If EDR is so great, why are these attacks still happening?
That is the question many business leaders are asking after researchers uncovered a new ransomware campaign where attackers are hiding malicious tools inside virtual machines to avoid endpoint detection.
This is not a lab experiment. This is happening right now.
And if your organization depends on traditional detection tools alone, this story deserves your attention.
According to BleepingComputer, researchers at Sophos uncovered a campaign tied to the Payouts King ransomware operation where attackers used QEMU to launch hidden virtual machines inside compromised systems.
Why does that matter?
Because endpoint security tools monitor the host operating system: its processes, files, and network connections. A virtual machine running on that host is, to the sensor, one ordinary process (QEMU) reading a disk image file. The guest's own processes, files, and commands never pass through the host kernel, so the sensor never sees them.
That creates a blind spot, though not a total one: the hypervisor process itself, its command line, the disk image it boots, and every socket it opens are still visible on the host.
Sophos observed attackers launching hidden Alpine Linux virtual machines, creating covert SSH tunnels, harvesting domain credentials, and preparing systems for ransomware deployment. In some cases, the attackers gained initial access through exposed VPN infrastructure and exploited vulnerable internet-facing systems.
This was not smash-and-grab malware.
This was stealthy, patient, and designed to stay invisible.
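One thing the host can still do is hunt for the hypervisor it is hosting. The Python below is an added example for this article, not code from Sophos, BleepingComputer or the original post, and not any product's detection rule. It scores constructed process-creation events for traits a covert QEMU guest tends to show (headless launch, a host port forwarded into the guest, the binary sitting in a user-writable directory, a script host as parent), records the disk image an investigator would need to acquire, and lists the sockets the QEMU process opens, which is where a covert SSH tunnel becomes visible from the host. That the host is Windows, the event field names, the weights and the threshold are all assumptions, not facts from the report.

```python
"""Hunting for covert QEMU guests from host telemetry (added example).

Assumptions not stated by the article: Windows host; process events carry
image/parent/cmdline; network events carry image/dst_ip/dst_port; weights
and threshold are illustrative, not tuned on real data.
"""
import ipaddress
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events for this example; not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",          # developer's desktop VM
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 4096 -hda C:\VMs\dev.qcow2'},
    {"image": r"C:\Users\Public\Libraries\q\qemu-system-x86_64.exe",    # dropped copy, headless guest
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"qemu-system-x86_64.exe -m 256 -display none -daemonize "
                r"-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0 "
                r"-drive file=alpine.qcow2,format=qcow2"},
    {"image": r"C:\Windows\System32\svchost.exe",                        # unrelated noise
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",          # CI runner, headless but benign
     "parent": r"C:\Program Files\Jenkins\jenkins.exe",
     "cmdline": r"qemu-system-x86_64.exe -nographic -m 2048 -drive file=D:\ci\test.qcow2,format=qcow2"},
]
NETWORK_EVENTS = [
    {"image": r"C:\Users\Public\Libraries\q\qemu-system-x86_64.exe", "dst_ip": "203.0.113.10", "dst_port": 443},
    {"image": r"C:\Users\Public\Libraries\q\qemu-system-x86_64.exe", "dst_ip": "10.0.0.5", "dst_port": 445},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst_ip": "203.0.113.10", "dst_port": 443},
]

QEMU_BINARY = re.compile(r"^qemu(?:-system-[\w-]+)?(?:\.exe)?$", re.IGNORECASE)
HEADLESS = re.compile(r"(?:^|\s)-(?:display\s+none|nographic|daemonize)(?=\s|$)", re.IGNORECASE)
HOSTFWD = re.compile(r"(?:^|\s)-netdev\s+user\S*hostfwd=", re.IGNORECASE)
DISK_IMAGE = re.compile(r"(?:-drive\s+\S*?file=|-hd[abcd]\s+)([^,\s]+)", re.IGNORECASE)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
WEIGHTS = {"headless": 2, "hostfwd": 2, "user_writable_path": 2, "script_host_parent": 1}
ALERT_THRESHOLD = 3  # a single trait (a CI box running -nographic) should not page anyone
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def analyze(event: dict):
    """Score one process-creation event; None if it is not a QEMU launch."""
    if not QEMU_BINARY.match(basename(event["image"])):
        return None
    cmd = event["cmdline"]
    indicators = []
    if HEADLESS.search(cmd):
        indicators.append("headless")            # no window or console: nobody is meant to see it
    if HOSTFWD.search(cmd):
        indicators.append("hostfwd")             # host port forwarded into the guest (SSH in)
    if event["image"].lower().startswith(USER_WRITABLE):
        indicators.append("user_writable_path")  # hypervisor dropped where any user can write
    if basename(event["parent"]) in SCRIPT_HOSTS:
        indicators.append("script_host_parent")  # launched by a script, not by a person
    score = sum(WEIGHTS[i] for i in indicators)
    return {"image": event["image"], "indicators": indicators, "score": score,
            "alert": score >= ALERT_THRESHOLD,
            "disk_images": DISK_IMAGE.findall(cmd)}  # the guest's whole filesystem lives here


def hunt(events):
    return [r for r in map(analyze, events) if r and r["alert"]]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def qemu_connections(net_events):
    """Sockets opened by a QEMU process: external ones are a tunnel's far end,
    internal ones are the guest reaching into the network."""
    return [{"image": e["image"], "dst_ip": e["dst_ip"], "dst_port": e["dst_port"],
             "scope": "internal" if is_internal(e["dst_ip"]) else "external"}
            for e in net_events if QEMU_BINARY.match(basename(e["image"]))]


if __name__ == "__main__":
    for r in hunt(SAMPLE_EVENTS):
        print(f"ALERT score={r['score']} {r['image']} {r['indicators']} disks={r['disk_images']}")
    for c in qemu_connections(NETWORK_EVENTS):
        print("QEMU socket:", c)
```

Two caveats for anyone adapting this. The socket correlation only works because QEMU user-mode networking (`-netdev user`) makes the guest's connections from the QEMU process itself; a guest bridged through a TAP interface would show up as traffic from the host adapter, not from the process, and needs network-level rather than process-level telemetry. And the disk image matters more than the process: the guest's tools, logs and harvested credentials are inside that file, not anywhere the host filesystem scanner looks, so acquiring it is the first forensic step.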
Modern attackers are no longer trying to "beat" security tools.
They are simply working around them.
Instead of dropping ransomware directly onto a monitored endpoint, they bring a legitimate, widely used hypervisor with them, boot a minimal Linux guest inside it, tunnel in over SSH, and do their credential harvesting and staging from the guest, where the host sensor cannot follow.
This is a close cousin of what security teams call living off the land: legitimate software doing illegitimate work, so that nothing on the host looks like malware.
And it works.
According to the 2025 Verizon Data Breach Investigations Report, credential abuse accounted for 22 percent of breaches, and vulnerability exploitation accounted for 20 percent. Verizon also found that exploitation of vulnerabilities increased by 34 percent year over year.
Attackers are moving faster, staying quieter, and using legitimate tools against legitimate businesses.
That is exactly why this story matters.
EDR is designed around Detect and Respond.
That model assumes two things: that the attacker's activity is visible to the sensor on the host, and that there is time to respond after it is seen but before damage is done.
But what happens when attackers execute outside your visibility?
What happens when they run ransomware infrastructure inside a hidden virtual machine?
What happens when credentials are stolen before alerts ever trigger?
Detection cannot stop what it cannot see.
And ransomware does not wait for your SOC to catch up.
The business impact goes far beyond encrypted files.
A ransomware event can trigger:
Financial damage
The 2025 IBM Cost of a Data Breach Report found the global average breach cost reached $4.44 million. U.S. organizations averaged $10.22 million.
Operational downtime
IBM also reported that nearly all breached organizations experienced operational disruption, with many taking more than 100 days to recover.
Reputation damage
Customers lose confidence when systems go offline or sensitive information is exposed.
Legal and compliance exposure
Regulated industries may face breach notification obligations, audits, fines, and litigation.
Productivity loss
Employees cannot work if endpoints, servers, or cloud resources are unavailable.
This is no longer just an IT issue.
This is a business continuity issue.
This is happening because ransomware operations have evolved.
Attackers now use exposed VPN infrastructure and unpatched internet-facing systems for entry, stolen credentials rather than exploits wherever they can, and legitimate tools such as QEMU and SSH to stay below the detection threshold.
In Verizon's 2025 report, ransomware appeared in 44 percent of breaches.
That means almost half of confirmed breaches now involve ransomware.
Detection alone is fighting yesterday's battle.
Forward-looking organizations are shifting from Detect and Respond to Isolation and Containment.
Why?
Because prevention changes the game.
Instead of waiting to identify malicious behavior after execution, Isolation and Containment focuses on keeping untrusted code from running in the first place and on limiting what any process, trusted or not, is allowed to do once it does.
This is where solutions like AppGuard fit into the conversation.
AppGuard is a proven endpoint protection solution with a 10-year track record focused on prevention through Isolation and Containment.
That is not about adding more alerts.
That is about removing attacker freedom.
If this attack tells us anything, it is this:
Assume detection will fail.
Business leaders should plan for that failure rather than hope against it.
The organizations that recover fastest are usually the ones that planned for detection failure.
Business owners who want to better understand how prevention-first security can stop attacks before damage occurs should talk with CHIPS about how AppGuard can help prevent incidents like this through Isolation and Containment.