Windows virtual hard drives are not safe from this ransomware either
According to an article published by Malwarebytes Labs, security researchers last month discovered a new ransomware called RegretLocker that can seriously damage virtual hard drives on Windows machines.
RegretLocker avoids the long encryption times that a machine's virtual hard disks normally require, and it also closes files that a user currently has open so that it can encrypt those as well.
Chloé Messdaghi, vice president of strategy at Point3 Security, said:
RegretLocker has broken the execution speed barrier for encrypting virtual files. The malware actually takes possession of the virtual disk and is much faster than previous ransomware that attacked virtual files.
For all its sophistication, RegretLocker does nothing dramatic once encryption is finished: it simply leaves a note telling the victim to contact the attacker at an email address hosted on CTemplar, which, according to Silicon Angle, is an anonymous email service based in Iceland.
The short note that victims receive, titled "HOW TO RESTORE FILES.TXT", contains the following text:
Hello friend.
All your files have been encrypted.
If you would like to restore them, please email us: petro@ctemplar.com.
Ransomware of this type usually leaves any virtual disks it finds alone: they can be very large, and the time needed to encrypt them would only delay the ransomware's goal, which is to get onto a machine and lock it.
RegretLocker treats virtual disks differently. It uses the OpenVirtualDisk, AttachVirtualDisk and GetVirtualDiskPhysicalPath functions to mount virtual disks as physical disks on Windows machines. Once the virtual disk is mounted, RegretLocker encrypts the files on it individually instead of encrypting the whole container file, which speeds up the entire process.
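The following PowerShell script is an added example and is not RegretLocker's code or Malwarebytes' analysis tooling. It does through the Storage cmdlets what the malware does through the native virtdisk.dll calls: attach a VHDX as a physical disk, find its volumes, and walk the files inside. It then compares the size of the container file with the total size of the files it actually holds, which is the reason per-file encryption on a mounted disk is so much faster than encrypting the container. The image path is a hypothetical placeholder; the script assumes an elevated PowerShell session on a Windows host with the Storage module, and it mounts the image read-only so it can never alter the disk.

```powershell
# Added example (not RegretLocker code): mount a VHDX read-only, enumerate the
# volumes it exposes, and compare container size with the bytes stored inside.
# ASSUMPTION: $ImagePath points at an existing VHD/VHDX; run from an elevated shell.
param(
    [string]$ImagePath = 'C:\VMs\example.vhdx'   # hypothetical path
)

$container = Get-Item -LiteralPath $ImagePath

# -Access ReadOnly: the demo must never be able to modify the disk contents.
# Mount-DiskImage attaches the image as a disk, the cmdlet-level counterpart of
# OpenVirtualDisk / AttachVirtualDisk in native code.
$img = Mount-DiskImage -ImagePath $container.FullName -Access ReadOnly -PassThru
try {
    # The attached image now appears as a physical disk (\\.\PhysicalDriveN is
    # what GetVirtualDiskPhysicalPath would hand back to native code).
    $disk = $img | Get-Disk
    "Attached '{0}' as PhysicalDrive{1} (BusType: {2})" -f $container.Name, $disk.Number, $disk.BusType

    # Only volumes that received a drive letter are walked here.
    $volumes = $disk | Get-Partition | Get-Volume | Where-Object DriveLetter
    $insideBytes = [int64]0
    $fileCount = 0
    foreach ($v in $volumes) {
        $root = "$($v.DriveLetter):\"
        $files = Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue
        $sum = [int64]($files | Measure-Object -Property Length -Sum).Sum
        $insideBytes += $sum
        $fileCount += $files.Count
        "  volume {0} {1} files, {2:N0} bytes" -f $root, $files.Count, $sum
    }
    "Container on disk: {0:N0} bytes" -f $container.Length
    "Files inside:      {0:N0} bytes in {1} files" -f $insideBytes, $fileCount
    # Everything the container holds beyond those files (free space, filesystem
    # metadata, sparse or never-used blocks) is what per-file encryption on the
    # mounted disk never has to touch.
}
finally {
    # Always detach, even if enumeration failed part-way.
    Dismount-DiskImage -ImagePath $container.FullName | Out-Null
}
```

Run it as `.\vhd-inventory.ps1 -ImagePath 'D:\path\to\disk.vhdx'`. The difference between the two totals is typically large for a lightly used virtual disk, which is exactly the work a ransomware saves by mounting the image rather than reading and rewriting the whole container. Dismount-DiskImage in the finally block matters: a VHDX left attached read-only stays locked against the hypervisor that normally owns it.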
RegretLocker's virtual hard disk mounting capability may stem from research recently published on GitHub by security researcher smelly__vx. MalwareHunterTeam researchers also analyzed a RegretLocker sample and found that it can run both offline and online.
RegretLocker also uses the Windows Restart Manager API to terminate running programs or Windows services that keep files open. According to IT Pro Portal, the same API is used by other ransomware families, including Sodinokibi, Ryuk, Conti, Medusa Locker, ThunderX, SamSam and LockerGoga. Files encrypted by RegretLocker are given the .mouse extension.
Malwarebytes researchers note that their software correctly detects the threat, as the image below shows, so its users are protected.