
New RegretLocker ransomware has virtual machines in its crosshairs


A new and relatively sophisticated ransomware has been spotted in the wild, according to a Bleeping Computer report.

Called RegretLocker, the malware sports a few advanced features that allow it to encrypt virtual hard drives and to close open files so that they, too, can be encrypted.

The ransomware was reportedly first spotted last month, and while it looks unremarkable on the surface, its internals are quite the work of art.

It does not have a particularly remarkable ransom note, and it uses email to communicate and transact with victims rather than a Tor-based payment site.

But the way it operates impressed security experts nonetheless. Virtual hard disk files are usually hard to encrypt because of their size: encrypting such a file as a whole simply takes too long.

However, analysts from MalwareHunterTeam and Advanced Intel uncovered an interesting technique: the ransomware first mounts the virtual disk, and then encrypts the files inside it one by one.

RegretLocker uses the Windows Virtual Storage API OpenVirtualDisk, AttachVirtualDisk and GetVirtualDiskPhysicalPath functions to mount virtual disks for encryption, significantly speeding up the process. Experts believe the code RegretLocker uses to mount virtual hard drives was taken from a recent report published by security researcher smelly__vx.

In order to close open files (by shutting down the processes holding them) and make sure everything gets encrypted, RegretLocker uses the Windows Restart Manager API. Only Sodinokibi, Ryuk, Conti, ThunderX, Medusa Locker, SamSam and LockerGoga are known to use the same API.
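As an added detection-side example (written for this page, not taken from the article or from any analysis of the sample), the following Python correlates constructed Sysmon-style image-load events to flag a process that loads both virtdisk.dll (the module exporting the OpenVirtualDisk, AttachVirtualDisk and GetVirtualDiskPhysicalPath calls described above) and rstrtmgr.dll (the Restart Manager API). The log shape, process names and allowlist are assumptions to be tuned per environment; either DLL on its own is common in legitimate software, which is why the check keys on the pair.

```python
import json
from collections import defaultdict

# Modules that host the two API families named in the article (Windows facts, not assumptions).
VIRTUAL_STORAGE_DLL = "virtdisk.dll"  # OpenVirtualDisk, AttachVirtualDisk, GetVirtualDiskPhysicalPath
RESTART_MANAGER_DLL = "rstrtmgr.dll"  # Restart Manager: RmStartSession, RmRegisterResources, RmShutdown

# Images that legitimately use one or both APIs. Illustrative assumption; tune per environment.
ALLOWLIST = {
    "c:\\windows\\system32\\mmc.exe",      # Disk Management snap-in can attach VHDs
    "c:\\windows\\system32\\vmms.exe",     # Hyper-V management service
    "c:\\windows\\system32\\msiexec.exe",  # installers use Restart Manager to close files
}

# Constructed Sysmon-style "Image loaded" (Event ID 7) records as JSON lines; not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 7, "ProcessId": 4120, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "ImageLoaded": "C:\\Windows\\System32\\virtdisk.dll"}
{"EventID": 7, "ProcessId": 4120, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "ImageLoaded": "C:\\Windows\\System32\\rstrtmgr.dll"}
{"EventID": 7, "ProcessId": 812, "Image": "C:\\Windows\\System32\\mmc.exe", "ImageLoaded": "C:\\Windows\\System32\\virtdisk.dll"}
{"EventID": 7, "ProcessId": 812, "Image": "C:\\Windows\\System32\\mmc.exe", "ImageLoaded": "C:\\Windows\\System32\\rstrtmgr.dll"}
{"EventID": 7, "ProcessId": 2200, "Image": "C:\\Program Files\\Vendor\\setup.exe", "ImageLoaded": "C:\\Windows\\System32\\rstrtmgr.dll"}
{"EventID": 1, "ProcessId": 3001, "Image": "C:\\Windows\\System32\\notepad.exe"}
"""


def correlate_image_loads(jsonl: str) -> list:
    """Return sorted (pid, image) pairs for processes that load BOTH virtdisk.dll and
    rstrtmgr.dll and are not allowlisted. Each DLL alone is common; the pair inside one
    non-allowlisted process is the RegretLocker-style pattern worth a closer look."""
    loaded_by_pid = defaultdict(set)
    image_by_pid = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 7:  # only image-load events carry ImageLoaded
            continue
        pid = ev["ProcessId"]
        module = ev["ImageLoaded"].rsplit("\\", 1)[-1].lower()  # basename of the loaded DLL
        loaded_by_pid[pid].add(module)
        image_by_pid[pid] = ev["Image"]
    wanted = {VIRTUAL_STORAGE_DLL, RESTART_MANAGER_DLL}
    return sorted(
        (pid, image_by_pid[pid])
        for pid, modules in loaded_by_pid.items()
        if wanted <= modules and image_by_pid[pid].lower() not in ALLOWLIST
    )


if __name__ == "__main__":
    for pid, image in correlate_image_loads(SAMPLE_EVENTS):
        print(f"review pid={pid} image={image}")
```

Only the unsigned-looking process in the user's Temp directory is reported: mmc.exe loads both DLLs but is allowlisted, and setup.exe loads only the Restart Manager module.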