Symantec’s Threat Hunter Team found a VirtualBox VM on some compromised computers. The VM was delivered via a malicious installer pre-staged during the reconnaissance and lateral movement phases of the attacks. Researchers could not pinpoint whether the actual payload in the VM is the Mount Locker or the Conti ransomware: the former was found on the endpoint, but a username and password combination used in these attacks was previously associated with Conti activity. Organizations can prevent unauthorized VMs from being used on endpoints by using software inventory.
Source: https://www.helpnetsecurity.com/2021/06/23/virtual-machines-ransomware/

