Content |
Viruses extortioners
Main article: Ransomware ransomware ransomware viruses (ransomware)
2022: All police data from Belgian city stolen by hackers after ransomware attack
In early December 2022, Ragnar Locker hackers published stolen data on their website that they thought belonged to the municipality of the Belgian city of Zweindrecht. But in fact, the published information belonged to the Zweindrecht police. Read more here.
2020: Detecting ransomware viruses on virtual machines
On May 21, 2020, antivirus developer Sophos announced the discovery of Ragnar Locker, a new type of ransomware virus that differs from the previously known method of masking from security software.
Ragnar Locker, in order to be invisible to antiviruses, deploys a virtual machine on the victim's computer and places itself in it. To create a visual machine, the Oracle VirtualBox hypervisor is used. The operating system is Windows XP. The operating system image and VirtualBox have a total volume of about 404 MB - all this is downloaded to the victim's PC only to hide the 49KB vrun.exe executable.
Attackers use GPO to launch the Microsoft installer (msiexec.exe), which quietly downloads from the Internet and installs an unsigned 122 MB MSI package from a remote server. This package includes the Oracle VirtualBox hypervisor (specifically the August 5, 2009 version of Sun xVM VirtualBox 3.0.4) and a micro.vdi disk image containing a stripped-down version of Windows XP SP3 called MicroXP v0.82. This image already includes a virus.
Since the virus starts inside a virtual machine, it is invisible to antivirus software installed on the host (since it does not scan virtual machines), Sophos explained.
Before you start distributing Ragnar Locker, the attackers behind the ransomware attack the target network and steal data, for which they then demand money using this application. So, in April 2020, they took possession of the confidential data of the network company Energias de Portugal, after which they demanded 1,580 bitcoins (about $11 million) from it, threatening to post this data in the public domain if payment is not received.[1]