Most ransomware impacts customers through a shotgun approach to penetration. In other words, it casts a wide net, and whichever organizations it happens to catch, it attempts to infiltrate, exploiting their vulnerabilities to deploy its particular flavor of ransomware. The intent? Encrypting the customer’s environment and holding the encryption keys hostage until the company pays the “ransom” to have those keys released.
This model means that no one is safe, and that we all need to implement and continuously validate our security controls to protect our users and, by extension, our assets from these opportunistic bad actors. The only way to do that is with a modern defense-in-depth approach, similar to what we help our customers achieve and maintain.
You might be asking at this point: what does this all have to do with RagnarLocker? Well, they are a ransomware gang that differs from the others in this space. Rather than casting a wide net and hoping an unwitting end user stumbles into their trap, RagnarLocker mounts a focused, carefully planned attack against a particular victim. This approach allows RagnarLocker to build ransomware customized to the target’s environment, which is far more effective than the one-size-fits-all wide-net approach of the mass of ransomware in the wild.
So why are we talking about RagnarLocker today? They have raised the bar for ransomware once again: their newest technique involves downloading and installing Oracle VirtualBox on a target system and then running their ransomware inside a virtual machine in VirtualBox. This prevents standard antivirus solutions from identifying and quarantining their attack tools. The approach also makes their activity look like normal system activity, meaning behavioral tools that aren’t tuned to catch it will miss it entirely.
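The defensive takeaway from the VirtualBox technique is that a hypervisor appearing on a host that has no business running one is itself a high-signal event. The following is an added example (not code from the original post or from any vendor) of a simple hunt over process-creation events: it flags well-known VirtualBox executables on hosts that are not on an approved-virtualization allowlist, and VirtualBox binaries executing from outside the standard install directory on any host. The hostnames, user names, allowlist and the event records themselves are constructed sample data, and the standard install path is an assumption about a default installation.

```python
"""Hunt for unexpected Oracle VirtualBox activity in process-creation events.

Added example, not from the original post. The event format is a constructed
JSON-lines export with the fields an EDR or Sysmon pipeline typically provides
(host, user, image path); hosts, users and the allowlist are constructed.
"""
import json
from dataclasses import dataclass

# Well-known Oracle VirtualBox executable names (lower-cased for matching).
VIRTUALBOX_BINARIES = {
    "virtualbox.exe",    # GUI front end
    "vboxheadless.exe",  # runs a VM with no interactive window
    "vboxsvc.exe",       # VirtualBox service
    "vboxmanage.exe",    # command-line management tool
}

# Assumed default install directory, normalized to forward slashes and lower case.
EXPECTED_INSTALL_PREFIX = "c:/program files/oracle/virtualbox/"

# Hosts where virtualization software is sanctioned (constructed sample policy).
VIRTUALIZATION_ALLOWLIST = {"dev-ws-07"}

# Constructed sample events: one JSON object per line.
SAMPLE_EVENTS = r"""
{"host": "FIN-WS-12", "user": "CORP\\jdoe", "image": "C:\\Program Files\\Oracle\\VirtualBox\\VBoxHeadless.exe"}
{"host": "DEV-WS-07", "user": "CORP\\asmith", "image": "C:\\Program Files\\Oracle\\VirtualBox\\VirtualBox.exe"}
{"host": "FIN-WS-12", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\notepad.exe"}
{"host": "DEV-WS-07", "user": "CORP\\asmith", "image": "C:\\Users\\asmith\\Downloads\\vbox\\VBoxHeadless.exe"}
"""


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    image: str
    reason: str


def normalize_path(path: str) -> str:
    """Fold Windows and POSIX separators and case so prefixes compare reliably."""
    return path.replace("\\", "/").lower()


def evaluate_event(event: dict, allowlist=VIRTUALIZATION_ALLOWLIST):
    """Return a Finding for a suspicious VirtualBox execution, or None."""
    path = normalize_path(event["image"])
    name = path.rsplit("/", 1)[-1]
    if name not in VIRTUALBOX_BINARIES:
        return None
    host = event["host"].lower()
    if host not in allowlist:
        return Finding(host, event["user"], event["image"],
                       "VirtualBox component on a host not approved for virtualization")
    if not path.startswith(EXPECTED_INSTALL_PREFIX):
        # Even on an approved host, a VirtualBox binary outside the standard
        # install directory suggests a copied or ad hoc installation.
        return Finding(host, event["user"], event["image"],
                       "VirtualBox binary running outside the standard install directory")
    return None


def hunt(jsonl_text: str, allowlist=VIRTUALIZATION_ALLOWLIST):
    """Parse JSON-lines events and collect findings in input order."""
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        finding = evaluate_event(json.loads(line), allowlist)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}\t{f.user}\t{f.image}\t{f.reason}")
```

On the sample data the hunt flags the headless VM start on the finance workstation and the VirtualBox binary running from a Downloads folder on the approved developer host, while the sanctioned GUI launch and the unrelated notepad event pass. In production the allowlist would come from asset inventory rather than a literal, and the same two rules map directly onto an EDR or SIEM query.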
In this escalating cyberwar, one thing is certain: we face determined adversaries who will use literally anything to exploit and profit from your information. With a vastly expanded attack surface and constantly changing attack methods, organizations need to be able to inspect and test their environment on an ongoing basis to stay aware of any potential risks.
If you would like a complimentary Security Health Check, reach out to us today so we can help you achieve – and maintain – Digital Resilience.