RegretLocker ransomware: What it is, how it works and how to prevent it | Malware spotlight

January 13, 2021 by Pedro Tavares


In October 2020, a new piece of data encryption malware made the headlines. RegretLocker is a novel ransomware that avoids the long encryption times normally required for virtual disks, and it uses the Windows Restart Manager API to close any files the victim currently has open so that those files can be encrypted as well.

This article will provide some details on how RegretLocker works, the new techniques it is using to encrypt VHD files and some of the common procedures to fight ransomware incidents.

RegretLocker is often deployed by its operators to close an infection chain after a compromised network has been explored. This new threat, however, brings a technique not yet seen in its predecessors: when the malware encrypts the target device and finds virtual hard disks such as VHD or VHDX files, it mounts them and encrypts their contents file by file instead of encrypting the raw VHD file, a long and time-consuming task.

RegretLocker: How it works

The diagram presented in Figure 1 introduces how RegretLocker ransomware works.

Figure 1: High-level diagram of RegretLocker ransomware.

In short, the main steps of RegretLocker are:

  1. First, the ransomware checks for a valid internet connection and retrieves an RSA key from the C2 server; if no connection is available, it can fall back to a hardcoded key to continue the infection chain.
  2. An AES cryptographic key is generated to start the encryption process.
  3. Check for USB drives and encrypt them.
  4. Check for SMB shares and encrypt them.
  5. Encrypt all files on the target device and check for VHD files, mounting them and encrypting their contents file by file (instead of encrypting the raw VHD file, as traditional ransomware variants do).
  6. Create persistence in the registry and delete shadow copies to prevent recovery.
  7. Drop the ransom note.

During the malicious process, the ransomware sends several notifications to the C2 server about the state of the encryption process.

Understanding RegretLocker ransomware

The RegretLocker binary carries a hardcoded DLL called tor-lib.dll, used to connect the ransomware to the C2 server available on the TOR network, as shown in Figure 1. To accomplish this task, the DLL is dropped to disk at run time.

Figure 2: tor-lib.dll dropped from the RegretLocker binary.

In detail, this DLL exports two functions that the binary then uses to perform requests to the C2 server:

  • tor_send_get: To perform HTTP-GET requests through the TOR network
  • tor_send_post: To perform HTTP-POST requests through the TOR network

Figure 3: tor-lib.dll EAT calls.

Walking through the DLL, it is possible to identify some cryptographic functions used to establish communication with the TOR network, along with a hardcoded 1024-bit IETF prime modulus:

CryptCreateHash [Import] :: 0000802C :: 1000902C
CryptEncrypt [Import] :: 0000801C :: 1000901C
CryptGenRandom [Import] :: 00008008 :: 10009008
CryptHashData [Import] :: 00008030 :: 10009030
Prime: IETF-1024, prime modulus :: 00008528 :: 10009528

In detail, RegretLocker communicates with the C2 server during three main scenarios:

  1. To retrieve the RSA key from the C2 server when the target machine is connected to the internet; otherwise, the hardcoded RSA public key is used.
  2. To send the target fingerprint, including the computer’s IP address, hostname, disk volumes and so on.
  3. To deliver statistics about the encryption process and to alert criminals when the encryption process terminates.

Some interesting DLLs used by this piece of malware are highlighted in Figure 4.

Figure 4: DLLs imported and used by RegretLocker ransomware.

  • dll and advapi32.dll: DLLs used to handle cryptographic operations related to RSA and AES encryption.
  • dll: The Virtual Disk API DLL, used to mount virtual hard disks (VHD) during the encryption process.

The tor-lib.dll is also used, but it is not listed among the binary’s dependencies in the Import Address Table (IAT) because it is dropped at run time, as observed in Figure 5. Specific calls are used for this, such as GetModuleFileNameA(), GetModuleHandleA(), FindResourceA(), LoadResource(), LockResource() and LoadLibraryA(), to extract the DLL from the binary’s resources and load it into memory.

Figure 5: tor-lib.dll dropped and loaded into the memory in run-time.

Dissection of the persistence method

When the encryption process starts, the ransomware checks whether the target hostname matches that of the development machine, a technique used to ensure the malware does not encrypt the criminal’s own development machine.

Figure 6: RegretLocker terminates if the hostname is equal to a hardcoded name.

The next task is divided into two important steps. First, ensure that all the machine’s shadow copies are completely destroyed; then, set up a key in the Windows registry to gain persistence. Some of the commands used by RegretLocker to delete the Volume Shadow Copy Service (VSS) entries and disable Windows boot recovery are:

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled No
vssadmin.exe Delete Shadows /All /Quiet

To get persistence, two methods are used.

First, it sets a value under the registry key “SOFTWARE\Microsoft\Windows\CurrentVersion\Run” pointing to the path of the malicious binary. This ensures that the malicious binary is executed every time the user logs into the machine.

Figure 7: Persistence techniques of RegretLocker ransomware.

Second, it schedules a task that runs every minute using the schtasks utility, to guarantee the malware is always executing:

schtasks /Create /SC MINUTE /TN \”
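The shadow-copy deletion, boot-recovery tampering and minute-interval scheduled task described above are visible in process-creation telemetry. The following is an added detection example (not code from the article or from the malware); the event records are constructed and the field names are assumptions, loosely modelled on Sysmon Event ID 1 / Windows 4688.

```python
import re

# Constructed process-creation events (shape loosely follows Sysmon Event ID 1
# / Windows 4688 fields); these are made-up records, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 1188, "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 1190, "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"pid": 1192, "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 1201, "cmdline": 'schtasks /Create /SC MINUTE /TN "Updater" /TR C:\\Users\\Public\\x.exe'},
    {"pid": 1300, "cmdline": 'schtasks /Create /SC DAILY /TN "Backup" /TR C:\\backup\\run.bat'},
    {"pid": 1305, "cmdline": "explorer.exe"},
]

# One rule per behaviour described above. Matching is case-insensitive and on
# the command line, so a renamed copy of the tool is still caught.
RULES = [
    ("vss_shadow_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("boot_recovery_disabled",
     re.compile(r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("minute_scheduled_task",
     re.compile(r"schtasks(\.exe)?.*/create.*/sc\s+minute", re.I)),
]

def match_event(event):
    """Return the names of all rules triggered by one event."""
    return [name for name, pattern in RULES if pattern.search(event["cmdline"])]

def scan(events):
    """Return (hits, ransomware_like): hits is a list of (pid, rule) pairs and
    ransomware_like is True when shadow deletion appears together with at least
    one more of the behaviours, the combination RegretLocker exhibits. A single
    vssadmin call can be legitimate admin work; the combination rarely is."""
    hits = [(e["pid"], rule) for e in events for rule in match_event(e)]
    seen = {rule for _, rule in hits}
    ransomware_like = "vss_shadow_deletion" in seen and len(seen) >= 2
    return hits, ransomware_like
```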

This piece of software is also equipped with a process discovery routine, a mechanism that prevents multiple instances of the malware from being launched simultaneously by the scheduled task presented above. The calls used are depicted in Figure 8 below.

Figure 8: Calls used by RegretLocker during the process discovery task.

In addition, some target processes are matched during this process, namely:

In detail, this exception list is likely used to prevent the termination of critical programs or those used by the threat actor to access the compromised system.

Diving into the encryption details

As already depicted in the high-level diagram (Figure 1), this malware is quite different from other ransomware families. It first looks for and encrypts USB drives (Figure 9) and SMB shares (Figure 10), and it breaks through the speed-of-execution barrier for the encryption of virtual hard disk files.

RegretLocker mounts each virtual drive and encrypts its contents file by file, a process that runs much faster than the approach taken by previous ransomware families that targeted virtual disk files.

Figure 9: RegretLocker finds drives on the target machine, mounts them and encrypts them.

The malware uses a class called smb_scanner to perform SMB enumeration and a function smb_encrypt() to encrypt all the files inside the shared folder.

Figure 10: RegretLocker SMB enumeration routine.

Next, the malware tries to encrypt all the files of the affected computer. For this, it uses the call small_encrypt(). During this process, some files and directories are excluded:

Hex Editor

During the encryption process, the malware checks the file extension for “.vhd” in order to identify virtual drives. When it finds a VHD file, it mounts the virtual drive and uses several calls to iterate over the files and folders inside the mounted volume. Everything is then encrypted via the call encrypt_large_file().

This novel technique appears to be an adaptation of a recent publication by the security researcher smelly_vx, who demonstrated how to mount VHD files via the Windows Virtual Storage API.

Each encrypted file is renamed with the extension “.mouse”, and the ransom note is dropped inside each folder.

Figure 11: Files damaged by RegretLocker.

RegretLocker does not provide the lengthy ransom note that many ransomware families use today. The message is short and simple: it asks victims to contact the threat actors through an email address hosted on CTemplar, an anonymous email hosting service based in Iceland.

Figure 12: RegretLocker — ransomware note.

Prevention measures

Malicious campaigns target users and companies via social engineering schemes. In general, these kinds of campaigns are the entry point into a network, and criminals often use a ransomware attack to close the infection chain. Some measures can be taken to prevent attack scenarios of this nature:

  • Train users to be aware of potential social engineering and how to handle such attempts correctly.
  • Ensure that software, applications and systems are up to date.
  • Use endpoint protection solutions and updated antivirus to prevent malicious infections.
  • Use vulnerability management and monitoring systems to identify potential unpatched flaws and to detect incidents in real time.
  • Use canary files to detect ransomware early.
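Canary files give the earliest practical signal of a file-by-file encryptor such as RegretLocker: a canary that changes content, disappears, or reappears with the “.mouse” extension means encryption is already under way. The following is an added example (not code from the article); the canary names and content are constructed, and the manifest is assumed to be stored off the monitored volume.

```python
import hashlib
import os
import tempfile

# Constructed canary file names (assumptions): ordinary-looking documents that
# sort first and last so a file-by-file encryptor reaches them early.
CANARY_NAMES = ["00_invoice_2020.docx", "zz_passwords.xlsx"]
RANSOM_EXT = ".mouse"  # extension RegretLocker appends to encrypted files
CANARY_CONTENT = b"canary file - do not edit"

def plant_canaries(root):
    """Write the canaries under root and return a manifest {path: sha256}.
    Keep the manifest off the monitored volume so it cannot be encrypted too."""
    manifest = {}
    for name in CANARY_NAMES:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(CANARY_CONTENT)
        manifest[path] = hashlib.sha256(CANARY_CONTENT).hexdigest()
    return manifest

def check_canaries(manifest):
    """Return (path, finding) tuples; any finding is an early ransomware
    signal: the canary was rewritten, renamed with .mouse, or deleted."""
    findings = []
    for path, expected in manifest.items():
        if os.path.exists(path + RANSOM_EXT):
            findings.append((path, "renamed_with_ransom_extension"))
            continue
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        if digest != expected:
            findings.append((path, "content_changed"))
    return findings

def demo():
    """Plant canaries in a temp dir, reproduce the two observable effects of an
    encryptor (overwrite, rename to .mouse) and return what the check reports."""
    root = tempfile.mkdtemp()
    manifest = plant_canaries(root)
    clean = check_canaries(manifest)           # expected: [] on untouched canaries
    invoice, passwords = list(manifest)        # insertion order = CANARY_NAMES
    with open(invoice, "wb") as fh:
        fh.write(b"\x00" * 32)                 # stand-in for ciphertext, not real encryption
    os.rename(passwords, passwords + RANSOM_EXT)
    return clean, check_canaries(manifest)
```

In production the check would run from a scheduled job or a file-system watcher and raise an alert on the first finding, which is what makes canaries useful before the whole volume is lost.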

Finally, be proactive: perform cybersecurity audits and mitigate any weaknesses discovered in order to prevent attacks in the wild, from both the external and the internal perspective.



Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and Security Evangelist. He is also Editor-in-Chief of a computer security blog. In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT and security in computer networks. He is also a freelance writer.