[Security Weekly] Ragnar Locker Ransomware Attacks From Virtual Machines

5th Week of May 2020


1. Ragnar Locker ransomware attacks from virtual machines to avoid detection

Security researchers at Sophos recently discovered a new attack mechanism used by the Ragnar Locker ransomware. In a technique not seen before, the attackers hide the ransomware inside a virtual machine (VM) [1] to avoid being detected by firewalls.

Ragnar Locker was found to hide inside an Oracle VM VirtualBox that runs a Windows XP virtual machine. The payload included a Windows XP virtual disk with hidden executables.

Because the ransomware runs inside the virtual machine, its activity can easily go undetected by most traditional firewalls on the physical host computer.
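As an added defender-side illustration (not part of the original article or of Sophos' research), the following Python hunting rule checks Windows process-creation events for the pattern described above: a VirtualBox binary running from outside its install directory, or a VM disk/config file placed in a temporary or user-writable location. The VirtualBox executable names and default install path are real; the events, directory roots and thresholds are assumptions constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Real VirtualBox binaries and the assumed default install directory.
VBOX_BINARIES = {"vboxheadless.exe", "vboxmanage.exe", "virtualbox.exe", "vboxsvc.exe"}
VBOX_INSTALL_DIR = PureWindowsPath(r"C:\Program Files\Oracle\VirtualBox")
# VM disk / config artifacts referenced on a command line (.vdi, .vhd, .vmdk, .vbox).
VM_ARTIFACT = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:vdi|vhd|vmdk|vbox)\b", re.IGNORECASE)
# Assumed "user-writable" roots; the default "VirtualBox VMs" folder is deliberately
# not in this list so ordinary developer VMs do not fire the rule.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata\\|users\\public\\|programdata\\|windows\\temp\\)",
    re.IGNORECASE,
)

def evaluate(image: str, cmdline: str) -> list[str]:
    """Return the reasons a process-creation event looks like a smuggled VM."""
    reasons = []
    image_path = PureWindowsPath(image)
    if image_path.name.lower() not in VBOX_BINARIES:
        return reasons  # not a hypervisor process; nothing to say
    if VBOX_INSTALL_DIR not in image_path.parents:
        reasons.append(f"hypervisor binary outside install dir: {image}")
    for artifact in VM_ARTIFACT.findall(cmdline):
        if USER_WRITABLE.match(artifact):
            reasons.append(f"VM artifact in user-writable location: {artifact}")
    return reasons

def hunt(events: list[tuple[str, str]]) -> list[tuple[str, list[str]]]:
    """Evaluate (image, command line) pairs and keep only the ones that fired."""
    hits = []
    for image, cmdline in events:
        reasons = evaluate(image, cmdline)
        if reasons:
            hits.append((image, reasons))
    return hits

# Constructed sample telemetry: one benign VM start, one unpacked copy of
# VirtualBox registering a VM from a temp folder, one unrelated process.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
     "VBoxHeadless.exe --startvm devbox"),
    (r"C:\Users\bob\AppData\Local\Temp\vb\VBoxManage.exe",
     r'VBoxManage.exe registervm "C:\Users\bob\AppData\Local\Temp\vb\micro.vbox"'),
    (r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     r'VBoxManage.exe registervm "C:\ProgramData\vb\micro.vbox"'),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The rule is a starting point for a hunt query, not a signature: tune the directory roots to your estate and pair it with file-write telemetry on the host, since the encryption itself happens inside the guest.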

Ragnar Locker is known for targeting cloud service providers to get into corporate IT networks. Recently, it has attacked the Portuguese energy giant Energias de Portugal (EDP) and demanded a ransom of $11 million.

Sources: Infosecurity, Bleeping Computer

[1] A virtual machine acts the same as a physical computer, with the functionality needed to execute entire operating systems. Multiple isolated virtual machines can exist and run on the same physical computer.


2. Personal data of 2.3 million Indonesian citizens leaked on hacker forum

On May 20, a hacker posted the personal data of 2.3 million Indonesian citizens on a hacker forum. The hacker claimed to have exfiltrated the data from Indonesia’s General Elections Commission (KPU), and promised to release the full dataset containing information of more than 200 million citizens at a later time.

All the released data were in PDF format. According to investigators at Under the Breach, the data were well organized and appeared to have been compiled by Indonesian municipalities during the 2014 presidential election. The dataset included personal information such as names, addresses, places and dates of birth, as well as single identity numbers (NIK). According to the hacker, this information could be used to register new phone numbers, which could in turn be used for phishing campaigns.

KPU released a statement on Twitter claiming that there was no cyberattack incident, and that the data were originally made available for anyone during the 2014 election. Under the Breach responded by arguing that if such sensitive information was made available on purpose, it signals the “pure negligence” of data security by KPU.

KPU followed up by stating that they are investigating the case, but persisted in denying any cyberattack.

Sources: Reuters, Bleeping Computer


3. International leaders call for actions to protect hospitals from cyberattacks

Cyberattacks on hospitals and medical research institutions have surged significantly during the COVID-19 pandemic. In the United States alone, there have been a total of 127 cyberattack cases on the healthcare system since February, twice as many as in the same period last year (HHS).

On May 26 in Geneva, the Red Cross and the CyberPeace Institute issued a joint statement urging all governments to take “immediate and decisive action” to protect hospitals and medical research facilities from cyberattacks. They also stressed that any state-sponsored cyberattack on the healthcare system is intolerable even in times of war, and demanded that all state-sponsored threat actors and terrorist groups stop immediately.

So far, the plea has been signed by 50 signatories from across the world, including former heads of state of Brazil, the Soviet Union, Liberia, Chile, Switzerland, Uruguay, Colombia, Denmark, Slovenia, Poland and Mexico, former foreign ministers of Algeria, Russia, Argentina, Bulgaria, Nicaragua, Indonesia and Georgia, former US Secretary of State Madeleine Albright, and former UN Secretary-General Ban Ki-moon. The president of Microsoft and the CEO of Kaspersky also joined the group.

Healthcare facilities are attractive targets for cybercriminals because they hold a lot of sensitive data, including payment, social security and insurance information. However, compared to large corporations, healthcare facilities have relatively weak security measures to protect them from such attacks. This is why it is necessary for governments to set appropriate laws and regulations, as well as to provide subsidies for healthcare security.


Sources: Reuters, CyberPeace Institute, Infosecurity


4. More than 1000 corporate systems infected by cryptocurrency mining malware

On May 26, researchers at cloud security firm Red Canary revealed that they had discovered more than 1000 corporate systems infected with a cryptocurrency mining malware [1].

Red Canary did not disclose the names of the companies affected, but stated that the list included many large corporations. The attacker appeared to be Blue Mockingbird, a threat group active since December 2019.

Blue Mockingbird first attacked the web servers by exploiting a vulnerability in ASP.NET [2] applications. The vulnerability allowed the attackers to upload a web shell [3] to a server, gain administrative access and modify server settings. They then installed XMRig, a mining application for the Monero (XMR) cryptocurrency, onto the infected computers.

Source: Cointelegraph

[1] Cryptocurrency mining is the process of verifying crypto transactions and adding them to the blockchain. The miner is rewarded in cryptocurrency after adding each block. This process requires high computational power. A cryptocurrency mining malware infects a computer to take over its computational power and resources and use them for cryptocurrency mining.

[2] .NET is a free and open-source developer platform created by Microsoft for building applications. ASP.NET is an extension of .NET designed specifically for building web applications.

[3] A web shell is a script that can be uploaded to a web server to enable remote administrative access to the server.

