Experts On RegretLocker Ransomware Strikes Windows Virtual Desktops

Juniper Threat Labs is offering perspective on the newly discovered RegretLocker ransomware, which rapidly encrypts Windows virtual desktops according to researchers.
Researcher Vitali Kremez: https://twitter.com/VK_Intel/status/1323693700371914753?s=20
Juniper Threat Labs: https://threatlabs.juniper.net/signatures/#/
Unfortunately, this ransomware has broken through the speed-of-execution barrier for encrypting virtual files, and there have been many trying to figure out how to do it. RegretLocker encrypts the virtual hard drives and then closes files. It actually seizes the virtual disk and is much faster in execution than previous ransomware attacking virtual files.
This is the kind of ransomware that forces companies to pay up, because it’s one that’s capable of bringing line-of-business processes and production to a halt. As we’ve seen, when the main consequences are loss of customer data, companies may or may not have been motivated to pay ransom, but when key business processes cease, victims will do whatever’s necessary to resume production. This is why it’s absolutely critical to upskill security teams and train all employees on avoiding falling for phishing attacks, because that’s the primary method of entry.
The newly discovered RegretLocker ransomware is another example of how sophisticated malware authors have become, and how they are continuing to develop their attacks as cybersecurity practitioners continue to improve our defenses. This ransomware's new capabilities make it more of a challenge, especially if it becomes widespread. However, behavioral analytics tools should be able to identify it quickly and mitigate the threat as they can with other ransomware strains. The key is having a mature security stack, and educating users to help reduce the chance of infection in the first place.
Going after virtual disks seems like a niche market for threat actors. Most ransomware does not need to deal with virtual disks to pose a threat.
Their decision to communicate with victims through email only seems again like a poor choice. It is true that picking an Iceland-based email provider gives them some privacy, but it doesn't protect against criminal activity. Once Ctemplar takes action and closes their email account, their victims will be left hanging out to dry with no contact with the attackers.