The company said in a blog post that this was a new method of trying to evade detection; the ransomware in question is Ragnar Locker.
Mark Loman, director of engineering, Threat Mitigation at Sophos, said the firm's researchers had found the ransomware deployed inside an Oracle VirtualBox Windows XP virtual machine.
"In the detected attack, the Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server," Loman said.
"The primary contents of the MSI package were:
- "A working installation of an old Oracle VirtualBox hypervisor — actually, Sun xVM VirtualBox version 3.0.4 from August 5, 2009 (Oracle bought Sun Microsystems in 2010); and
- "A virtual disk image file (VDI) named micro.vdi — an image of a stripped-down version of the Windows XP SP3 operating system, called MicroXP v0.82. The image includes the 49 kB Ragnar Locker ransomware executable.
He said in the last few months, ransomware had been observed evolving in several ways.
"But the Ragnar Locker adversaries are taking ransomware to a new level and thinking outside of the box," Loman added. "They are deploying a well-known trusted hypervisor to hundreds of endpoints simultaneously, together with a pre-installed and pre-configured virtual disk image guaranteed to run their ransomware.
"Like a ghost able to interact with the material world, their virtual machine is tailored per endpoint, so it can encrypt the local disks and mapped network drives on the physical machine, from within the virtual plane and out of the detection realm of most endpoint protection products.
"The overhead involved to covertly run their 50 kilobyte ransomware seems like a bold, noisy move, but could pay off in some networks that are not properly protected against ransomware. This is the first time we have seen virtual machines used for ransomware.”