A new ransomware called RegretLocker was discovered in October. Rather than directing victims to a Tor payment site, the ransom note left by the attackers instructs them to make contact by email. The note is short compared to most others, telling the victim only that their files have been encrypted, how to contact the attackers, and a “hash” that identifies the victim. What makes RegretLocker stand out, however, is its capability to mount Microsoft’s virtual hard disk files (VHD, VHDX) and encrypt individual files inside them rather than encrypting the entire disk image. Because it can select specific target files, which may be far smaller than the container, this has the potential to greatly speed up the encryption process compared to encrypting the full virtual disk as a single file.
Another uncommonly observed feature is its use of the Windows Restart Manager API to forcibly close specific processes or services that hold open a file targeted for encryption. This API is used by only a few other groups, including Conti, REvil (Sodinokibi) and Ryuk. Thankfully, RegretLocker is not yet very active, though its features, which are new to ransomware, may make it one to be cautious of.