A new ransomware called RegretLocker was discovered in late 2020. RegretLocker employs various advanced features that allow it to encrypt virtual hard drives and close open files for encryption. RegretLocker, in many ways, is a simple ransomware, as it does not contain a long-winded ransom note and uses email for communication rather than sending victims to a Tor payment site.
When encrypting files, it appends the .mouse extension to encrypted file names. RegretLocker's advanced features include the ability to mount virtual hard disks. When creating a Windows Hyper-V virtual machine, a virtual hard disk is created and stored in a VHD or VHDX file. The virtual hard disk files contain a raw disk image, including the drive's partition table and partitions. When ransomware encrypts files on a computer, encrypting a single very large file is usually inefficient, as it slows down the entire encryption process.
Researchers Analyze RegretLocker
In the samples of the ransomware discovered by MalwareHunterTeam and analyzed by Advanced Intel’s Vitali Kremez, RegretLocker mounts a virtual disk file so each of its files can be encrypted individually. To achieve this, RegretLocker employs the Windows Virtual Storage API OpenVirtualDisk, AttachVirtualDisk, and GetVirtualDiskPhysicalPath functions.
Once the virtual drive is mounted as a physical disk in Windows, RegretLocker can encrypt each file on it individually, increasing encryption speed. The code utilized by RegretLocker to mount a VHD is believed to be based on recently published research by security researcher smelly__vx. In addition to using the Virtual Storage API, RegretLocker also uses the Windows Restart Manager API to terminate processes or Windows services that keep files open during encryption.
While using this API, if the name of a process contains 'vnc', 'ssh', 'mstsc', 'System', or 'svchost.exe', the ransomware will not terminate it. This exception list is thought to be used to prevent the termination of critical programs or those used by hackers to access the compromised system. The Windows Restart Manager feature is only used by a small number of ransomware strains, which include REvil (Sodinokibi), Ryuk, Conti, ThunderX/Ako, Medusa Locker, SamSam, and LockerGoga.
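The two behaviours described above (mounting virtual disks through the Virtual Storage API and killing file-holding processes through the Restart Manager API) are both visible to endpoint telemetry as DLL loads, and the .mouse extension is visible as file activity. The following detection helper is an added example, not code from the article or from the researchers it cites. It scores per-process indicators over constructed, Sysmon-style event records (Event ID 7 image loaded, Event ID 11 file created). The DLL names are the real Windows modules behind the documented APIs (virtdisk.dll exports OpenVirtualDisk, AttachVirtualDisk and GetVirtualDiskPhysicalPath; rstrtmgr.dll hosts the Restart Manager API); the event field names, the sample processes and the scoring thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Windows modules backing the two APIs the article attributes to RegretLocker.
VIRTUAL_STORAGE_DLL = "virtdisk.dll"   # OpenVirtualDisk / AttachVirtualDisk / GetVirtualDiskPhysicalPath
RESTART_MANAGER_DLL = "rstrtmgr.dll"   # Restart Manager (RmStartSession, RmShutdown, ...)
# Extension the article reports RegretLocker appending to encrypted files.
RANSOM_EXTENSION = ".mouse"

# Constructed sample events in the shape of Sysmon Event ID 7 (image loaded)
# and Event ID 11 (file created). Field names are assumed; this is not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 7,  "pid": 4412, "process": "C:\\Users\\a\\updater.exe", "image_loaded": "C:\\Windows\\System32\\virtdisk.dll"},
    {"event_id": 7,  "pid": 4412, "process": "C:\\Users\\a\\updater.exe", "image_loaded": "C:\\Windows\\System32\\rstrtmgr.dll"},
    {"event_id": 11, "pid": 4412, "process": "C:\\Users\\a\\updater.exe", "target": "C:\\data\\q3.xlsx.mouse"},
    # Both APIs loaded by one process but no renamed files seen yet: worth a look.
    {"event_id": 7,  "pid": 5000, "process": "C:\\Temp\\tool.exe", "image_loaded": "C:\\Windows\\System32\\virtdisk.dll"},
    {"event_id": 7,  "pid": 5000, "process": "C:\\Temp\\tool.exe", "image_loaded": "C:\\Windows\\System32\\rstrtmgr.dll"},
    # Benign: the Hyper-V management service legitimately uses the Virtual Storage API.
    {"event_id": 7,  "pid": 1200, "process": "C:\\Windows\\System32\\vmms.exe", "image_loaded": "C:\\Windows\\System32\\virtdisk.dll"},
    # Benign: an installer using Restart Manager on its own is normal.
    {"event_id": 7,  "pid": 3300, "process": "C:\\Temp\\setup.exe", "image_loaded": "C:\\Windows\\System32\\rstrtmgr.dll"},
]


def _basename(path):
    """Return the lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def assess(events):
    """Aggregate indicators per process id.

    Returns {pid: {"process": str, "indicators": set, "ransom_files": list}}.
    """
    per_pid = defaultdict(lambda: {"process": None, "indicators": set(), "ransom_files": []})
    for ev in events:
        rec = per_pid[ev["pid"]]
        rec["process"] = ev["process"]
        if ev["event_id"] == 7:
            name = _basename(ev["image_loaded"])
            if name == VIRTUAL_STORAGE_DLL:
                rec["indicators"].add("virtual_storage_api")
            elif name == RESTART_MANAGER_DLL:
                rec["indicators"].add("restart_manager_api")
        elif ev["event_id"] == 11:
            if ev["target"].lower().endswith(RANSOM_EXTENSION):
                rec["indicators"].add("ransom_extension")
                rec["ransom_files"].append(ev["target"])
    return dict(per_pid)


def verdict(record):
    """Map a process record to a triage level.

    Either API alone is common in legitimate software, so only the
    combination is flagged; a created .mouse file is treated as high on its own.
    """
    ind = record["indicators"]
    if "ransom_extension" in ind:
        return "high"
    if {"virtual_storage_api", "restart_manager_api"} <= ind:
        return "suspicious"
    return "benign"


def triage(events):
    """Convenience wrapper: {pid: (process, verdict)} for every process seen."""
    return {pid: (rec["process"], verdict(rec)) for pid, rec in assess(events).items()}


if __name__ == "__main__":
    for pid, (proc, level) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{pid:>6}  {level:<10}  {proc}")
```

The scoring deliberately treats each API on its own as benign: Hyper-V tooling loads virtdisk.dll constantly and almost every installer uses Restart Manager, so alerting on either alone would be noisy. Pairing the two in a process that is not a known virtualization or setup binary, and escalating as soon as the reported extension appears, follows the behaviours the article describes rather than any single file hash.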
Although RegretLocker has not been very active at this point, it is a new strain to keep an eye on.