Newly discovered ‘RegretLocker’ ransomware targets Windows virtual machines

A brand new refined type of ransomware has been detected within the wild that makes use of superior methods to encrypt virtual machines.

First detailed right this moment by Bleeping Computer, “RegretLocker” was discovered in October. Specifically concentrating on Windows virtual machines, the ransomware makes use of an attention-grabbing strategy of mounting a virtual disk file so every of its recordsdata might be encrypted individually.

RegretLocker makes use of the Windows Virtual Storage API OpenVirtualDisk, ConnectVirtualDisk and GetVirtualDiskPhysicalPath features to mount virtual disks for encryption, dashing up the method. The ransomware additionally faucets into Windows Restart Manager API to terminate processes or Windows companies that preserve recordsdata open throughout encryption.

Although the technical facet is spectacular in its complexity and its capacity to focus on recordsdata, the remainder of RegretLocker is pretty customary. Victims obtain a ransom word that tells them to contact an electronic mail deal with in the event that they wish to restore their encrypted recordsdata. The electronic mail deal with is hosted on CTemplar, an nameless electronic mail internet hosting service based mostly in Iceland.

Although RegretLocker has been detected within the wild, it isn’t but widespread.

“The newly discovered RegretLocker ransomware is one other instance of how refined malware authors have turn into, and the way they’re persevering with to develop their assaults as Cybersecurity practitioners proceed to enhance our defenses,” Saryu Nayyar, chief government officer of unified safety and danger analytics firm Gurucul Solutions Pvt Ltd. A.G., instructed SiliconANGLE. “This ransomware’s new capabilities make it extra of a problem, particularly if it turns into widespread. However, behavioral analytics instruments ought to have the ability to establish it shortly and mitigate the risk as they will with different ransomware strains.”

Chloé Messdaghi, vice chairman of cybersecurity intelligence firm Point3 Security Inc., famous that the ransomware has “damaged via the speed-of-execution barrier” for encrypting virtual recordsdata. “RegretLocker encrypts the virtual exhausting drives after which closes recordsdata and drives,” she defined. “It truly seizes the virtual disk and is far quicker in execution than earlier ransomware attacking virtual recordsdata.”

Mounir Hahad, head of Juniper Threat Labs, the risk intelligence arm of Juniper Networks Inc., identified that the choice of whoever’s behind the ransomware to speak with victims solely via electronic mail looks as if a poor selection. “It is true that choosing an Iceland-based electronic mail supplier offers them some privateness, however it doesn’t shield in opposition to prison exercise,” Hahad mentioned. “Once CTemplar takes motion and closes their electronic mail account, their victims can be left hanging to dry with no contact with the attackers.”

Photo: Pxfuel