Ragnar Locker is deploying Windows XP virtual machines to encrypt victims' files while evading detection by security software installed on the host. The ransomware is best known for its attack on energy giant Energias de Portugal (EDP), where the attackers asked for a $10.9 million ransom after claiming to have stolen 10 TB of unencrypted files. When the encryption is done, the victim will find a custom ransom note on their computer explaining how their company was breached and their files were encrypted. The use of a virtual machine to encrypt a device's files without being detected is an innovative approach.
Source: https://www.bleepingcomputer.com/news/security/ransomware-encrypts-from-virtual-machines-to-evade-antivirus/