RegretLocker: A new strain of ransomware that targets Windows virtual machines
A new ransomware strain called RegretLocker has been found to use several advanced techniques: it mounts virtual hard disks so that it can encrypt the files inside them, and it closes files held open by running processes so that those files can be encrypted as well.
RegretLocker was first spotted in October 2020 and, on the surface, looks like a simple ransomware strain: it does not drop a lengthy ransom note, and it communicates with victims only by email rather than through a Tor payment site.
RegretLocker's ransom notes
Once a file has been encrypted, RegretLocker appends the innocuous-looking .mouse extension to its name. The extension itself is unremarkable; what sets this family apart is how it goes about the encryption.
The file after being encrypted by RegretLocker
RegretLocker's dangerous encryption technique
When a Windows Hyper-V virtual machine is created, a virtual hard disk is created along with it and stored in a VHD or VHDX file.
These virtual disk files contain raw disk images, including the partition table and the partitions themselves, just like a physical drive, and can range in size from a few gigabytes to several terabytes.
When ransomware encrypts the data on a machine, encrypting such a large file is inefficient: it slows down the whole operation. In a sample found by MalwareHunterTeam and analyzed by Advanced Intel security researcher Vitali Kremez, RegretLocker takes a fairly unusual approach: it mounts the virtual disk file so that the files inside it can be encrypted individually, quickly and efficiently. To do this, RegretLocker uses the Windows Virtual Storage API functions OpenVirtualDisk, AttachVirtualDisk and GetVirtualDiskPhysicalPath to mount the virtual disk.
The malware mounts a VHD file
Once the virtual drive is attached as a physical disk in Windows, the ransomware can encrypt each file on it individually, which is far faster than encrypting the whole multi-gigabyte VHD file as a single unit. It also means the data inside the virtual machine is encrypted, not merely the container file around it.
In addition to the Virtual Storage API, RegretLocker was found to abuse the Windows Restart Manager API to terminate Windows processes or services that hold files open, so that those files can be encrypted.
When using this API, the ransomware skips any process whose name contains 'vnc', 'ssh', 'mstsc', 'System' or 'svchost.exe'. This exception list most likely exists to keep important system processes, and the remote-access tools the attackers use to reach the target, from being shut down by accident. The Windows Restart Manager API has so far been seen in only a handful of well-known ransomware families, including REvil (Sodinokibi), Ryuk, Conti, ThunderX/Ako, Medusa Locker, SamSam and LockerGoga.
Windows Restart Manager Exceptions List
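The two behaviours above (mounting a VHD through the Virtual Storage API, then using the Restart Manager to close open handles before renaming files to .mouse) are a useful detection pattern in combination, because either one alone is also done by legitimate software such as backup tools. The following is an added example, not RegretLocker's code and not code from the original article: a small Python detector that runs over a constructed, hypothetical per-process API telemetry stream (the "key=value" record format, the field names, the MoveFileExW rename records and the mass-rename threshold are all assumptions) and flags a process that shows two or more of the indicators. It also mirrors the exception list from the paragraph above as a substring match; the article does not state whether RegretLocker's match is case-sensitive, so the case-insensitive comparison is an assumption.

```python
"""Behavioural detector for the RegretLocker pattern described in the article.

Added example: this is not RegretLocker's code and not code from the original
article. It runs over a CONSTRUCTED, hypothetical per-process API telemetry
stream (one "key=value ..." record per call, as an EDR hook or sandbox might
emit; the field names are assumptions) and flags any process that combines
two or more of:
  1. mounting a virtual disk through the Virtual Storage API
     (OpenVirtualDisk -> AttachVirtualDisk -> GetVirtualDiskPhysicalPath),
  2. using the Restart Manager (RmStartSession/RmRegisterResources/RmShutdown)
     to close handles to files it is about to encrypt,
  3. mass-renaming files to the .mouse extension.
"""
from dataclasses import dataclass, field

VIRTDISK_MOUNT_APIS = ("OpenVirtualDisk", "AttachVirtualDisk", "GetVirtualDiskPhysicalPath")
RESTART_MANAGER_APIS = ("RmStartSession", "RmRegisterResources", "RmShutdown")
RANSOM_EXTENSION = ".mouse"
MASS_RENAME_THRESHOLD = 3  # assumed tuning value for this toy stream

# Name fragments RegretLocker spares when shutting processes down (from the article).
SPARED_PROCESS_FRAGMENTS = ("vnc", "ssh", "mstsc", "System", "svchost.exe")


def is_spared(process_name: str) -> bool:
    """Mirror the exception list: substring match on the process name.
    Assumption: matching is case-insensitive (the article does not say)."""
    name = process_name.lower()
    return any(frag.lower() in name for frag in SPARED_PROCESS_FRAGMENTS)


def would_kill(process_names):
    """Processes RegretLocker would terminate from a Restart Manager list,
    i.e. everything that does not match the exception list."""
    return [n for n in process_names if not is_spared(n)]


@dataclass
class ProcessProfile:
    image: str
    apis: set = field(default_factory=set)
    mouse_renames: int = 0


def parse_record(line: str) -> dict:
    """'pid=1 image=x.exe api=Foo arg=C:\\p' -> dict. Constructed format:
    whitespace-separated key=value tokens, so paths must not contain spaces."""
    return dict(tok.split("=", 1) for tok in line.split())


def profile_telemetry(lines):
    """Aggregate per-pid API usage and .mouse rename counts."""
    profiles = {}
    for line in lines:
        rec = parse_record(line)
        pid = int(rec["pid"])
        prof = profiles.setdefault(pid, ProcessProfile(image=rec["image"]))
        prof.apis.add(rec["api"])
        if rec["api"].startswith("MoveFileEx") and rec.get("arg", "").lower().endswith(RANSOM_EXTENSION):
            prof.mouse_renames += 1
    return profiles


def indicators(prof: ProcessProfile):
    """Human-readable list of RegretLocker-like behaviours seen for one process."""
    found = []
    if all(api in prof.apis for api in VIRTDISK_MOUNT_APIS):
        found.append("mounts a virtual disk via the Virtual Storage API")
    if all(api in prof.apis for api in RESTART_MANAGER_APIS):
        found.append("uses Restart Manager to close open file handles")
    if prof.mouse_renames >= MASS_RENAME_THRESHOLD:
        found.append(f"renamed {prof.mouse_renames} files to {RANSOM_EXTENSION}")
    return found


def detect(lines, min_indicators: int = 2):
    """Map pid -> indicator list for every process meeting the threshold.
    One indicator alone is not enough: backup tools legitimately mount VHDs."""
    hits = {}
    for pid, prof in profile_telemetry(lines).items():
        found = indicators(prof)
        if len(found) >= min_indicators:
            hits[pid] = found
    return hits


# Constructed sample stream: one benign VHD mount (pid 7001) and one
# RegretLocker-like process (pid 5532).
SAMPLE_TELEMETRY = [
    r"pid=4120 image=svchost.exe api=CreateFileW arg=C:\Windows\Temp\x.log",
    r"pid=5532 image=update.exe api=OpenVirtualDisk arg=C:\VMs\srv01.vhdx",
    r"pid=5532 image=update.exe api=AttachVirtualDisk arg=C:\VMs\srv01.vhdx",
    r"pid=5532 image=update.exe api=GetVirtualDiskPhysicalPath arg=\\.\PhysicalDrive2",
    r"pid=5532 image=update.exe api=RmStartSession arg=",
    r"pid=5532 image=update.exe api=RmRegisterResources arg=D:\data\ledger.accdb",
    r"pid=5532 image=update.exe api=RmShutdown arg=MSACCESS.EXE",
    r"pid=5532 image=update.exe api=MoveFileExW arg=D:\data\ledger.accdb.mouse",
    r"pid=5532 image=update.exe api=MoveFileExW arg=D:\data\q3.xlsx.mouse",
    r"pid=5532 image=update.exe api=MoveFileExW arg=D:\data\notes.docx.mouse",
    r"pid=7001 image=backup.exe api=OpenVirtualDisk arg=C:\VMs\srv02.vhdx",
    r"pid=7001 image=backup.exe api=AttachVirtualDisk arg=C:\VMs\srv02.vhdx",
    r"pid=7001 image=backup.exe api=GetVirtualDiskPhysicalPath arg=\\.\PhysicalDrive3",
]

if __name__ == "__main__":
    for pid, found in detect(SAMPLE_TELEMETRY).items():
        print(f"pid {pid}: " + "; ".join(found))
    print("would kill:", would_kill(["winvnc.exe", "MSACCESS.EXE", "sshd.exe", "System"]))
```

On the constructed stream only pid 5532 is reported, because the backup process mounts a VHD but neither uses the Restart Manager nor renames anything; in a real deployment the record format and the rename threshold would need to be adapted to whatever the EDR or sandbox actually emits.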
RegretLocker is not very active at the moment, but it is clearly a dangerous new ransomware family that is worth keeping an eye on.