BEWARE: RANSOMWARE GANGS ARE OPERATING THROUGH VIRTUAL MACHINES
Source – https://www.analyticsinsight.net/
The implementation of Artificial Intelligence, into cybersecurity, may become one of the popular AI trends in 2021 to have a proper defense against cyberattacks from malicious hackers and ransomware gangs. But, these ransomware gangs are improving their techniques to reach a whole new level of cyberattacks from behind the curtains. The ransomware gangs are utilizing virtual machines to hide these vicious cyberattacks. It is becoming impossible for victims to detect and trace the gang or hackers within a short period of time. It is one innovative trick to allow cyberattacks to run their payload inside these virtual machines after bypassing the advanced cybersecurity software.
The process of using virtual machines to achieve cyberattacks is being used by several ransomware gangs across the world. The tangible benefits of these virtual machines are becoming popular to go for blackmailing or phishing despite the strong cybersecurity of reputed companies. The ransomware gangs having a small foothold on an infected host can download or install the virtual machine software easily. It will share the host computer’s storage space with a virtual machine for proceeding to encrypt confidential files from the virtual machine. The host’s antivirus software cannot reach these virtual machines to detect the execution of current ransomware. After finishing the encryption process, the virtual machine is discarded seamlessly. This is another popular benefit for ransomware gangs because the virtual machines discard an enormous volume of vital forensic evidence to prevent any further investigation.
An open-source virtual machine software, known as VirtualBox is popular among ransomware gangs in recent times. The investigators are failing to recognize the ransomware that is discovered running in a virtual machine. There are incidents where the investigators found out that a gang tried to run Conti and MountLocker ransomware on a host computer running Windows 7. Some ransomware gangs used RagnarLocker in Windows XP. Multiple cyber-criminals use a pattern of naming multiple files such as aa51978f.msi or s3c.msi that usually end with .msi. They also create a file name like runner.exe and utilized the go-ps library for process enumeration.
This new technique is showing that cyber-criminals or ransomware gangs want to stay one step ahead of getting detected by high-end cybersecurity. They are using dual-use tools to stage cyberattacks on multiple targeted networks. These kinds of cyberattacks are an imminent threat to all types of businesses. Thus, it is recommended to follow the precautionary measures to avoid consequences— ensure not to view intrusion detection as an option, use security tools for monitoring all virtual environments and integrate hypervisor monitoring into the whole system.