RegretLocker Ransomware Description
The RegretLocker Ransomware is a new crypto-locker threat detected by infosec researchers. It has not been classified as belonging to any previously established ransomware family. At first glance, RegretLocker lacks some of the polish of other modern ransomware threats, such as an elaborate ransom note or a custom-made website hosted on the TOR network for communication purposes. Digging a bit deeper, however, reveals that the RegretLocker Ransomware is extremely threatening because it is equipped with several advanced and incredibly potent damaging features.
When RegretLocker infiltrates a targeted computer, it initiates its encryption process. Nearly all of the victim's files are locked and are no longer accessible or usable in any shape or form. This can have devastating consequences if the encrypted files had strong personal value or belonged to work-related projects. The threat appends the innocuous '.mouse' as a new extension at the end of the original names of the affected files. The ransom note with instructions from the hackers is dropped as a text file named 'HOW TO RESTORE FILES.TXT.' The note itself is extremely short, simply telling the victims to contact the email address 'email@example.com' if they want to decrypt their data.
The RegretLocker Ransomware Encrypts Virtual Hard Disks
So far, nothing out of the ordinary, but here is what makes RegretLocker far scarier than typical ransomware: it can target Windows virtual machines, and it terminates processes to gain access to open files that could not be encrypted otherwise.
For a Windows Hyper-V virtual machine to function, it needs a virtual hard disk, which is stored as a VHD or VHDX file. Depending on the raw disk image data these files contain, their size can range from several gigabytes to well over a terabyte. Ransomware threats usually avoid targeting such large files, as encrypting them would slow down the encryption process tremendously. The RegretLocker Ransomware is equipped with a workaround, though. This particular malware threat uses three Windows Virtual Storage API functions - OpenVirtualDisk, AttachVirtualDisk, and GetVirtualDiskPhysicalPath - to mount the virtual disk files. Once mounted, a virtual disk is treated by Windows as a physical disk, and RegretLocker can proceed to encrypt the files it contains individually instead of the whole multi-gigabyte image, thus avoiding the increase in encryption time.
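As an added example (not code from the original article or from the malware), the following Python script runs simple detection logic over a constructed list of file-activity events, looking for the indicators described above: a burst of files renamed to '.mouse', the 'HOW TO RESTORE FILES.TXT' note being dropped, and a VHD/VHDX file being opened by a process outside an assumed allow-list of Hyper-V management processes. The event format, the allow-list, the process name `update.exe` and the burst threshold are assumptions for illustration.

```python
# Added example: triage constructed file-activity events for RegretLocker indicators.
# The event format, allow-list and threshold are assumptions, not from the article.
from collections import defaultdict

RANSOM_NOTE = "HOW TO RESTORE FILES.TXT"
ENCRYPTED_EXT = ".mouse"
VDISK_EXTS = (".vhd", ".vhdx")
# Assumption: processes that legitimately attach virtual disks on a Hyper-V host.
VDISK_ALLOWLIST = {"vmms.exe", "vmwp.exe", "vmcompute.exe", "explorer.exe"}
RENAME_THRESHOLD = 5  # assumption: tunable burst size per process


def analyze(events):
    """events: dicts with keys 'pid', 'image', 'op' ('rename'|'create'|'open') and 'path'.
    Returns a list of (pid, image, reason) findings in detection order."""
    renames = defaultdict(int)
    findings = []
    for e in events:
        pid, image, op, path = e["pid"], e["image"].lower(), e["op"], e["path"]
        name = path.rsplit("\\", 1)[-1]
        if op == "rename" and path.lower().endswith(ENCRYPTED_EXT):
            renames[(pid, image)] += 1  # count per process, report once at the end
        elif op == "create" and name.upper() == RANSOM_NOTE:
            findings.append((pid, image, "dropped RegretLocker ransom note"))
        elif op == "open" and path.lower().endswith(VDISK_EXTS) and image not in VDISK_ALLOWLIST:
            findings.append((pid, image, f"unexpected process opened virtual disk {name}"))
    for (pid, image), n in renames.items():
        if n >= RENAME_THRESHOLD:
            findings.append((pid, image, f"{n} files renamed to {ENCRYPTED_EXT}"))
    return findings


# Constructed sample events (not real telemetry): one benign Hyper-V open, then a
# hypothetical process that opens a VHDX, drops the note and renames six files.
SAMPLE_EVENTS = [
    {"pid": 1200, "image": "vmms.exe", "op": "open", "path": r"C:\VMs\web01.vhdx"},
    {"pid": 4412, "image": "update.exe", "op": "open", "path": r"C:\VMs\db01.vhdx"},
    {"pid": 4412, "image": "update.exe", "op": "create", "path": r"C:\Users\a\HOW TO RESTORE FILES.TXT"},
] + [
    {"pid": 4412, "image": "update.exe", "op": "rename", "path": rf"C:\Users\a\doc{i}.docx.mouse"}
    for i in range(6)
]

if __name__ == "__main__":
    for pid, image, reason in analyze(SAMPLE_EVENTS):
        print(f"pid {pid} ({image}): {reason}")
```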
Another advanced and far from common technique in RegretLocker's arsenal is the ability to terminate Windows services and processes. The goal is to release any open files held by these processes so that they can be encrypted. To avoid causing a critical system error or crash, RegretLocker has an internal list of five processes that will not be terminated - 'vnc,' 'ssh,' 'mstsc,' 'System,' and 'svchost.exe.'