used to restore files.