{
	"id": "1cebb942-1a6b-4b01-ad5c-a43c725dcc93",
	"created_at": "2026-04-06T00:12:36.375722Z",
	"updated_at": "2026-04-10T03:24:30.18258Z",
	"deleted_at": null,
	"sha1_hash": "958de4c050dc215ef32909ce1a80fbce13e9770f",
	"title": "Ransomware deploys virtual machines to hide itself from antivirus software",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43831,
	"plain_text": "Ransomware deploys virtual machines to hide itself from antivirus\r\nsoftware\r\nBy Catalin Cimpanu\r\nPublished: 2020-05-22 · Archived: 2026-04-05 22:38:05 UTC\r\nThe operators of the RagnarLocker ransomware are installing the VirtualBox app and running virtual machines on\r\ncomputers they infect in order to run their ransomware in a \"safe\" environment, outside the reach of local antivirus\r\nsoftware.\r\nThis latest trick has been spotted and detailed today by UK cyber-security firm Sophos and shows the creativity\r\nand great lengths some ransomware gangs will go to in order to avoid detection while attacking a victim.\r\nWhat's RagnarLocker?\r\nAvoiding detection is crucial because RagnarLocker is not your typical ransomware gang. They're a group that\r\ncarefully selects targets, avoiding home consumers, and goes after corporate networks and government\r\norganizations only.\r\nSophos says the group has targeted victims in the past by abusing internet-exposed RDP endpoints and has\r\ncompromised MSP (managed service provider) tools to breach companies and gain access to their internal\r\nnetworks.\r\nOn these networks, the RagnarLocker group deploys a version of their ransomware -- customized for each victim\r\n-- and then demands an astronomical decryption fee, to the tune of tens or hundreds of thousands of US dollars.\r\nBecause each of these carefully planned intrusions represents a chance to earn large amounts of money, the\r\nRagnarLocker group has put a premium on stealth and has recently come up with a novel trick to avoid detection by\r\nantivirus software.\r\nThe virtual machine trick\r\nThe \"trick\" is actually pretty simple and clever when you think about it.\r\nInstead of running the ransomware directly on the computer they want to encrypt, the RagnarLocker gang\r\ndownloads and installs Oracle VirtualBox, a type of software that lets you run virtual machines.\r\nThe group then configures the virtual machine to give it full access to all local and shared drives, allowing the\r\nvirtual machine to interact with files stored outside its own storage.\r\nThe next step is to boot up the virtual machine, running a stripped-down version of the Windows XP SP3\r\noperating system, called MicroXP v0.82.\r\nhttps://www.zdnet.com/article/ransomware-deploys-virtual-machines-to-hide-itself-from-antivirus-software/\r\nPage 1 of 2\r\nThe final phase is to load the ransomware inside the virtual machine (VM) and run it. Because the ransomware\r\nruns inside the VM, the antivirus software won't be able to detect the ransomware's malicious process.\r\nFrom the antivirus software's point of view, files on the local system and shared drives will suddenly be replaced\r\nwith their encrypted versions, and all the file modifications appear to come from a legitimate process -- namely\r\nthe VirtualBox app.\r\nMark Loman, director of engineering and threat mitigation at Sophos, told ZDNet today that this is the first time\r\nhe's seen a ransomware gang abuse virtual machines during an attack.\r\n\"In the last few months, we've seen ransomware evolve in several ways. But, the Ragnar Locker adversaries are\r\ntaking ransomware to a new level and thinking outside of the box,\" he added.\r\nAn overview of the entire RagnarLocker ransomware, including its VM trick, is available in Sophos' recent report.\r\nSource: https://www.zdnet.com/article/ransomware-deploys-virtual-machines-to-hide-itself-from-antivirus-software/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/ransomware-deploys-virtual-machines-to-hide-itself-from-antivirus-software/"
	],
	"report_names": [
		"ransomware-deploys-virtual-machines-to-hide-itself-from-antivirus-software"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434356,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/958de4c050dc215ef32909ce1a80fbce13e9770f.pdf",
		"text": "https://archive.orkl.eu/958de4c050dc215ef32909ce1a80fbce13e9770f.txt",
		"img": "https://archive.orkl.eu/958de4c050dc215ef32909ce1a80fbce13e9770f.jpg"
	}
}