Threat Watch

New RegretLocker Ransomware Mounts and Encrypts Virtual Drives

A new ransomware called RegretLocker was discovered in October. Rather than Tor payment sites, the ransom note left by the attackers instructs victims to send an email. The note is short compared to most others, only telling the victim that their files have been encrypted, how to contact them and a “hash” to identify the victim. What makes RegretLocker stand out, however, is that it has the capability to mount and encrypt individual files inside Microsoft’s virtual hard disk files (VHD, VHDX) rather than encrypting the entire disk. Through targeted file selection and potentially much smaller file sizes, this has the potential to greatly speed up the encryption process compared to encrypting the full virtual disk as a single file.

Another uncommon observed feature is using the Windows Restart Manager API to forcibly close specific processes or services that have a file open if it is a target for encryption. This API is only used by a few other groups including Conti, REvil (Sodinokibi) and Ryuk. Thankfully, RegretLocker is not currently very active yet, though its new-to-ransomware features may make it one to be cautious of.


VHD and VHDX files are often used as virtual disks for Hyper-V virtual machines which may indicate that the group is hoping to target Windows servers. Binary Defense recommends that organizations follow a regular patching schedule to keep systems up to date as new vulnerabilities are being remediated. When possible, services like Remote Desktop Protocol (RDP) should not be exposed directly to the Internet and instead placed behind a VPN. Consider enabling multi-factor authentication (MFA) for these services as well. Use the 3-2-1 rule as a guideline for backup practices. The rule states that three copies of all critical data are retained on at least two different types of media and at least one of them is stored offline.