Posey's Tips & Tricks

How To Safely Use a Hyper-V VM for Ransomware Testing

Ransomware is a lot more sophisticated now, attacking data on network drives and in the cloud. Before physically interacting with ransomware, take these precautions to stop anything outside the VM from getting infected.

• By Brien Posey
• 02/09/2021

One of my favorite things about Microsoft Hyper-V has always been the freedom that Hyper-V virtual machines (VMs) give you to be reckless. By reckless, I don't mean doing things in a production environment that clearly violate long-established best practices. What I mean is you can use a VM to try out things that you would never, ever attempt on your own PC.

As a freelance technology author, I spend the bulk of my working hours doing research. For the most part, I try to stick to using Web sites that I know to be reputable. For instance, I visit Microsoft's documentation pages about a million times a day. Every once in a while, though, my research will lead me to a somewhat questionable site that claims to have information about whatever it is I'm researching. If I'm not familiar with the site or if it seems a little sketchy, I will usually fire up a Hyper-V VM and visit the site from a browser running within that machine. That way, I won't put my PC at risk if the site happens to be malicious.

I have also used Hyper-V VMs for ransomware testing. Over the years, I have written countless articles about ransomware infections and countermeasures that can be used to defend against ransomware. Once in a while, I actually need to subject myself to a ransomware infection in order to validate a technique I'm writing about. Needless to say, I'm not about to intentionally unleash a ransomware infection on any of my physical machines.

In the past, Hyper-V has worked really well for ransomware testing. It gives me a way to work with ransomware in a controlled environment without putting any of my production resources at risk. More recently, though, I have begun to question whether it is still safe to test ransomware inside a Hyper-V VM.

Before I explain the reason for my concern, let me just say that I am in no way worried about a hypervisor escape attack. For those not familiar with the term, an escape attack is an attack in which software manages to break out of a VM and take over the parent operating system. At one time, I thought it might be possible to perform an escape attack against Hyper-V by exploiting the way that memory allocation works, but to the best of my knowledge, nobody has successfully performed such an attack.

The reason why I am beginning to question whether it is still safe to use Hyper-V VMs for ransomware testing has to do with the evolution of ransomware itself. Early on, ransomware was relatively unsophisticated. When a PC became infected by ransomware, the ransomware would encrypt any data it found on the PC's hard disk and display the ransom demand once the encryption process was complete. This type of ransomware was destructive, but it could only damage data that was stored directly on the PC.

Over time, ransomware became far more sophisticated. It has become quite common for ransomware to attack data on network drives, and there are also ransomware infections that will attempt to encrypt data residing within the Microsoft 365 cloud.

With that in mind, let's go back to my original question: Is it still safe to use a Hyper-V VM as an environment for playing around with ransomware?

In my opinion, ransomware can still be safely handled within a Hyper-V VM. The caveat is that you have to be a lot more careful than you used to be. Depending on the type of ransomware infection, the ransomware may use the VM's network connection to look for network resources it can attack.

That being the case, there are a couple of things you need to do if you are going to experiment with ransomware within the confines of a VM. The best thing to do is completely disconnect the VM from the network. Unfortunately, this may not always be an option; ransomware generally requires Internet connectivity in order to complete the attack sequence.

If you can't completely remove all network connectivity from the VM, the next-best option is to confine the VM to an isolated segment so that a ransomware attack will be unable to tell that your production network even exists.

Even then, however, I strongly recommend taking every possible precaution in case the ransomware infection is somehow able to see the rest of your network. For example, make sure that there are no open file shares on your network that can be accessed without authentication. Likewise, you should be logged into the VM using a local account that does not have permission to access anything outside of the VM.

Experimenting with ransomware can be risky in even the best circumstances. If your only goal is to see what ransomware actually does, my advice is to check out a few YouTube videos on the subject. That way, you can get a first-hand view of how ransomware infections work, but without putting anything at risk. If you do need to physically interact with ransomware, make sure to take every possible precaution to prevent anything outside the VM from becoming infected.