How Ragnar Locker Ransomware Evades Threat Detection


Ransomware gangs have shown no sign of slowing down as more sophisticated and complex attacks are developed to evade traditional security solutions such as antivirus, firewalls, and other threat detection tools.

We have observed a new method of attack carried out by the Ragnar Locker ransomware gang. Rather than delivering malware directly to the computer, malicious cybercriminals are exploiting a virtual machine in order to hide malware and encrypt the victim’s system.

How It Happens:

Users can easily receive a payload through a macro that is hidden in an office document or by manually downloading a file from the internet. From there, the payload instantly launches a virtual machine in the user’s environment behind the firewall.

Typically, a cybercriminal uses a remote access tool such as GoToAssist or ConnectWise Control (formerly ScreenConnect) which allows them to connect to the virtual machine. Because they are inside of the user’s perimeter, they can encrypt and steal their data.

The Ragnar gang is able to avoid detection by living-off-the-land using legitimate software tools such as PowerShell.

How To Protect Yourself Using ThreatLocker:

If you are using ThreatLocker and don’t have a VirtualBox running in your environment, there is no need to have a policy in place. Check your policies and make sure you don’t have one enabled that you may have needed in the past.

Ultimately, if you don’t have a VirtualBox policy, an attacker isn’t going to successfully deliver a payload because if it can’t run, no damage can occur.

While this attack only appears to be limited to a VirtualBox at this time, a cybercriminal can create a similar attack using Hyper-V or VMware.

If you do not use VMware, don’t allow it to run. If you need it for certain users, only allow it to run on those machines. As for any software, do not enforce a VMware policy where it is not needed.

Hyper-V is a virtualization software that is pre-installed with the Windows 10 Operating system. Since it is already installed, you have an existing policy that allows the Windows Core files.

If you do not use Hyper-V or only use it on certain machines, we recommend you navigate to our portal and add our suggested policies to block Hyper-V from running on a specific group of computers.

However, if you do need Hyper-V, we recommend you restrict your users from automatically creating Hyper-V images which would likely happen through PowerShell. With that in mind, there are a few more policies we recommend you have in place.

Microsoft Word, Google Chrome, and Internet Explorer should be Ringfenced in order to protect your applications from being exploited as a result of a cybercriminal living-off-the-land.

For example, if someone sends a word document with a macro and tries to call PowerShell or command prompt in an attempt to download and exploit a virtual machine, they will be unsuccessful.

Our Microsoft Office policy permits Microsoft to run without being able to call PowerShell, Cscript, or any other scripting language. With these policies in place, you stop the automation of virtual machines being created from an office document, web browser, Zoom, or any other front-end application.

It is critical that you implement the PowerShell policy by default in order to prevent it from accessing your files or the internet. If you restrict PowerShell from calling out to the internet, it cannot download a virtual machine in the first place.

Additional Tips

If you are not a ThreatLocker user, here are a few additional tips we recommend to harden your environment and protect against these types of attacks.

When a cybercriminal runs a virtual machine in your environment, they do not have automatic access to your data. Once inside your firewall, they will use different tools in an attempt to steal your data which brings them one step closer to carrying out a massive data breach.

Unpatched Servers

If your servers are not patched and up-to-date, an attacker can use Eternal Blue or any vulnerability to create the main admin account on your domain. Once a criminal becomes the main admin, they can access all of your servers, launch ransomware, and engage in other malicious activities. If your servers haven’t been patched, now is a good time to do so.


Once an attacker is in your network, they can carry out a brute-force attack in an attempt to steal your domain admin passwords. Always use a secure domain-admin password to protect your accounts.

Next, use automatic lockout policies for your domain-admin accounts so that if you are under attack, the cybercriminal will be locked out after 5+ invalid lockout attempts.

Also, consider using lock policies. This gives you an extra layer of protection if an attacker accesses your account, meaning they will have to unlock it to go one step further.

Last but not least, use dual-factor authentication on your servers.

*If you are using ThreatLocker 5.25 or above, we have a feature for remote presence included with Storage Control. This gives you the ability to set a storage policy that will not allow machines running ThreatLocker to access specific file shares. That way, if they were to access your passwords or file shares, they would not be able to access those specified file shares using a rogue machine.


Enable personal firewalls on all devices. With this protection in place, an attacker cannot send payloads to your desktops, laptops, or servers. In most cases, there is no reason not to enable your Windows firewall on your HyperV, VMWare, or physical servers.

While domain control can be more complicated because you have to open certain ports, you should always harden your physical boxes and backup servers by enabling a firewall.

Enforcing security hygiene will always pay off when a cybercriminal enters your network. For more information on Ragnar Locker ransomware, watch this quick video.

Recent Posts