A new sophisticated form of ransomware has been detected in the wild that uses advanced techniques to encrypt virtual machines.

First detailed today by Bleeping Computer, “RegretLocker” was discovered in October. Specifically targeting Windows virtual machines, the ransomware uses an interesting technique of mounting a virtual disk file so each of its files can be encrypted individually.

RegretLocker uses the Windows Virtual Storage API OpenVirtualDisk, AttachVirtualDisk and GetVirtualDiskPhysicalPath functions to mount virtual disks for encryption, speeding up the process. The ransomware also taps into Windows Restart Manager API to terminate processes or Windows services that keep files open during encryption.

Although the technical side is impressive in its complexity and its ability to target files, the rest of RegretLocker is fairly standard. Victims receive a ransom note that tells them to contact an email address if they want to restore their encrypted files. The email address is hosted on CTemplar, an anonymous email hosting service based in Iceland.

Although RegretLocker has been detected in the wild, it is not yet widespread.

“The newly discovered RegretLocker ransomware is another example of how sophisticated malware authors have become, and how they are continuing to develop their attacks as Cybersecurity practitioners continue to improve our defenses,” Saryu Nayyar, chief executive officer of unified security and risk analytics company Gurucul Solutions Pvt Ltd. A.G., told SiliconANGLE. “This ransomware’s new capabilities make it more of a challenge, especially if it becomes widespread. However, behavioral analytics tools should be able to identify it quickly and mitigate the threat as they can with other ransomware strains.”

Chloé Messdaghi, vice president of cybersecurity intelligence company Point3 Security Inc., noted that the ransomware has “broken through the speed-of-execution barrier” for encrypting virtual files. “RegretLocker encrypts the virtual hard drives and then closes files and drives,” she explained. “It actually seizes the virtual disk and is much faster in execution than previous ransomware attacking virtual files.”

Mounir Hahad, head of Juniper Threat Labs, the threat intelligence arm of Juniper Networks Inc., pointed out that the decision of whoever’s behind the ransomware to communicate with victims only through email seems like a poor choice. “It is true that picking an Iceland-based email provider gives them some privacy, but it doesn’t protect against criminal activity,” Hahad said. “Once CTemplar takes action and closes their email account, their victims will be left hanging to dry with no contact with the attackers.”

Photo: Pxfuel