The new RegretLocker ransomware targets Windows virtual machines

A new ransomware called RegretLocker uses a variety of advanced features that allow it to encrypt virtual hard drives and to close files that are open so that it can encrypt them.

RegretLocker was discovered in October 2020 and is a simple ransomware in terms of appearance: it does not contain an intimidating ransom note, and instead of a Tor site it uses an email address for communication.

When encrypting files, RegretLocker appends the innocuous-sounding extension . to the encrypted file names.

But what makes it particularly dangerous are the advanced features it has, which we do not usually see in ransomware infections. Here is how it works:

When you create a Windows Hyper-V virtual machine, a virtual hard disk is created and saved to a VHD or VHDX file.

These virtual hard disk files contain a raw disk image, including the partition table, and like regular drives, can range in size from a few gigabytes to terabytes.

When ransomware encrypts files, encrypting a single large file is inefficient, as it slows down the whole encryption process.

In a sample of RegretLocker ransomware discovered by MalwareHunterTeam and analyzed by Vitali Kremez of Intel, RegretLocker uses an interesting technique of mounting a virtual disk file so that each of the files inside it can be encrypted individually.

To do this, RegretLocker uses the Windows Virtual Storage API functions OpenVirtualDisk, AttachVirtualDisk and GetVirtualDiskPhysicalPath to mount virtual disks. It specifically searches for VHD files and mounts them when they are detected.

Once the virtual drive is mounted as a physical disk in Windows, the ransomware can encrypt each file on it individually, which increases the encryption speed.
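From the defender's side, the state the ransomware relies on is a VHD/VHDX file surfaced as a physical disk on the host. The PowerShell script below is an added example, not code from the article or its sources: it lists which backing files are currently attached, and can detach any that are not on an allow-list. Cmdlet names are from the Windows Storage module; the allow-list path is a constructed placeholder.

```powershell
# Added example (not from the article): enumerate VHD/VHDX files currently
# attached as physical disks and, optionally, detach any whose backing file
# is not on an allow-list. Assumes the Storage module (Get-Disk, Get-Partition,
# Get-Volume, Dismount-DiskImage) shipped with Windows 8 / Server 2012 and later.
function Get-AttachedVhd {
    # Disks backed by a VHD/VHDX file report BusType 'File Backed Virtual'.
    Get-Disk | Where-Object { $_.BusType -eq 'File Backed Virtual' } | ForEach-Object {
        $vols = Get-Partition -DiskNumber $_.Number -ErrorAction SilentlyContinue |
                Get-Volume -ErrorAction SilentlyContinue |
                Where-Object DriveLetter | ForEach-Object { "$($_.DriveLetter):" }
        [pscustomobject]@{
            DiskNumber  = $_.Number
            BackingFile = $_.Location      # path of the .vhd/.vhdx file
            SizeGB      = [math]::Round($_.Size / 1GB, 1)
            Volumes     = ($vols -join ',')
        }
    }
}

function Invoke-VhdAttachCheck {
    param(
        [string[]]$AllowedPaths = @(),   # backing files expected to be mounted
        [switch]$Detach                  # detach anything not on the allow-list
    )
    foreach ($vhd in Get-AttachedVhd) {
        if ($AllowedPaths -contains $vhd.BackingFile) {
            Write-Output "OK         disk $($vhd.DiskNumber) <- $($vhd.BackingFile) [$($vhd.Volumes)]"
            continue
        }
        Write-Warning "UNEXPECTED attached VHD: disk $($vhd.DiskNumber) <- $($vhd.BackingFile) [$($vhd.Volumes)]"
        if ($Detach) {
            # Detaching removes the surfaced disk and its drive letters, so the
            # contents are no longer reachable as ordinary files; the VHD itself
            # is left untouched on disk.
            Dismount-DiskImage -ImagePath $vhd.BackingFile
            Write-Output "Detached $($vhd.BackingFile)"
        }
    }
}

# Usage (constructed placeholder path): report only, then detach anything unexpected.
Invoke-VhdAttachCheck -AllowedPaths 'D:\Hyper-V\lab-vm.vhdx'
# Invoke-VhdAttachCheck -AllowedPaths 'D:\Hyper-V\lab-vm.vhdx' -Detach
```

Run it as an administrator; running it on a schedule and alerting on the UNEXPECTED line gives a cheap signal for host-side VHD mounts that no backup or Hyper-V maintenance task accounts for.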

In addition to using the Virtual Storage API, RegretLocker also uses the Windows Restart Manager API to terminate Windows processes or services that keep a file open during encryption.

The Windows Restart Manager feature is used by only a few ransomware families, such as REvil (Sodinokibi), Ryuk, Conti, /Ako, Locker, SamSam and LockerGoga.

RegretLocker is not yet very active, but it is a new family to watch.


Written by Dimitris
