Virtual machine used by Ragnar ransomware to evade security

Researchers have discovered a ransomware strain that uses a new evasion technique.

In a recently detected attack, Ragnar Locker ransomware was deployed inside an Oracle VirtualBox Windows XP virtual machine. The attack payload was a 122 MB installer containing a 282 MB virtual disk image, all to conceal a 49 kB ransomware executable.

Ragnar Locker is known for stealing data from targeted systems before launching the ransomware attack itself. The operators were observed targeting Windows Remote Desktop Services and attempting to obtain administrator access.

They used native Windows administrative tools such as PowerShell and Windows Group Policy Objects (GPOs) to move laterally across the network to Windows clients and servers. The attack deploys a batch file along with supporting files, which run an installer to set up the VirtualBox application on the victim machine.

The script then stops the Windows Shell Hardware Detection service (which disables Windows AutoPlay notifications) and executes a command to delete the targeted PC's volume shadow copies, so victims cannot restore older, unencrypted versions of their files.
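The host-side steps above leave traces in process-creation telemetry even though the encryption itself happens inside the guest VM. The following Python script is an added example, not part of the original article and not NPAV's or the researchers' code: it scans a constructed export of process-creation events for three of the behaviours described here (stopping the Shell Hardware Detection service, deleting volume shadow copies, and VirtualBox binaries running from outside their default install directory) and escalates a host on which several of them occur together. It goes slightly beyond the article by also matching the `net stop`, `Stop-Service` and `wmic shadowcopy delete` variants of the same actions. The `timestamp|host|parent|image|command_line` export format, the default install path check, and the sample events themselves are assumptions.

```python
"""Flag process-creation events matching the host-side behaviour of the
Ragnar Locker VirtualBox delivery chain. Detection-only: it reads an exported
log and reports; it does not change anything on the system."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (not real telemetry) in an assumed export format:
# "timestamp|host|parent_image|image|command_line". Adapt parse_events() to
# your own Sysmon Event ID 1 or EDR export.
SAMPLE_EVENTS = """\
2020-05-21T10:02:11|WS-042|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
2020-05-21T10:03:45|WS-042|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\sc.exe|sc stop ShellHWDetection
2020-05-21T10:03:47|WS-042|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet
2020-05-21T10:04:02|WS-042|C:\\Windows\\System32\\cmd.exe|C:\\Temp\\vbox\\VBoxHeadless.exe|VBoxHeadless --startvm vm1
2020-05-21T10:05:10|SRV-01|C:\\Program Files\\Oracle\\VirtualBox\\VBoxSVC.exe|C:\\Program Files\\Oracle\\VirtualBox\\VBoxHeadless.exe|VBoxHeadless --startvm devbox
"""


@dataclass
class Event:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str

    @property
    def image_name(self) -> str:
        """Lower-cased file name of the executable, without its directory."""
        return self.image.rsplit("\\", 1)[-1].lower()


# Well-known VirtualBox executables and the default install directory
# (the directory check is an assumption about a standard installation).
VBOX_BINARIES = {"vboxheadless.exe", "virtualbox.exe", "vboxmanage.exe", "vboxsvc.exe"}
VBOX_DEFAULT_DIR = "c:\\program files\\oracle\\virtualbox\\"


def is_shadow_copy_deletion(e: Event) -> bool:
    # vssadmin "delete shadows" or wmic "shadowcopy delete".
    return e.image_name in {"vssadmin.exe", "wmic.exe"} and \
        re.search(r"delete\s+shadows|shadowcopy\s+delete", e.cmdline, re.I) is not None


def is_shell_hw_detection_stop(e: Event) -> bool:
    # sc stop / net stop / Stop-Service targeting the ShellHWDetection service.
    return re.search(
        r"(?:sc(?:\.exe)?\s+stop|net(?:\.exe)?\s+stop|stop-service)\s+.*shellhwdetection",
        e.cmdline, re.I) is not None


def is_virtualbox_unusual_path(e: Event) -> bool:
    # A VirtualBox binary executing from somewhere other than its install directory.
    return e.image_name in VBOX_BINARIES and not e.image.lower().startswith(VBOX_DEFAULT_DIR)


RULES = {
    "shadow_copy_deletion": is_shadow_copy_deletion,
    "shell_hw_detection_stopped": is_shell_hw_detection_stop,
    "virtualbox_unusual_path": is_virtualbox_unusual_path,
}


def parse_events(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append(Event(ts, host, parent, image, cmdline))
    return events


def matched_rules(event: Event) -> list[str]:
    return [name for name, check in RULES.items() if check(event)]


def analyze(text: str) -> dict[str, dict]:
    """Per host: the distinct rules hit, the matching events, and a severity.
    Two or more distinct rules on one host is the chain the article describes,
    so that host is escalated to 'high'."""
    per_host = defaultdict(lambda: {"rules": set(), "events": [], "severity": "none"})
    for ev in parse_events(text):
        hits = matched_rules(ev)
        if hits:
            per_host[ev.host]["rules"].update(hits)
            per_host[ev.host]["events"].append((ev.ts, hits, ev.cmdline))
    for info in per_host.values():
        n = len(info["rules"])
        info["severity"] = "high" if n >= 2 else "medium"
    return dict(per_host)


if __name__ == "__main__":
    for host, info in analyze(SAMPLE_EVENTS).items():
        print(f"{host}: {info['severity']} {sorted(info['rules'])}")
        for ts, hits, cmd in info["events"]:
            print(f"  {ts} {','.join(hits)} :: {cmd}")
```

Run against the sample, WS-042 is reported as high severity with all three rules, while SRV-01, whose VBoxHeadless runs from the default install directory, produces no alert. Each rule on its own is noisy (administrators legitimately stop services and run VirtualBox); the value is in the per-host correlation, which is why the severity is driven by the number of distinct rules rather than by any single match.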

The evasion technique is new and effective: because the ransomware runs inside the guest VM, security software on the host sees only the legitimate VirtualBox process, so the malicious activity is hard to detect and poses a serious threat to the targeted environment.

Use NPAV and join us on a mission to secure the cyber world.
