RegretLocker Ransomware Meddles with Your Virtual Machines

It is well known that negligence in an organization’s cloud infrastructure invites threats to its business and can disrupt company-wide operations. Flaws in cloud networks add significant challenges for the security teams managing virtual resources and services.

Making the headlines

Researchers have discovered a sophisticated ransomware family that, although still at a nascent stage, uses advanced techniques to compromise Windows virtual machines.
  • Spotted in October, RegretLocker can encrypt virtual hard drives and close open files so that it can encrypt them as well.
  • To communicate with victims, the attackers send email notes rather than pointing to a Tor payment site.
  • The attackers’ email address is apparently hosted on CTemplar, an Iceland-based anonymous email hosting service.

How does it operate?

Normally, encrypting virtual hard disk files is an uphill task: the files are enormous, so encrypting them takes a long time.
  • The actors behind RegretLocker use the OpenVirtualDisk, AttachVirtualDisk, and GetVirtualDiskPhysicalPath functions to mount virtual disks so that their contents can be encrypted as ordinary files, which speeds up the process.
  • The ransomware abuses the Windows Restart Manager API to terminate running programs or Windows services that keep files open.
  • When encrypting files, it appends the .mouse extension to encrypted file names.
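The three behaviours listed above (loading the virtual-disk API, loading the Restart Manager API, and writing files with the .mouse extension) are individually common and only become a strong signal when one process exhibits them together. The script below, an added example that is not part of the original article or any vendor product, correlates them per process from a few lines of constructed EDR-style telemetry; the event schema, field names, pids and paths are assumptions, as are the DLL names used as proxies for the APIs (virtdisk.dll exports the OpenVirtualDisk family, rstrtmgr.dll the Restart Manager API). It also shows why single indicators should not fire on their own: a Hyper-V management process legitimately loads virtdisk.dll and an installer legitimately loads rstrtmgr.dll.

```python
"""Correlate the RegretLocker behaviour chain per process (added example)."""
import json
from collections import defaultdict

SUSPECT_EXT = ".mouse"          # extension the ransomware appends to encrypted files
VIRTDISK_DLL = "virtdisk.dll"   # exports OpenVirtualDisk / AttachVirtualDisk / GetVirtualDiskPhysicalPath
RSTRTMGR_DLL = "rstrtmgr.dll"   # Windows Restart Manager API

# Constructed sample telemetry in a hypothetical EDR schema (JSON lines).
# pid 4120 shows the full chain; 1808 (vmms.exe) and 2216 (msiexec.exe) are benign look-alikes.
SAMPLE_TELEMETRY = r"""
{"pid": 4120, "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "type": "ImageLoad", "module": "C:\\Windows\\System32\\virtdisk.dll"}
{"pid": 4120, "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "type": "ImageLoad", "module": "C:\\Windows\\System32\\rstrtmgr.dll"}
{"pid": 4120, "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "type": "FileRename", "path": "E:\\Users\\alice\\budget.xlsx", "target": "E:\\Users\\alice\\budget.xlsx.mouse"}
{"pid": 4120, "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "type": "FileRename", "path": "E:\\Users\\alice\\notes.docx", "target": "E:\\Users\\alice\\notes.docx.mouse"}
{"pid": 1808, "image": "C:\\Windows\\System32\\vmms.exe", "type": "ImageLoad", "module": "C:\\Windows\\System32\\virtdisk.dll"}
{"pid": 2216, "image": "C:\\Windows\\System32\\msiexec.exe", "type": "ImageLoad", "module": "C:\\Windows\\System32\\rstrtmgr.dll"}
{"pid": 2216, "image": "C:\\Windows\\System32\\msiexec.exe", "type": "FileCreate", "path": "C:\\Program Files\\Vendor\\app.exe"}
"""


def parse_telemetry(text):
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate_by_process(events):
    """Fold events into one behaviour record per pid."""
    procs = defaultdict(lambda: {"image": "", "virtdisk": False, "rstrtmgr": False, "mouse_files": 0})
    for ev in events:
        rec = procs[ev["pid"]]
        rec["image"] = ev.get("image", rec["image"])
        if ev["type"] == "ImageLoad":
            mod = _basename(ev["module"])
            if mod == VIRTDISK_DLL:
                rec["virtdisk"] = True
            elif mod == RSTRTMGR_DLL:
                rec["rstrtmgr"] = True
        elif ev["type"] in ("FileCreate", "FileRename"):
            # For a rename the interesting name is the destination, not the source.
            written = ev["target"] if ev["type"] == "FileRename" else ev["path"]
            if written.lower().endswith(SUSPECT_EXT):
                rec["mouse_files"] += 1
    return dict(procs)


def score_process(rec):
    """Return (score, reasons). Single indicators are weak; the chain is the signal."""
    score, reasons = 0, []
    if rec["mouse_files"]:
        score += 2
        reasons.append(f"{rec['mouse_files']} file(s) written with the {SUSPECT_EXT} extension")
    if rec["virtdisk"]:
        score += 1
        reasons.append("loaded virtdisk.dll (virtual disk attach API)")
    if rec["rstrtmgr"]:
        score += 1
        reasons.append("loaded rstrtmgr.dll (Restart Manager API)")
    if rec["virtdisk"] and rec["rstrtmgr"]:
        score += 1
        reasons.append("virtual-disk mounting combined with Restart Manager use in one process")
    return score, reasons


def find_suspects(text, threshold=2):
    """Processes whose score reaches the threshold, highest score first."""
    hits = []
    for pid, rec in correlate_by_process(parse_telemetry(text)).items():
        score, reasons = score_process(rec)
        if score >= threshold:
            hits.append({"pid": pid, "image": rec["image"], "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in find_suspects(SAMPLE_TELEMETRY):
        print(f"pid {hit['pid']} {hit['image']} score={hit['score']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

With the default threshold, a process that writes even one .mouse file is reported, and so is a process that mounts virtual disks and drives the Restart Manager before any renamed file appears; the benign Hyper-V and installer processes each score 1 and stay quiet. In a real deployment the DLL-load proxies would be replaced by whatever API or module telemetry the EDR exposes, and the extension check would be widened to the extensions of other families.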

The bottom line

Virtual machine security issues arise from the gap between security tools designed to protect hosted software and those that safeguard physical devices. Experts recommend segregating and protecting hosted elements inside a private subnetwork, allowing only tested and trusted virtual features and functions, and deploying separate infrastructure management and orchestration to protect the network.