Categories
Security

RegretLocker ransomware encrypts virtual machines

Ransomware, ransomware, ransomware. At this point, the other malware families might be feeling some Jan Brady-level jealousy toward their flashier, more advanced brother. Ransomware is getting all the attention right now—for good reason.

Ransomware attacks have been ramping up in volume and in sophistication over the last year. Corporate targets have had to steel themselves against stealthy spear phishing campaigns, exposed RDP ports, zero-day exploits, and more. Now they have to worry about their virtual machines.

Using a combination of advanced attack techniques, a new ransomware family discovered in October called RegretLocker is able to encrypt virtual hard drives and close any files that users have open so that they, too, can be encrypted. Why does this matter? RegretLocker is able to execute much more quickly than previous ransomware families and evade detection.

RegretLocker takes ransomware to the next level

RegretLocker ransomware appears fairly simple on the surface. It is accompanied by a short and sweet ransom note (as opposed to the long-winded soliloquies that have become common among ransomware threat actors). It uses email instead of Tor to accept ransom payments. When encrypting files, it applies a harmless-sounding .mouse extension.

But that’s where the simplicity ends. Instead of encrypting a large virtual disk file en masse, which can take a long time, RegretLocker mounts the virtual disk file so that the files inside it can be encrypted individually, speeding up the process. In addition, RegretLocker uses the Windows Restart Manager API to terminate the processes that are holding a file open, so that the file can be encrypted and users cannot salvage it while it is still open.
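One defensive angle on the behaviour described above is the artefact it leaves on disk: a single process renaming file after file to the .mouse extension in a short burst. The following is an added example, not code from the article, from Malwarebytes or from the ransomware; it assumes a feed of file-rename events from endpoint telemetry (constructed inline, with a hypothetical process named rl.exe as the offender) and flags any process that renames THRESHOLD or more files to .mouse inside a sliding time window. The window length and threshold are assumed tuning values.

```python
"""Toy detector for a RegretLocker-style rename burst.

Added example for this post; it is not code from the article, from
Malwarebytes or from the ransomware. It assumes a feed of file-rename
events from endpoint telemetry (constructed inline below) and flags any
process that renames THRESHOLD or more files to the '.mouse' extension
the article describes inside a WINDOW-long sliding window.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

SUSPICIOUS_EXT = ".mouse"          # extension RegretLocker appends (from the article)
THRESHOLD = 5                      # renames inside WINDOW before alerting (assumed tuning)
WINDOW = timedelta(seconds=10)     # sliding window length (assumed tuning)

# Constructed sample telemetry, one event per line:
#   <ISO timestamp> pid=<n> image=<path> rename <src> -> <dst>
# pid 5560 (rl.exe) is the hypothetical ransomware process; 4120 and 7000 are benign.
SAMPLE_EVENTS = r"""
2020-11-10T08:59:00 pid=5560 image=C:\Users\a\AppData\Local\Temp\rl.exe rename C:\Data\old.doc -> C:\Data\old.doc.mouse
2020-11-10T09:00:00 pid=4120 image=C:\Windows\explorer.exe rename C:\Users\a\notes.txt -> C:\Users\a\notes_old.txt
2020-11-10T09:00:01 pid=5560 image=C:\Users\a\AppData\Local\Temp\rl.exe rename C:\Data\q1.xlsx -> C:\Data\q1.xlsx.mouse
2020-11-10T09:00:02 pid=5560 image=C:\Users\a\AppData\Local\Temp\rl.exe rename C:\Data\q2.xlsx -> C:\Data\q2.xlsx.mouse
2020-11-10T09:00:02 pid=7000 image=C:\Tools\backup.exe rename C:\Data\bak.zip -> C:\Data\bak.zip.bak
2020-11-10T09:00:03 pid=5560 image=C:\Users\a\AppData\Local\Temp\rl.exe rename C:\Data\report.docx -> C:\Data\report.docx.mouse
2020-11-10T09:00:04 pid=5560 image=C:\Users\a\AppData\Local\Temp\rl.exe rename C:\Data\photo.jpg -> C:\Data\photo.jpg.mouse
2020-11-10T09:00:05 pid=5560 image=C:\Users\a\AppData\Local\Temp\rl.exe rename C:\Data\plan.pptx -> C:\Data\plan.pptx.mouse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) rename (?P<src>.+?) -> (?P<dst>.+)$"
)


def parse_event(line):
    """Parse one telemetry line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "pid": int(m["pid"]),
        "image": m["image"],
        "src": m["src"],
        "dst": m["dst"],
    }


def detect_rename_bursts(lines, threshold=THRESHOLD, window=WINDOW, ext=SUSPICIOUS_EXT):
    """Return one alert per process whose .mouse renames reach `threshold` inside `window`."""
    recent = defaultdict(deque)   # pid -> timestamps of its recent suspicious renames
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not ev["dst"].lower().endswith(ext):
            continue
        q = recent[ev["pid"]]
        q.append(ev["ts"])
        # Drop renames that fell out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["pid"] not in alerted:
            alerted.add(ev["pid"])
            alerts.append({"pid": ev["pid"], "image": ev["image"],
                           "count": len(q), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_EVENTS.strip().splitlines()):
        print(f"ALERT pid={alert['pid']} image={alert['image']} "
              f"{alert['count']} .mouse renames by {alert['at'].isoformat()}")
```

The early rename at 08:59:00 is deliberately outside the window, so the alert fires on the fifth rename at 09:00:05 with a count of 5, not 6; in a real deployment the window and threshold should be set from baseline rename rates on the monitored hosts.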

RegretLocker follows in the footsteps of another ransomware family known as Ragnar Locker, which was first discovered in October 2019. Ragnar Locker deploys virtual machines to victim systems and launches the ransomware from inside. This gives the ransomware access to files on the local disk without being detected by security software deployed on the host system. In September 2020, Maze ransomware authors added Ragnar Locker’s virtual machine tactic to their bag of tricks.

The use of virtual machines by these ransomware families is not for the faint of heart—it’s complex, messy, and requires prior knowledge about the hardware and capabilities of the target networks, including whether or not the required services have already been disabled. However, for threat actors looking to select and encrypt specific files quickly, or for those who’ve compromised a system but are looking to crack particularly difficult files, these methods represent the next evolution in a long chain of dangerous developments in ransomware.

What’s more, there are not many ways to protect against these types of ransomware attacks outside of preventing them from happening in the first place. (Though Malwarebytes’ Anti-Ransomware technology blocks RegretLocker from launching.)

What we can take away from these latest developments in ransomware is that cybercriminals have been busy doing what they do best: developing new tricks and workarounds for the obstacles that had previously kept their malware from being as dangerous as it could be. The best defense, as it has always been, is awareness and proactive protection.

To learn more about RegretLocker ransomware, take a look at our blog on Malwarebytes Labs: https://blog.malwarebytes.com/ransomware/2020/11/regretlocker-new-ransomware-can-encrypt-windows-virtual-hard-disks/

And here is Bleeping Computer’s take on RegretLocker: https://www.bleepingcomputer.com/news/security/new-regretlocker-ransomware-targets-windows-virtual-machines/

For information on Ragnar Locker’s attack on gaming company Capcom: https://threatpost.com/gaming-giant-capcom-ragnar-locker-ransomware/160996/


Mysterious case of the executable hijack

I got a message from my friend Paul today asking for help with an infection. He was using the latest version of Firefox at the time and was positive he did not click on any odd links or download anything malicious. Naturally, I advised him to run Malwarebytes Anti-Malware and had him send me the log. One specific entry popped out at me.

Memory Processes Infected:
c:\Users\Paul\AppData\Local\ojx.exe (Trojan.ExeShell.Gen) -> 3508 -> No action taken.

I picked up the phone and called Bruce Harrison, our VP of Research, and asked for an explanation. The result shocked me. I was told that this was an executable hijack that is used with FakeAlert, a Trojan we see almost daily in our research center.

What exactly does that mean? Well, once the infection has penetrated your computer, it hijacks the launching of every executable so that the malicious file runs instead of the program you asked for. For example, you try to open Skype and the malicious file starts instead.

It does this in two ways. First, it modifies each shortcut itself to point to the malware. Second, it modifies the .exe shell open command in the registry so that, once again, instead of starting the correct executable, it starts the malicious file.
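The second of those two changes is easy to audit, because the registry keys that decide what runs when an .exe is launched have well-known defaults. The following is an added example, not Malwarebytes code and not the malware's own logic; it assumes a .reg export of those keys that has already been decoded to text (regedit writes UTF-16), checks the machine-wide values against the Windows defaults and reports any per-user override, which a default installation does not define. The sample export is constructed, reusing the ojx.exe path from Paul's log as the hijacked handler. The shortcut half of the hijack is not covered here.

```python
"""Audit a registry export for an .exe shell hijack.

Added example for this post; it is not Malwarebytes code and not the
malware's own logic. It assumes a plain-text .reg export (regedit writes
UTF-16, so decode it first) of the keys that decide what runs when an .exe
is launched, and reports any value that differs from the Windows default or
any per-user override that a default installation does not have.
"""
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')

# Defaults on a clean Windows system (known values, not taken from the article).
EXPECTED_DEFAULTS = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}
# Per-user keys that override the machine-wide handler; absent on a default
# installation, so their mere presence deserves a look.
OVERRIDE_KEYS = (
    r"HKEY_CURRENT_USER\Software\Classes\.exe",
    r"HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command",
)

# Constructed sample export: the machine-wide keys are clean, but a per-user
# override points every .exe launch at the ojx.exe path from Paul's log.
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\Users\\Paul\\AppData\\Local\\ojx.exe\" -a \"%1\" %*"
'''


def _unescape(value):
    # Undo .reg string escaping: a backslash followed by any character yields
    # that character (covers both the escaped backslash and the escaped quote).
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_reg_defaults(text):
    """Map each [section] key to its unescaped default (@) value, or None if it has none."""
    defaults, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            defaults.setdefault(current, None)   # record presence even without an @ value
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if m and current is not None:
            defaults[current] = _unescape(m.group(1))
    return defaults


def audit_exe_handler(text):
    """Return findings as dicts with 'key', 'problem' and 'value'; empty list means clean."""
    defaults = parse_reg_defaults(text)
    lookup = {k.lower(): v for k, v in defaults.items()}   # registry keys are case-insensitive
    findings = []
    for key, expected in EXPECTED_DEFAULTS.items():
        if key.lower() not in lookup:
            findings.append({"key": key, "problem": "missing", "value": None})
        elif lookup[key.lower()] != expected:
            findings.append({"key": key, "problem": "modified", "value": lookup[key.lower()]})
    for key in OVERRIDE_KEYS:
        if key.lower() in lookup:
            findings.append({"key": key, "problem": "per-user override present",
                             "value": lookup[key.lower()]})
    return findings


if __name__ == "__main__":
    for f in audit_exe_handler(SAMPLE_REG):
        print(f"{f['problem']:28} {f['key']}  ->  {f['value']!r}")
```

A clean export yields no findings; the sample yields exactly one, the per-user override whose command wraps the real program in a call to ojx.exe, which is the pattern the log entry above points at. Because the check compares against fixed defaults, it also catches a tampered machine-wide command, not only the per-user variant.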

Luckily, Malwarebytes Anti-Malware was able to patch Paul up, but we both wanted to know how this had happened. Bruce advised us to check the installed Java version. It was in fact outdated by several versions. I advised Paul to update to the latest version and he now has a healthy computer!