That custom Windows XP virtual machine may not be safe, warns FBI

Windows XP Bliss (Image credit: Microsoft)

What you need to know

  • The FBI has issued a warning pertaining to the ransomware RagnarLocker and the custom Windows XP virtual machine it deploys within.
  • The FBI's warning is primarily meant to educate individuals about one of the many ransomware threats currently making the rounds on the web.

While it's no secret that Windows XP is a favorite of many legitimate, upstanding entities and still dominates operating system market share in one part of the world, not everyone who's a fan of the OS or its virtual machine variations has the best intentions in mind. Enter: RagnarLocker.

RagnarLocker is ransomware being circulated by cybercriminals for the purpose of encrypting files and holding them for ransom. The FBI notes that it doesn't encourage ransomware victims to pay up, since that runs the risk of encouraging cybercriminals. Not to mention, there's no guarantee the criminals will release their hold on your files even after you pay. As for the threat of RagnarLocker specifically, here's how the FBI describes it (via ZDNet):

RagnarLocker is identified by the extension ".RGNR_[[id]]," where [[id]] is a hash of the computer's NETBIOS name. The actors, identifying themselves as "RAGNAR_LOCKER," leave a .txt ransom note, with instructions on how to pay the ransom and decrypt the data. RagnarLocker uses VMProtect, UPX, and custom packing algorithms and deploys within an attacker's custom Windows XP virtual machine on a target's site.
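For responders, the extension pattern in the FBI's description can be turned into a triage sweep over a file listing. The sketch below is an added example, not code from the FBI advisory or from this article; the ID alphabet, the sample paths, and the function names are assumptions, and any .txt file in an affected folder is only flagged as a ransom-note candidate because the note's file name is not given here.

```python
import ntpath
import os
import re
from collections import defaultdict

# Assumption: only the shape ".RGNR_<ID>" is known; the ID's length and
# alphabet are not given, so any alphanumeric run is accepted.
RGNR_EXT = re.compile(r"\.RGNR_([0-9A-Za-z]+)$", re.IGNORECASE)

def walk(root):
    """Yield every file path under root (a mounted share or disk image)."""
    for folder, _dirs, names in os.walk(root):
        for name in names:
            yield os.path.join(folder, name)

def sweep(paths):
    """Group renamed files by ID and list .txt files sitting beside them."""
    by_id = defaultdict(list)
    txt_by_dir = defaultdict(list)
    for p in paths:
        name = ntpath.basename(p)          # handles both \ and / separators
        m = RGNR_EXT.search(name)
        if m:
            by_id[m.group(1).upper()].append(p)
        elif name.lower().endswith(".txt"):
            txt_by_dir[ntpath.dirname(p)].append(p)
    report = {}
    for rid, files in by_id.items():
        dirs = {ntpath.dirname(f) for f in files}
        notes = sorted(n for d in dirs for n in txt_by_dir.get(d, []))
        report[rid] = {"files": sorted(files), "note_candidates": notes}
    return report

# Constructed sample listing; none of these names come from a real incident.
SAMPLE = [
    r"C:\Shares\finance\q4.xlsx.RGNR_1A2B3C4D",
    r"C:\Shares\finance\budget.docx.RGNR_1A2B3C4D",
    r"C:\Shares\finance\note.txt",
    r"C:\Shares\hr\staff.csv.RGNR_9F8E7D6C",
    r"C:\Shares\hr\policy.pdf",
    r"C:\Users\a\notes.txt",
]

if __name__ == "__main__":
    for rid, info in sweep(SAMPLE).items():
        print(rid, len(info["files"]), "files;", info["note_candidates"])
```

Because the ID is derived from the computer's name, more than one distinct ID in a sweep suggests the encryptor ran under more than one computer name, which helps scope the response.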

The FBI notes that as of January 2022, a minimum of 52 entities in sectors such as financial services, information technology, critical manufacturing, energy, and government have had to deal with the consequences of RagnarLocker. The ransomware operates on a mass-encryption basis, actively choosing specific files not to encrypt in order to avoid attracting immediate attention while it locks things up.

Though RagnarLocker may be a particularly pesky foe, it's far from the only ransom-focused malware on the loose. Right now, there's a ransomware black hole out there.

Robert Carnevale is the News Editor for Windows Central. He's a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author of Cold War 2395. Have a useful tip? Send it to robert.carnevale@futurenet.com.

1 Comment
  • The malware deploys a Windows XP virtual machine? And the virtual machine has access to the hosts' files?