RegretLocker Ransomware
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Threat Level: | 100 % (High) |
| Infected Computers: | 1 |
| First Seen: | January 19, 2011 |
| Last Seen: | November 11, 2020 |
| OS(es) Affected: | Windows |
The RegretLocker Ransomware is a new crypto locker threat detected by infosec researchers. The threat is unique and has not been classified as belonging to any of the previously established ransomware families. At first glance, RegretLocker lacks some of the fancy presentations that other modern ransomware threats have, such as an elaborate ransom note or a custom-made website hosted on the TOR network for communication purposes. However, digging a bit deeper reveals that RegretLocker Ransowmare is threatening extremely because it is equipped with several advanced and incredibly potent damaging features.
This Week In Malware Episode 31 Part 3: RegretLocker Ransomware Uses Techniques To Encrypt Windows Virtual Machines
When RegretLocker infiltrates a targeted computer, it will proceed to initiate its encryption process. Nearly all of the victim's files will be locked effectively and no longer accessible or usable in any shape or form. This could have devastating consequences if the encrypted files had a strong personal value or were for work-related projects. The malware threat will append the innocuous '.mouse' as a new extension at the end of the original names of the affected files. As for the ransom note with instructions from the hackers, it is dropped as a text file named 'HOW TO RESTORE FILES.TXT.' The note itself is extremely short, simply telling the victims to contact the email address 'petro@ctemplar.com' if they want to decrypt their data.
The RegretLocker Ransomware Encrypts Virtual Hard Disks
So far, nothing out of the ordinary but here is what makes RegretLocker far scarier than normal ransomware - it can target Windows Virtual machines while also terminating processes to gain access to open files that will not be encrypted otherwise.
For a Windows Hyper-V virtual machine to function, it needs a virtual hard disk that is stored in either VHD or VHDX files. Depending on the raw disk image data contained in these files, their size could vary from several gigabytes way up to over a terabyte. Ransomware threats usually avoid targeting such large files as this would slow down the encryption process tremendously. The RegretLocker Ransomware is equipped with a workaround, though. This particular malware threat exploits three Windows Virtual Storage API functions - OpenVirtualDisk, AttachVirtualDisk, and GetVirtualDiskPhysicalPath to mount the virtual disk files. Once mounted, the files are considered as a physical disk in Windows, and RegretLocker can proceed to encrypt each file separately, thus avoiding the increase in encryption time.
Another advanced and far from common techniques that RegretLocker possesses as part of its arsenal is the ability to terminate Windows services and processes. The goal is to release any open files that are associated with these processes so that they can be encrypted. To avoid causing a critical system error or crash, RegretLocker has an internal list of five processes that will not be terminated - 'vnc,' 'ssh,' 'mstsc,' 'System,' and 'svchost.exe.'
