Ransomware gangs operate through virtual machines



Artificial intelligence in cybersecurity could become one of the popular AI trends of 2021, promising adequate defense against cyber attacks from malicious hackers and ransomware gangs. But these gangs are refining their techniques to take behind-the-scenes cyberattacks to a whole new level. Ransomware gangs now use virtual machines to hide their attacks, which makes it impossible for victims to detect the intrusion and trace the gang or the hackers behind it in a short period of time. The trick is simple: the attackers bypass advanced cybersecurity software and then execute their ransomware payload inside a virtual machine.

Several ransomware gangs around the world now carry out attacks through virtual machines. The benefits of this approach are tangible, and it is becoming popular for blackmail and phishing campaigns despite the strong cybersecurity of reputable companies. A gang with even a small foothold on an infected host can download and install virtual machine software. The host's storage is then shared with the virtual machine, and the ransomware running inside the VM encrypts the confidential files on that shared storage. The host's antivirus software cannot see inside the virtual machine, so it never detects the ransomware while it executes. After encryption is complete, the virtual machine is quietly deleted. This is another popular benefit for the gangs: deleting the virtual machine discards a huge volume of vital forensic evidence and hinders further investigation.

The open source virtual machine software VirtualBox has become popular among ransomware gangs lately. Investigators often fail to recognize ransomware when it is discovered running inside a virtual machine. In some incidents, investigators found that a gang had tried to run Conti and MountLocker ransomware on a host computer running Windows 7, while other gangs ran RagnarLocker on Windows XP. Several cybercriminals follow a naming pattern for their installer files, such as aa51978f.msi or s3c.msi, which usually end in .msi. They also create a file named runner.exe and use the go-ps library for process enumeration.

This new technique shows that cybercriminals and ransomware gangs want to stay ahead of the curve and avoid detection by high-end cybersecurity products. They use dual-purpose tools to organize attacks on multiple targeted networks, and these attacks pose an imminent threat to businesses of all types. It is therefore recommended to take precautionary measures to avoid the consequences: treat intrusion detection as a necessity rather than an option, use security tools to monitor all virtual environments, and integrate monitoring of the hypervisor throughout the system.
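One way to put the monitoring advice above into practice, as an added example that is not from the article or from any vendor: a small Python detector that scans endpoint process-start telemetry for the signals the article names (VirtualBox appearing on a host that is not supposed to run VMs, a host drive shared into a VM, short installer names such as aa51978f.msi, and a runner.exe process) and only escalates a host when several of those signals coincide. The telemetry format, the sample events and the allow-list of legitimate VM hosts are constructed for this example.

```python
"""Added example: correlate EDR-style process-start events against the
VM-hosted ransomware pattern described in the article. Nothing here is
the article's or any product's code; the event format is an assumption."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str      # e.g. "process_start"
    host: str      # endpoint name as recorded by the sensor
    command: str   # full command line as the sensor recorded it


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    evidence: str


# Assumption: hosts that are allowed to run VirtualBox (maintained by admins).
VM_ALLOWED_HOSTS = {"DEV-VM-01"}

# VirtualBox binaries; the article names VirtualBox as the gangs' tool of choice.
VBOX_BIN = re.compile(r"virtualbox\.exe|vboxmanage\.exe|vboxheadless\.exe", re.IGNORECASE)
# A shared folder whose host path is a bare drive root (the whole host disk
# exposed to the VM), e.g. --hostpath C:\ or --hostpath "D:\".
DRIVE_ROOT_SHARE = re.compile(r'sharedfolder\s+add.*--hostpath\s+"?([a-z]:\\?)"?(?=\s|$)', re.IGNORECASE)
# Short installer names like aa51978f.msi or s3c.msi (the article's examples).
SHORT_MSI = re.compile(r"(?:^|[\\/])([a-z0-9]{1,8})\.msi\b", re.IGNORECASE)
# The runner.exe helper the article mentions.
RUNNER = re.compile(r"[\\/]runner\.exe\b", re.IGNORECASE)

# Constructed sample telemetry: one endpoint (WS-014) showing the full pattern,
# a legitimate VM host (DEV-VM-01), and a host with a single benign-looking MSI.
SAMPLE_EVENTS = [
    Event("process_start", "WS-014",
          r"C:\Windows\System32\msiexec.exe /i C:\Users\Public\aa51978f.msi /qn"),
    Event("process_start", "WS-014",
          r'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe sharedfolder add "win7" '
          r"--name shared --hostpath C:\ --automount"),
    Event("process_start", "WS-014",
          r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe --startvm win7"),
    Event("process_start", "WS-014", r"C:\Users\Public\runner.exe"),
    Event("process_start", "DEV-VM-01",
          r'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe sharedfolder add "ubuntu" '
          r"--name src --hostpath C:\Users\dev\share"),
    Event("process_start", "WS-022",
          r"C:\Windows\System32\msiexec.exe /i C:\Temp\7z1900.msi /qn"),
]


def scan(events):
    """Apply each single-signal rule to every process-start event."""
    findings = []
    for ev in events:
        if ev.kind != "process_start":
            continue
        cmd = ev.command
        if VBOX_BIN.search(cmd) and ev.host not in VM_ALLOWED_HOSTS:
            findings.append(Finding("virtualbox_on_unexpected_host", ev.host, cmd))
        m = DRIVE_ROOT_SHARE.search(cmd)
        if m:
            findings.append(Finding("host_drive_shared_into_vm", ev.host, m.group(1)))
        if "msiexec" in cmd.lower():
            m = SHORT_MSI.search(cmd)
            if m:  # weak signal on its own: legitimate installers can have short names too
                findings.append(Finding("short_msi_name", ev.host, m.group(0).lstrip("\\/")))
        if RUNNER.search(cmd):
            findings.append(Finding("runner_exe", ev.host, cmd))
    return findings


def correlate(findings, min_rules=2):
    """Return {host: set(rules)} for hosts where at least min_rules distinct
    rules fired; a single weak hit (e.g. one short .msi name) is not escalated."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h: rules for h, rules in by_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for host, rules in correlate(scan(SAMPLE_EVENTS)).items():
        print(f"ALERT {host}: VM-hosted ransomware pattern, signals={sorted(rules)}")
```

Run against the constructed events, only WS-014 is escalated: VirtualBox on a host outside the allow-list, the C:\ drive shared into the VM, a short-named .msi and runner.exe all fired there, while the single short-named installer on WS-022 and the legitimate VM on DEV-VM-01 produce no alert. In production the same rules would be fed from the EDR's process-creation events, and the allow-list would come from the asset inventory rather than a hard-coded set.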
