Security News > 2020 > November > New RegretLocker ransomware targets Windows virtual machines
A new ransomware called RegretLocker uses a variety of advanced features that allows it to encrypt virtual hard drives and close open files for encryption.
When creating a Windows Hyper-V virtual machine, a virtual hard disk is created and stored in a VHD or VHDX file.
In a sample of the ransomware discovered by MalwareHunterTeam and analyzed by Advanced Intel's Vitali Kremez, RegretLocker uses an interesting technique of mounting a virtual disk file so each of its files can be encrypted individually.
To do this, RegretLocker uses the Windows Virtual Storage API OpenVirtualDisk, AttachVirtualDisk, and GetVirtualDiskPhysicalPath functions to mount virtual disks.
In addition to using the Virtual Storage API, RegretLocker also utilizes the Windows Restart Manager API to terminate processes or Windows services that keep a file open during encryption.