Ransomware deploys virtual machines to hide itself from antivirus software

The operators of the RagnarLocker ransomware are installing the VirtualBox app and running virtual machines on computers they infect in order to run their ransomware in a “safe” environment, outside the reach of local antivirus software.

Background: https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/

This latest trick has been spotted and detailed today by UK cyber-security firm Sophos and shows the creativity and great lengths some ransomware gangs will go to avoid detection while attacking a victim.


Avoiding detection is crucial because RagnarLocker is not your typical ransomware gang. They’re a group that carefully selects targets, avoiding home consumers, and goes after corporate networks and government organizations only.

Sophos says the group has targeted victims in the past by abusing internet-exposed RDP endpoints and has compromised MSP (managed service provider) tools to breach companies and gain access to their internal networks.

On these networks, the RagnarLocker group deploys a version of their ransomware — customized for each victim — and then demands an astronomical decryption fee, to the tune of tens or hundreds of thousands of US dollars.

Because each of these carefully planned intrusions represents a chance to earn large amounts of money, the RagnarLocker group has put a premium on stealth and has recently come up with a novel trick to avoid detection by antivirus software.


The “trick” is actually pretty simple and clever when you think of it.

Instead of running the ransomware directly on the computer they want to encrypt, the RagnarLocker gang downloads and installs Oracle VirtualBox, a type of software that lets you run virtual machines.

The group then configures the virtual machine to give it full access to all local and shared drives, allowing the virtual machine to interact with files stored outside its own storage.

The next step is to boot up the virtual machine, running a stripped-down version of the Windows XP SP3 operating system, called MicroXP v0.82.

The final phase is to load the ransomware inside the virtual machine (VM) and run it. Because the ransomware runs inside the VM, the antivirus software won’t be able to detect the ransomware’s malicious process.

From the antivirus software’s point of view, files on the local system and shared drives will suddenly be replaced with their encrypted versions, and all the file modifications appear to come from a legitimate process — namely the VirtualBox app.
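The paragraph above is the defender's key takeaway: a signature- or reputation-based engine sees a trusted process (VirtualBox) touching files and stays quiet. As an added illustration, not code from the ZDNet article or from Sophos, the Python rule below shows the behaviour-based check that still fires in that situation: it ignores which process is doing the work and flags any process that appends the same new extension to many distinct files within a short window. The event log format, the process name, the share paths, the `.locked` extension and the thresholds are all constructed for this example.

```python
import re
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed file-activity events: "<timestamp> <process> <action> <path>[ -> <new path>]".
# The process name, share paths and ".locked" extension are sample values chosen for this
# example, not indicators taken from the article.
SAMPLE_EVENTS = r"""
2020-05-21T10:00:00Z explorer.exe RENAME C:\Users\alice\notes.txt -> C:\Users\alice\notes-old.txt
2020-05-21T10:00:01Z VBoxHeadless.exe RENAME C:\Share\Finance\q1.xlsx -> C:\Share\Finance\q1.xlsx.locked
2020-05-21T10:00:01Z VBoxHeadless.exe RENAME C:\Share\Finance\q2.xlsx -> C:\Share\Finance\q2.xlsx.locked
2020-05-21T10:00:02Z VBoxHeadless.exe RENAME C:\Share\HR\payroll.docx -> C:\Share\HR\payroll.docx.locked
2020-05-21T10:00:02Z backup.exe WRITE C:\Backups\2020-05-21\q1.xlsx
2020-05-21T10:00:03Z VBoxHeadless.exe RENAME C:\Share\HR\contracts.pdf -> C:\Share\HR\contracts.pdf.locked
2020-05-21T10:00:03Z VBoxHeadless.exe RENAME C:\Share\Eng\design.vsd -> C:\Share\Eng\design.vsd.locked
2020-05-21T10:00:04Z VBoxHeadless.exe WRITE C:\Share\Eng\HOW_TO_RECOVER.txt
2020-05-21T10:00:05Z backup.exe WRITE C:\Backups\2020-05-21\q2.xlsx
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (RENAME|WRITE) (.+?)(?: -> (.+))?$")


def parse_events(text):
    """Parse the constructed event lines into dicts with a UTC timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable event line: {line!r}")
        ts, proc, action, path, new_path = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "process": proc, "action": action, "path": path, "new_path": new_path,
        })
    return events


def appended_extension(old_path, new_path):
    """Return the suffix if new_path is exactly old_path plus one extra extension, else None."""
    base, ext = ntpath.splitext(new_path)
    return ext if ext and base == old_path else None


def detect_mass_rename(events, window_seconds=60, threshold=5):
    """Flag any process that appends the same extension to >= threshold distinct files
    inside a sliding window. Process identity or reputation is deliberately not consulted."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # process -> deque of (ts, old_path, appended_ext)
    alerted = set()                  # (process, ext) pairs already reported
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "RENAME":
            continue
        ext = appended_extension(ev["path"], ev["new_path"])
        if ext is None:
            continue                 # ordinary rename, not an "encrypt and relabel" pattern
        q = recent[ev["process"]]
        q.append((ev["ts"], ev["path"], ext))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()              # drop entries that fell out of the window
        files_by_ext = defaultdict(set)
        for _, old_path, e in q:
            files_by_ext[e].add(old_path)
        for e, files in files_by_ext.items():
            key = (ev["process"], e)
            if len(files) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"process": ev["process"], "extension": e,
                               "files": len(files), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {alert['at'].isoformat()} {alert['process']} appended "
              f"{alert['extension']} to {alert['files']} files")
```

In the sample, `explorer.exe` renaming one file and `backup.exe` writing copies without changing extensions stay quiet, while the VirtualBox process crosses the threshold on its fifth relabelled file. A real deployment would feed this from file-system auditing or an EDR's file-event stream and tune the window and threshold against the environment's normal rename rate.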

Mark Loman, director of engineering and threat mitigation at Sophos, told ZDNet today that this is the first time he’s seen a ransomware gang abuse virtual machines during an attack.

“In the last few months, we’ve seen ransomware evolve in several ways. But, the Ragnar Locker adversaries are taking ransomware to a new level and thinking outside of the box,” he added.

An overview of the entire RagnarLocker ransomware, including its VM trick, is available in Sophos’ recent report here:


Source: https://www.zdnet.com/article/ransomware-deploys-virtual-machines-to-hide-itself-from-antivirus-software/

By: Catalin Cimpanu for Zero Day

Craig Stilwell Named VP of Worldwide Partner Strategy & Sales

As we look forward to new opportunities in 2017 and delivering a Citrix Summit that empowers our partners to achieve great success, I am excited to share that Citrix has appointed Craig Stilwell as Vice President of Worldwide Partner Strategy & Sales.

Craig Stilwell, Citrix VP of Partner Strategy

Many in the partner community already know Craig, who has been with Citrix for more than 17 years and understands our sales and channel strategy very well. We are thrilled to have him move into this very important position to lead our partner strategy and work with you all. Craig assumes the position previously held by Kimberly Martin, who is no longer with Citrix.

As the new worldwide channel leader, Craig will draw from his extensive sales and channel leadership experience to invigorate our commitment to our partners and their long-term success and profitability. Specifically, in the near-term Craig will focus on three priorities:

  • Drawing on his experience to lead a partner team aimed at maintaining our leadership in the enterprise market and increasing our presence in the mid-market.
  • Transitioning to the cloud and the major role the channel has to play in the move from on premise to the cloud.
  • Reducing the complexity of our channel programs and making it easier for partners to do business with Citrix.

Craig has more than 23 years of technology experience and, having spent the majority of his career at Citrix, knows our business extremely well. Most recently he served as Area Vice President of our U.S. Commercial business responsible for all sales and products in the U.S. Commercial segment. Previously, Craig served in several roles of increasing responsibility at Citrix, most notably as Vice President of Americas Channel Sales & Field Operations where he was not only responsible for Americas partners, but also marketing, renewal and inside sales, sales operations and field readiness.

Before joining Citrix, he was on the management team of an IT consulting firm based in South Florida, and served as a senior manager in the consumer products industry practice at Accenture.

Craig’s experience heading up our U.S. Commercial business and the Americas channel sales and field ops organization will be invaluable. We look forward to sharing more about our vision for 2017 with our partners next month at Citrix Summit in Anaheim! In the meantime, Craig will be reaching out to partners to say hello and always welcomes partners to contact him via LinkedIn.

By: Carlos Sartorius (Citrix Profile)

Source: https://www.citrix.com/blogs/2016/12/06/craig-stilwell-named-vice-president-of-worldwide-partner-strategy-and-sales/

Top 5 Management Mistakes going to VDI

Top 5 Mistakes Made by IT Management when Moving to Virtual Desktops

Don’t make these critical errors

Many organizations have moved to VDI successfully, while others have struggled, with their project coming to a screeching halt. What makes some organizations successful? What do they do? More importantly, what don’t they do? A successful implementation can result in some of the following benefits:

  • Mobility, secure access to corporate applications and data from any device and any location
  • Bring Your Own Device (BYOD)
  • Decreased operational costs
  • Increased IT agility for growth or downsizing
  • Enhanced security and compliance, removing risk of data residing on lost, stolen, or compromised devices
  • Streamlined operations, getting organizations out of the business of procuring, configuring and managing end devices
  • Extended desktop refresh cycle

However, an unsuccessful project results in headaches, heartaches, dissatisfied end users, shelfware, and a vast amount of pain for the IT department. We will review what it takes to be successful, and what to avoid. There are already a number of good articles out there on the technical aspects of hardware, storage, and sizing, so this article focuses more on the project and operational aspects. Also note that this applies to both virtualized desktop and application environments, including Citrix XenApp/XenDesktop, VMware Horizon, and Microsoft RDSH.

Mistake #1: Not assessing business drivers and end user requirements

While desktop and application virtualization solutions involve some great and interesting technologies, there must be sound business reasons for going this route. What problems are we solving? What is the benefit to the business? How is life going to be better upon successful implementation? Assuming that these have been identified, the focus must then turn to the needs of business groups and end users. Primary focus must be placed on the applications, including the dependent applications, components, and plugins required for each user group to function. Many organizations use this exercise as an opportunity for rationalization, consolidating redundant applications and/or versions. At the end of the migration to a virtual environment, the user is going to need to have a positive experience, with access to needed resources in a functional and responsive manner.

Mistake #2: Lack of proactive performance monitoring of the end user experience

You must proactively monitor the systems and metrics that indicate a positive or negative experience. A common issue in virtual environments is session latency, and this can happen for a number of reasons, including latency in the network connection or other resource bottlenecks. Those managing the environment should be made aware of any brewing issues before any end user picks up the phone to log a ticket. Think of it this way: if you aren’t proactively monitoring, then you are relying on the end users as your method of notification. And many users don’t take the time to log a call until the third, fourth, or fifth instance of an issue. By that time, they are likely to be extremely frustrated with the virtual environment and are likely to be complaining to their boss, peers, or anyone else who will listen. When the noise starts reaching influencers and decision-makers, it can get painful and possibly political.

Stay on top of your environment, and get in front of issues. Tools like HDX Insights from Citrix and vCenter Operations Manager for Horizon View are a must for each respective environment.
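As an added example, not code from the article or from the Citrix and VMware tools it names, the Python check below shows the kind of rule a proactive-monitoring pipeline can run on session round-trip samples before anyone logs a ticket. It buckets samples by delivery group and time window, then separates a group-wide latency problem (everyone in the group is slow, pointing at a shared bottleneck) from a single user's bad link (only that user is slow). The sample data, the 150 ms threshold, the five-minute window, the minimum of three users per group and the field names are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed session samples: (timestamp_seconds, user, delivery_group, round_trip_ms).
# "Finance" is healthy except for one user on a poor link; "Engineering" is slow for everyone.
SAMPLE_METRICS = [
    (0, "alice", "Finance", 48), (30, "alice", "Finance", 55),
    (0, "bob", "Finance", 60), (30, "bob", "Finance", 52),
    (0, "carol", "Finance", 45), (30, "carol", "Finance", 58),
    (0, "dave", "Finance", 410), (30, "dave", "Finance", 395),
    (0, "erin", "Finance", 62), (30, "erin", "Finance", 49),
    (0, "frank", "Engineering", 260), (30, "frank", "Engineering", 310),
    (0, "grace", "Engineering", 280), (30, "grace", "Engineering", 330),
    (0, "heidi", "Engineering", 295), (30, "heidi", "Engineering", 305),
]


def bucket(samples, window_s):
    """Group samples by (delivery_group, window index), then by user."""
    buckets = defaultdict(lambda: defaultdict(list))
    for ts, user, group, rtt in samples:
        buckets[(group, ts // window_s)][user].append(rtt)
    return buckets


def evaluate_latency(samples, window_s=300, limit_ms=150.0, min_users=3):
    """Return alerts for each window: a 'group' alert when the whole delivery group's
    median round trip exceeds limit_ms, otherwise a 'user' alert for each user whose
    own median exceeds it. Thresholds are assumptions for this example."""
    alerts = []
    for (group, win), per_user in sorted(bucket(samples, window_s).items()):
        if len(per_user) < min_users:
            continue  # too few sessions to tell a group problem from noise
        all_rtt = [v for vals in per_user.values() for v in vals]
        group_med = median(all_rtt)
        if group_med > limit_ms:
            # A shared bottleneck explains every slow session here; one alert, not one per user.
            alerts.append({"scope": "group", "group": group, "window": win,
                           "median_ms": group_med})
            continue
        for user, vals in sorted(per_user.items()):
            user_med = median(vals)
            if user_med > limit_ms:
                # The group is fine, so this is likely the user's endpoint or network path.
                alerts.append({"scope": "user", "group": group, "user": user,
                               "window": win, "median_ms": user_med})
    return alerts


if __name__ == "__main__":
    for a in evaluate_latency(SAMPLE_METRICS):
        who = a.get("user", a["group"])
        print(f"{a['scope']:5} {who:12} window={a['window']} median={a['median_ms']:.1f} ms")
```

Using the group's median rather than its maximum keeps one bad user from making a healthy group look broken, and suppressing per-user alerts when the group itself is over the limit keeps the on-call person from receiving a dozen pages for one shared problem.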

Mistake #3: Letting end user dissatisfaction persist

This one is closely related to the previous mistake listed, and follows the same principle of being proactive. You not only want to identify the issues, but resolve them within a timely manner. We have seen a number of organizations with a sizeable log of help desk tickets around end user performance, and many times little has been done to address the issues. Once an issue is identified, determine the solution and implementation plan within a timely manner. While some users are more vocal than others and may be prone to getting overly emotional, it is best to filter out the emotion and resolve performance complaints that have validity. Again, a barrage of complaints can halt the deployment, requiring not only the resolution of the issue, but many rounds of damage control with the business.

Mistake #4: Going it alone

Many IT departments take pride in their ability to execute and meet the demands of the business. However, there is no shame in engaging a professional services organization for planning, design, implementation, and ongoing maintenance. Consider engaging a trusted solution provider or the vendor, as they have numerous experiences with other clients that can help you be successful and avoid potential pitfalls. You think their rates are high? Nothing compared to the cost and pain of a bad implementation and halted project, let alone the cost of unused licenses sitting on the shelf. If there is a solid business reason for the initiative, then the investment in professional services is justified. This includes all necessary support contracts and training, which should all be incorporated at the start of the budgeting process.

Mistake #5: Managing your virtual desktops and applications the same as your legacy desktop environment

The game has changed, and you are no longer running independent desktops in a traditional and distributed manner. Your desktop and application resources are now consolidated within a centralized and virtualized environment. Your virtualized desktops and applications reside within a complex and integrated system that, when running properly, can provide you with numerous IT and business benefits. However, if it is not properly managed, the result can be issues that affect multiple users. In a legacy PC/desktop environment, most issues reside on the actual end user device itself, likely within the hardware, OS, application, or user profile. For example, a user may have some corruption or an OS issue that is confined to their desktop, and the troubleshooting effort is typically confined to their desktop and profile. Taking this same troubleshooting approach as issues arise in a virtualized environment does not work, as problems are likely to affect multiple users. In a virtualized environment, a more holistic approach is needed to determine the root cause of such issues. Is there an issue within the OS image? Application package? Resource allocation? Storage configuration? Proactive monitoring is essential to provide you with insight into such potential issues. While there may still be cases of “one off” issues specific to one user or instance, most are indicative of larger scale issues.

In summary, virtual desktops and applications have been viable solutions for years, and are becoming more prevalent in environments across all types of industries and organizations. VMware is making significant investments in this space with their Horizon View solution, and Citrix is refocusing efforts toward XenApp. And don’t forget about Microsoft, as many organizations are achieving their goals with RDSH. We are also seeing increased awareness and adoption in Desktops-as-a-Service (DaaS), with both Amazon and VMware making significant pushes here. Most industry analysts agree that these solutions will continue to see growth and adoption, and for good reason. Whether you are looking at adopting or expanding your virtual desktop or application environment, make sure to take the proper approach, avoiding these issues as described within, and you will reap the benefits of a successful implementation.