Security News > 2020 > November > New RegretLocker ransomware targets Windows virtual machines
A new ransomware called RegretLocker uses a variety of advanced features that allows it to encrypt virtual hard drives and close open files for encryption.
When creating a Windows Hyper-V virtual machine, a virtual hard disk is created and stored in a VHD or VHDX file.
In a sample of the ransomware discovered by MalwareHunterTeam and analyzed by Advanced Intel's Vitali Kremez, RegretLocker uses an interesting technique of mounting a virtual disk file so each of its files can be encrypted individually.
To do this, RegretLocker uses the Windows Virtual Storage API OpenVirtualDisk, AttachVirtualDisk, and GetVirtualDiskPhysicalPath functions to mount virtual disks.
In addition to using the Virtual Storage API, RegretLocker also utilizes the Windows Restart Manager API to terminate processes or Windows services that keep a file open during encryption.
News URL
Related news
- New VanHelsing ransomware targets Windows, ARM, ESXi systems (source)
- VanHelsing ransomware emerges to put a stake through your Windows heart (source)
- Microsoft: Windows CLFS zero-day exploited by ransomware gang (source)
- Bad luck, Windows 10 users. No fix yet for ransomware-exploited bug (source)
- PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware (source)
- Microsoft: Windows CLFS Vulnerability Could Lead to ‘Widespread Deployment and Detonation of Ransomware’ (source)