The new RegretLocker ransomware targets Windows virtual machines

04/11/2020 09:17 by Dimitris

A new ransomware called RegretLocker uses several advanced features that let it encrypt virtual hard drives and terminate processes that hold files open so that those files can be encrypted too.


RegretLocker was discovered in October 2020 and is simple in appearance: its ransom note contains no threats, and instead of a Tor site it uses an email address for communication.

[Image: RegretLocker ransom note]

When encrypting files, RegretLocker appends the innocuous-sounding .mouse extension to encrypted filenames.

[Image: files encrypted by RegretLocker, with the .mouse extension]

What makes it particularly dangerous, though, is a set of advanced features that we do not usually see in ransomware infections. Here is how it works:

When you create a Windows Hyper-V virtual machine, a virtual hard disk is created and saved to a VHD or VHDX file.

These virtual hard disk files contain a raw disk image, including the partition table, and like physical drives they can range in size from a few gigabytes to terabytes.

When ransomware encrypts files on a computer, very large files are a problem: encrypting a single huge file takes a long time and slows down the whole encryption process.

In a sample of RegretLocker discovered by MalwareHunterTeam and analyzed by Advanced Intel's Vitali Kremez, the ransomware uses an interesting technique: it mounts the virtual disk file so that each file inside it can be encrypted separately.

To do this, RegretLocker uses the Windows Virtual Storage API functions OpenVirtualDisk, AttachVirtualDisk and GetVirtualDiskPhysicalPath to mount virtual disks. It specifically searches for VHD files and mounts any it finds.

Once the virtual disk is mounted as a physical disk in Windows, the ransomware can encrypt each file on it individually, which speeds up encryption.
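The VHD layout described above (a raw image with a 512-byte footer at the end of the file, beginning with the cookie "conectix"; VHDX files instead start with the signature "vhdxfile") gives a defender a cheap integrity check during triage. The following Python script is an added example written for this article, not code from the report it summarises or from the researchers named: it walks a directory, validates each VHD footer (cookie plus the one's-complement checksum the format specifies) and each VHDX signature, and lists anything carrying the .mouse extension. The sample directory it builds is constructed; the footer offsets follow the published VHD footer layout. One caveat: RegretLocker mounts a VHD and encrypts the files inside it, so an intact container does not mean its contents are untouched; that check needs the disk mounted read-only and its file system walked.

```python
"""Virtual disk triage helper (added example, not code from the article's source):
validate VHD footers and VHDX signatures under a directory and list files that
carry the '.mouse' extension RegretLocker appends."""
import tempfile
from pathlib import Path

VHD_COOKIE = b"conectix"      # first 8 bytes of the 512-byte VHD footer
VHDX_SIGNATURE = b"vhdxfile"  # first 8 bytes of a VHDX file
RANSOM_EXT = ".mouse"
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}


def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum of the footer, skipping the checksum field (bytes 64..67)."""
    total = sum(footer[:64]) + sum(footer[68:])
    return (~total) & 0xFFFFFFFF


def parse_vhd_footer(path: Path):
    """Return selected footer fields for a valid VHD, or None if the footer is missing or corrupt."""
    size = path.stat().st_size
    if size < 512:
        return None
    with path.open("rb") as fh:
        fh.seek(size - 512)
        footer = fh.read(512)
    if footer[:8] != VHD_COOKIE:
        return None
    stored = int.from_bytes(footer[64:68], "big")
    if stored != vhd_checksum(footer):
        return None          # cookie present but the footer no longer adds up
    return {
        "disk_type": DISK_TYPES.get(int.from_bytes(footer[60:64], "big"), "unknown"),
        "current_size": int.from_bytes(footer[48:56], "big"),
    }


def vhdx_intact(path: Path) -> bool:
    with path.open("rb") as fh:
        return fh.read(8) == VHDX_SIGNATURE


def classify(path: Path) -> str:
    name = path.name.lower()
    if name.endswith(RANSOM_EXT):
        return "ransom-extension"
    if name.endswith(".vhd"):
        return "vhd-ok" if parse_vhd_footer(path) else "vhd-damaged"
    if name.endswith(".vhdx"):
        return "vhdx-ok" if vhdx_intact(path) else "vhdx-damaged"
    return "other"


def triage(root: Path) -> dict:
    """Map each category to the sorted file names found under root."""
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            findings.setdefault(classify(p), []).append(p.name)
    return findings


# --- constructed sample data so the script runs offline ---------------------

def make_vhd_footer(current_size: int, disk_type: int = 2) -> bytes:
    """Build a minimal fixed-disk VHD footer with a correct checksum (big-endian fields)."""
    f = bytearray(512)
    f[0:8] = VHD_COOKIE
    f[12:16] = (0x00010000).to_bytes(4, "big")      # file format version 1.0
    f[16:24] = b"\xff" * 8                           # fixed disk: no dynamic header
    f[40:48] = current_size.to_bytes(8, "big")       # original size
    f[48:56] = current_size.to_bytes(8, "big")       # current size
    f[60:64] = disk_type.to_bytes(4, "big")
    f[64:68] = vhd_checksum(bytes(f)).to_bytes(4, "big")
    return bytes(f)


def build_sample_dir() -> Path:
    """Constructed directory: two VHDs, two VHDXs, one renamed victim file, one unrelated file."""
    root = Path(tempfile.mkdtemp(prefix="vhd_triage_"))
    data = b"\x00" * 4096
    (root / "good.vhd").write_bytes(data + make_vhd_footer(len(data)))
    (root / "bad.vhd").write_bytes(data + b"\xaa" * 512)        # footer overwritten
    (root / "tiny.vhd").write_bytes(b"\x00" * 100)              # too small to hold a footer
    (root / "good.vhdx").write_bytes(VHDX_SIGNATURE + b"\x00" * 1016)
    (root / "damaged.vhdx").write_bytes(b"\xff" * 1024)
    (root / "disk.vhdx.mouse").write_bytes(b"\xff" * 1024)      # renamed by the ransomware
    (root / "notes.txt").write_bytes(b"hello")
    return root


if __name__ == "__main__":
    for kind, names in triage(build_sample_dir()).items():
        print(f"{kind:18} {', '.join(names)}")
```

Run it against a real directory by replacing the call to build_sample_dir() with the path you are examining; a "vhd-damaged" result on a file that was a working disk yesterday is worth a closer look, while "vhd-ok" only tells you the container survived.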

In addition to the Virtual Storage API, RegretLocker also uses the Windows Restart Manager API to terminate Windows processes or services that keep a file open during encryption.

The Windows Restart Manager is used by only a few ransomware families, such as REvil (Sodinokibi), Ryuk, Conti, ThunderX / Ako, Medusa Locker, SamSam and LockerGoga.
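Because Restart Manager is meant for installers and updaters, which open a handful of sessions, a process that opens a new session for file after file in a short window stands out. The Python detection below is an added example, not code from the article's source: it reads session-start records, keeps a sliding window per process and flags any process that exceeds a threshold. The log lines are constructed in a simplified format; on a real host the equivalent records come from the Microsoft-Windows-RestartManager provider in the Application event log, and the field names and event mapping would need adapting to your collector's output.

```python
"""Restart Manager session-burst heuristic (added example, not from the article's source).
Input: one record per line, in a constructed format:
    <ISO timestamp> pid=<n> image=<name> event=rm_session_start|rm_session_end
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) event=(?P<event>\S+)$"
)

# Constructed sample: an installer and an updater behave normally, while
# pid 5544 opens six sessions in fifteen seconds.
SAMPLE_LOG = """\
2020-11-04T09:17:00 pid=2210 image=msiexec.exe event=rm_session_start
2020-11-04T09:17:04 pid=2210 image=msiexec.exe event=rm_session_end
2020-11-04T09:17:40 pid=2210 image=msiexec.exe event=rm_session_start
2020-11-04T09:17:44 pid=2210 image=msiexec.exe event=rm_session_end
2020-11-04T09:18:00 pid=4120 image=update.exe event=rm_session_start
2020-11-04T09:18:02 pid=4120 image=update.exe event=rm_session_end
2020-11-04T09:20:00 pid=4120 image=update.exe event=rm_session_start
2020-11-04T09:20:02 pid=4120 image=update.exe event=rm_session_end
2020-11-04T09:25:00 pid=5544 image=unknown.exe event=rm_session_start
2020-11-04T09:25:01 pid=5544 image=unknown.exe event=rm_session_end
2020-11-04T09:25:03 pid=5544 image=unknown.exe event=rm_session_start
2020-11-04T09:25:04 pid=5544 image=unknown.exe event=rm_session_end
2020-11-04T09:25:06 pid=5544 image=unknown.exe event=rm_session_start
2020-11-04T09:25:09 pid=5544 image=unknown.exe event=rm_session_start
2020-11-04T09:25:12 pid=5544 image=unknown.exe event=rm_session_start
2020-11-04T09:25:15 pid=5544 image=unknown.exe event=rm_session_start
this line is malformed and is skipped
"""


def parse(lines):
    """Yield (timestamp, pid, image, event) tuples, ignoring lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), int(m["pid"]), m["image"], m["event"]


def find_session_bursts(lines, threshold=5, window_seconds=60):
    """Return {(pid, image): peak_count} for processes that started at least
    `threshold` Restart Manager sessions inside any `window_seconds` interval."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)     # (pid, image) -> timestamps of recent session starts
    flagged = {}
    for ts, pid, image, event in sorted(parse(lines)):   # sort so the window moves forward in time
        if event != "rm_session_start":
            continue
        key = (pid, image)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()                 # drop starts that fell out of the window
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


if __name__ == "__main__":
    for (pid, image), count in find_session_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"suspicious: pid={pid} image={image} sessions_in_window={count}")
```

The threshold and window are tunable; a lower threshold catches more but will also flag a busy installer, as the test below shows with threshold=2, so baseline your own environment before alerting on it.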

RegretLocker is not yet very active, but it is a new family to watch.
