This article provides some details on how RegretLocker works, the new technique it uses to encrypt VHD files and some of the common procedures to fight ransomware incidents. RegretLocker is often deployed by its operators to close an infection chain at the end of the malicious exploitation of a compromised network. This new threat brings a technique not yet seen in its ancestors: when the malware encrypts the target device and finds any virtual hard disks, such as VHD or VHDX files, it mounts them and encrypts their contents file-by-file instead of encrypting the raw VHD file, which is a long, time-consuming task.

RegretLocker: How it works

The diagram presented in Figure 1 introduces how RegretLocker ransomware works.

Figure 1: High-level diagram of RegretLocker ransomware.

In short, the main steps of RegretLocker are:

1. Check for a valid internet connection and retrieve an RSA key from the C2 server; a hardcoded RSA key can be used instead to continue the infection chain.
2. Generate an AES cryptographic key to start the encryption process.
3. Check for USB drives and encrypt them.
4. Check for SMB shares and encrypt them.
5. Encrypt all files on the target device; when a VHD file is found, mount it and encrypt it file-by-file (instead of encrypting the raw VHD file, as traditional ransomware variants do).
6. Create persistence in the registry and delete shadow copies to prevent recovery.
7. Drop the ransom note.

During the malicious process, the ransomware sends several notifications to the C2 server about the state of the encryption process.

Understanding RegretLocker ransomware

The RegretLocker binary has a hardcoded DLL called tor-lib.dll, used to perform connections between the ransomware and the C2 server available on the TOR network, as shown in Figure 1. To accomplish this task, the DLL is dropped to disk when the binary executes.

Figure 2: tor-lib.dll dropped from the RegretLocker binary.

In detail, this DLL exports two calls that are then used by the binary to perform requests to the C2 server:

tor_send_get: performs HTTP GET requests through the TOR network.
tor_send_post: performs HTTP POST requests through the TOR network.

Figure 3: tor-lib.dll EAT calls.

Running through the DLL, it is possible to identify some cryptographic functions used to establish communication with the TOR network:

CryptGenRandom [Import] :: 00008008 :: 10009008
CryptHashData [Import] :: 00008030 :: 10009030
Prime: IETF-1024, prime modulus :: 00008528 :: 10009528

In detail, RegretLocker communicates with the C2 server in three main scenarios:

To retrieve the RSA key from the C2 server when the target machine is connected to the internet; otherwise the hardcoded RSA public key is used.
To send the target fingerprint, including the computer's IP, hostname, disk volumes and so on.
To deliver statistics about the encryption process and to alert the criminals when the encryption process terminates.

Some interesting DLLs used by this piece of malware are highlighted in Figure 4.

Figure 4: DLLs imported and used by RegretLocker ransomware.

dll and advapi32.dll: DLLs used to handle cryptographic operations related to RSA and AES encryption.
dll: the Virtual Disk API DLL, used to mount virtual hard disks (VHD) during the encryption process.

tor-lib.dll is also used but is not listed among the binary dependencies in the Import Address Table (IAT), as it is dropped at run-time, as observed below. Specific calls are used to perform this process, such as GetModuleFileNameA(), GetModuleHandleA(), FindResourceA(), LoadResource(), LockResource() and LoadLibraryA(), which extract the DLL from the binary's resources and load it into memory.

Figure 5: tor-lib.dll dropped and loaded into the memory in run-time.

Dissection of the persistence method

When the encryption process starts, the ransomware checks whether the target hostname matches the developer's machine name, a technique used to ensure the malware does not encrypt the development machine (the criminal's machine).

Figure 6: RegretLocker terminates if the hostname is equal to a hardcoded name.

The next task is divided into two important steps. First, ensure that all the machine's shadow copies are completely destroyed; then, set up a key in the Windows registry to get persistence. Some of the commands used by RegretLocker to delete the entries of the Volume Shadow Copy Service (VSS) and to disable Windows recovery are:

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled No
vssadmin.exe Delete Shadows /All /Quiet

To get persistence, two methods are used. First, it sets a value under the registry key "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" pointing to the path of the malicious binary. This ensures that the malicious binary is executed every time the user logs into the machine.

Figure 7: Persistence techniques of RegretLocker ransomware.

Second, it schedules a task that runs every minute using the schtasks process to guarantee the malware is always executed. This piece of software is also equipped with a process discovery routine, a mechanism to prevent multiple instances of the malware from being launched simultaneously by the scheduled task presented above. The calls used are depicted in Figure 8 below.
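The shadow copy deletion, recovery tampering and minute-interval scheduled task described above are all visible in process-creation telemetry before any file is encrypted. The following is an added detection example (Python, written for this article; not code from the article or from the malware) that matches those command lines over a constructed set of events. The vssadmin and bcdedit lines are the ones the article lists; the schtasks command line and the event shape are assumptions, since the article does not quote them.

```python
import re

# Constructed process-creation events in a Sysmon-like shape (hypothetical sample data,
# not telemetry from the article). The schtasks line is an assumed example, since the
# article only says that a task is scheduled every minute.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 4121, "cmd": "bcdedit.exe /set {default} recoveryenabled No"},
    {"pid": 4122, "cmd": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4123, "cmd": 'schtasks.exe /create /sc minute /mo 1 /tn "Sync" /tr C:\\Users\\Public\\r.exe'},
    {"pid": 4124, "cmd": "vssadmin.exe list shadows"},  # benign admin query, must not match
]

# One rule per pre-encryption technique named in the article, keyed on its command line.
RULES = [
    ("vss_shadow_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bootstatus_ignored", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("minute_scheduled_task", re.compile(r"\bschtasks(\.exe)?\b.*/create\b.*/sc\s+minute\b", re.I)),
]


def classify(cmd):
    """Return the technique names whose pattern matches this command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def find_ransomware_prep(events):
    """Return (pid, technique) pairs for every suspicious event."""
    return [(ev["pid"], name) for ev in events for name in classify(ev["cmd"])]


def distinct_techniques(events):
    """Number of distinct techniques seen; seeing several in a short window is the strong signal."""
    return len({name for _, name in find_ransomware_prep(events)})


if __name__ == "__main__":
    for pid, name in find_ransomware_prep(SAMPLE_EVENTS):
        print(f"pid={pid} technique={name}")
```

Any one of these commands is also run legitimately by administrators, so alerting on the count of distinct techniques seen from one parent process within a short window keeps the false-positive rate manageable.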

Figure 8: Calls used by RegretLocker during the process discovery task.

In addition, some target processes are matched during this process, namely:

mstsc
System
svchost.exe

In detail, this exception list is likely used to prevent the termination of critical programs or of those used by the threat actor to access the compromised system.

Diving into the encryption details

As already depicted in the high-level diagram (Figure 1), this malware is quite different from other ransomware families. Initially, it looks for and encrypts USB drives (Figure 9) and SMB shares (Figure 10), and it breaks through the speed-of-execution barrier for the encryption of virtual hard disk files. RegretLocker mounts each virtual drive and encrypts its contents, a process much faster than the way previous ransomware attacked virtual disk files.

Figure 9: RegretLocker finds drives on the target machine, mounts and encrypts them.

The malware uses a class called smb_scanner to perform SMB enumeration and a function smb_encrypt() to encrypt all the files inside each shared folder.

Figure 10: RegretLocker SMB enumeration routine.

Next, the malware tries to encrypt all the files on the affected computer. For this, it uses the call small_encrypt(). During this process, some files and directories are excluded:

x96dbg
Hex Editor
Windows
ProgramData
Microsoft
System
.log
tor-lib.dll

During the encryption process, the malware checks the file extension for ".vhd" in order to identify virtual drives. When it finds a VHD file, it mounts the virtual drive and uses several calls to iterate over the files and folders inside the mounted volume. Everything is encrypted via the call encrypt_large_file(). This novel technique appears to be an adaptation of a recent publication by the security researcher smelly_vx, which demonstrated how to mount VHD files via the Windows Virtual Storage API.

Each encrypted file is renamed with the ".mouse" extension, and the ransom note is dropped inside each folder.

Figure 11: Files damaged by RegretLocker.

RegretLocker does not drop a lengthy ransom note, as many ransomware families do today. The message is short and simple: it asks victims to contact the threat actors through an email address hosted on CTemplar, an anonymous email hosting service based in Iceland.

Figure 12: RegretLocker — ransomware note.

Prevention measures

Malicious campaigns are targeting users and companies via social engineering schemes. In general, these kinds of campaigns are the entry point into a network, and criminals often use a ransomware attack to close the infection chain. Some measures can be taken to prevent exploitation scenarios of this nature:

Train users to be aware of potential social engineering and how to handle it in the right way.
Ensure that software, applications and systems are up to date.
Use endpoint protection solutions and updated antivirus to prevent malicious infections.
Use vulnerability management and monitoring systems to identify potential unpatched flaws and to detect incidents in real time.
Use canary files to detect ransomware early.
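The ".mouse" rename the article describes and the canary-file recommendation in the list above fit together naturally: a decoy file that nothing legitimate touches gives an early, low-noise signal of encryption in progress. The following is an added example (Python, written for this article; not code from the article) that plants decoy files, records their hashes and flags a decoy that has been overwritten or renamed with the ransom extension. The decoy file name, the folders and the simulated tampering are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

CANARY_NAME = "_canary_do_not_open.docx"  # assumed decoy name; any name works
RANSOM_EXT = ".mouse"                      # extension the article reports RegretLocker appends


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def plant_canaries(root, subdirs):
    """Drop one decoy file per folder and return {path: baseline sha256}."""
    baseline = {}
    for sub in subdirs:
        folder = os.path.join(root, sub)
        os.makedirs(folder, exist_ok=True)
        path = os.path.join(folder, CANARY_NAME)
        with open(path, "wb") as fh:
            fh.write(b"decoy document for " + sub.encode())
        baseline[path] = sha256_of(path)
    return baseline


def check_canaries(baseline):
    """Compare each decoy with its baseline; return (path, finding) for anything that changed."""
    findings = []
    for path, digest in baseline.items():
        if os.path.exists(path + RANSOM_EXT):
            findings.append((path, "renamed_with_ransom_extension"))
        elif not os.path.exists(path):
            findings.append((path, "missing"))
        elif sha256_of(path) != digest:
            findings.append((path, "content_changed"))
    return findings


def demo():
    """Constructed scenario: two decoys planted; both overwritten in place, one also renamed."""
    root = tempfile.mkdtemp()
    baseline = plant_canaries(root, ["Documents", "Projects"])
    untouched = check_canaries(baseline)        # nothing changed yet, expected []
    doc = os.path.join(root, "Documents", CANARY_NAME)
    proj = os.path.join(root, "Projects", CANARY_NAME)
    for path in (doc, proj):                    # stand-in for encryption: contents replaced
        with open(path, "wb") as fh:
            fh.write(os.urandom(32))
    os.replace(doc, doc + RANSOM_EXT)           # stand-in for the ".mouse" rename
    return untouched, sorted(finding for _, finding in check_canaries(baseline))
```

In production the check would run from a scheduled job or a file-system watcher and page on the first finding, since by the time a decoy changes, encryption of real data is already under way.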

Finally, be proactive: perform cybersecurity audits and mitigate any weaknesses discovered in order to prevent attacks in the wild, both from the external and from the internal perspective.

Sources

RegretLocker, new ransomware, can encrypt Windows virtual hard disks, Malwarebytes
New RegretLocker ransomware targets Windows virtual machines, Bleeping Computer