iGuRu
Now Reading
The new RegretLocker ransomware targets Windows virtual machines
iGuRu

The new RegretLocker ransomware targets Windows virtual machines

A new ransomware called RegretLocker uses a variety of advanced features that allow it to encrypt virtual hard drives and close open files to encrypt them.

Screenshot 2020 10 22 LockBit ransomware moves quietly on the network strikes fast2 - The new ransomware RegretLocker targets Windows virtual machines

RegretLocker was discovered in October 2020 and is a simple ransomware in terms of appearance, as it does not contain a bullying message for ransom, and instead of a Tor site it uses an email for communication.

regretlocker ransom note - The new ransomware RegretLocker targets Windows virtual machines

When encrypting files, RegretLocker adds the .mouse extension with harmless sounds to encrypted filenames.

regretlocker encrypted files - The new ransomware RegretLocker targets Windows virtual machines

But what makes it particularly dangerous is the advanced features it has that we usually do not see in ransomware infections. See how it works:

When you create a Windows Hyper-V virtual machine, a virtual hard disk is created and saved to a VHD or VHDX file.

These virtual hard disk files contain a raw disk image, including the partition table, and like regular drives, can range in size from a few gigabytes to terabytes.

When an ransomware encrypts files on a computer, it is ineffective when encrypting a large file as it slows down the encryption process.

In a sample of the RegretLocker ransomware discovered by MalwareHunterTeam and analyzed by Advanced Intel Vitali Kremez, RegretLocker uses an interesting technique of placing a virtual disk file so that each of its files can be encrypted separately.

To do this, RegretLocker uses the Windows Virtual Storage API functions OpenVirtualDisk, AttachVirtualDisk and GetVirtualDiskPhysicalPath to place virtual disks. It specifically searches for VHD and places it when it is detected.

Once the virtual drive is installed as a physical disk in Windows, the ransomware can encrypt each one individually, which increases the encryption speed.

In addition to using the Virtual Storage API, RegretLocker also uses the Windows Restart Manager API to terminate Windows processes or services that keep a file open during encryption.

Windows Restart Manager is only used by some ransomware such as ta REvil (Sodinokibi), Ryuk, Conti, ThunderX / Ako, Medusa Locker, SamSam and LockerGoga.

RegretLocker is not yet very active, but it is a new family to watch.

Read them Technology News from all over the world, with the validity of iGuRu.gr

Follow us on Google News

View Comments (0)

Leave a Reply

Your email address Will not be published.

 

iGuRu.gr © 2012 - 2021 Keep it Simple Stupid Custom Theme

Scroll To Top