Malware builders increasingly use virtual machines to hide ransomware

Security researchers are increasingly seeing rogue hackers hide their malware by using virtual machines. This way, the rogue software is not detected by malware scanners.

The first time this trick was discovered was in May 2020. Researchers saw that the Ragnar Locker group was hiding their ransomware in this way. Later, this same trick was also discovered in the Maze ransomware subgroup and recently Conti and MountLocker have been found to work in the same way.

Immediately after the infection, a virtual machine is created in which the rest of the malware is installed. From the virtual machine, all other software on the compromised host is encrypted. After encryption, the VM is deleted. Since the average malware scanner cannot scan the contents of VM images, the malware goes undetected.

Symantec has since informed several companies that detection rules for installing virtual machines must be added today.

A ransomware report from Maze

Sources: Symantec, Sophos

Source: Hardware Info Compleet by

*The article has been translated based on the content of Hardware Info Compleet by If there is any problem regarding the content, copyright, please leave a report below the article. We will try to process as quickly as possible to protect the rights of the author. Thank you very much!

*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.

*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!