{
	"id": "ca03f550-b3e9-4aca-bd79-4372f13433bb",
	"created_at": "2026-04-06T00:21:11.802907Z",
	"updated_at": "2026-04-10T03:22:11.348426Z",
	"deleted_at": null,
	"sha1_hash": "7f01a1e94d7acdcec5bd96adffda56e1a525eea1",
	"title": "RegretLocker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 889019,
	"plain_text": "RegretLocker\r\nBy Chuong Dong\r\nPublished: 2020-11-17 · Archived: 2026-04-05 22:01:21 UTC\r\nReverse Engineering · 17 Nov 2020\r\nSummary\r\nRegretLocker is a new ransomware that has been found in the wild in the last month and that does not only encrypt\r\nordinary files on disk like other ransomware. When running, it specifically searches for VHD files, mounts them\r\nusing the Windows Virtual Storage API, and then encrypts all the files it finds inside those VHD files.\r\nTypically, VHD files are huge in size, with a maximum size of nearly 2TB, because they are mainly used to store the contents\r\nof a VM's hard disk, which includes disk partitions and file systems. This makes it unrealistic for ransomware\r\nto waste time encrypting them simply because they are too big.\r\nHowever, by mounting these virtual disks as physical disks, RegretLocker can go through and encrypt the\r\nindividual files inside, which significantly increases overall encryption speed.\r\nFor encryption, RegretLocker reaches out to the C\u0026C server for an RSA key, which it uses to encrypt a buffer and produce a\r\nunique AES key. This AES key is then used to encrypt all of the files on the disks. 
However, if the machine is\r\noffline or it can’t reach C\u0026C, it just uses the hard-coded RSA key in memory, which makes it simple to write\r\na decryption tool for!\r\nAll of the encrypted files have the extension .mouse.\r\nHuge shout-outs to Vitali Kremez and MalwareHunterTeam for bringing this ransomware to my attention!\r\nhttp://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/\r\nPage 1 of 21\n\nIOCs\r\nRegretLocker comes in the form of a 32-bit PE file.\r\nMD5: 3265b2b0afc6d2ad0bdd55af8edb9b37\r\nSHA256: a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4\r\nDependencies\r\nAdvapi32.dll and Crypt32.dll: Main crypto functionality such as RSA and AES encryption\r\nVirtDisk.dll: Virtual disk mounting functionality\r\ntor-lib.dll: DLL dropped by RegretLocker that is used to contact C\u0026C through Tor\r\nNetworking\r\nRegretLocker contacts the C\u0026C server at http://regretzjibibtcgb.onion/input through Tor 3 times:\r\n- Retrieving the RSA key from the server\r\n- Sending information such as the computer's IP address, name, and disk volumes\r\n- Signalling when it finishes encrypting\r\nBefore contacting C\u0026C, it sends a GET request to http://api.ipify.org/ to retrieve the PC’s public IP address. If\r\nthis fails, the malware assumes that it’s running offline and uses the hard-coded RSA key.\r\nRansom Note\r\nRegretLocker drops a ransom note in every folder that it encrypts. This is the content if you run the malware with\r\nan Internet connection. 
The hash is used to identify which RSA key was used to generate the AES key on your machine.\r\nYou can find the malware log on my Github.\r\nCode Analysis\r\nOnly One Process Running\r\nRegretLocker first checks that only one instance of itself is running by looping through all of the running\r\nprocesses using CreateToolhelp32Snapshot, Process32First, and Process32Next.\r\nFor each of the running processes, it compares the name against its own name to make sure that there is no other\r\nprocess with the same name.\r\nIf there is one with the same name, the ransomware exits immediately.\r\nDropping tor-lib.dll\r\nThe malware extracts the path of the directory it is located in through GetModuleFileNameA and appends\r\n“\\tor-lib.dll” to it, which means that it drops this DLL in the same directory as the malware.\r\nIt then calls a function to extract the DLL from its resource section through FindResourceA, LoadResource, and\r\nLockResource. As we can see in Resource Hacker, the DLL is stored unencrypted in the resource section. After\r\nextracting the DLL, it calls LoadLibrary to get a handle to it. This handle is later used by the malware to\r\ncontact C\u0026C.\r\nDevelopment Check\r\nThe malware writer has 2 odd checks for a particular user name and PC name (WIN-295748OMAKG).\r\nIf the user name or the PC name matches, the malware exits immediately.\r\nThis is potentially just a check against the development PC to make sure that the ransomware does not try to\r\nencrypt the machine during development.\r\nAs a developer myself, I’m disappointed by this unprofessionalism. 
Clean up your damn code please!\r\nPersistence\r\nFor persistence, the malware sets the registry key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run to the path of\r\nthe malware. This ensures that the malware is automatically run every time the user logs into the machine.\r\nNext, it also schedules the malware as a task that runs every minute using this Schtasks.exe command, which is run from\r\ncmd.exe using ShellExecuteA.\r\n schtasks /Create /SC MINUTE /TN \"Mouse Application\" /TR \"RegretLocker_path\" /f\r\nEncryption Setup\r\nThe malware builds and executes this command from cmd.exe.\r\n cmd.exe /C wmic SHADOWCOPY DELETE \u0026 wbadmin DELETE SYSTEMSTATEBACKUP \u0026 bcdedit.exe / set{ default } bootstatu\r\nwmic SHADOWCOPY DELETE: Deletes all of the shadow copies of the files on the system,\r\npreventing the encrypted files from being reverted to their previous state.\r\nwbadmin DELETE SYSTEMSTATEBACKUP: Deletes the system state backup, preventing the system from going back\r\nto a previous snapshot.\r\nbcdedit.exe / set{ default } bootstatuspolicy ignoreallfailures: Sets the boot status policy to ignore errors\r\nduring a failed boot, making sure the PC does not fail over to Windows recovery or reboot.\r\nbcdedit.exe / set{ default } recoveryenabled No: Makes sure the system can’t be recovered.\r\nNext, it loops through all the drives and collects the names of those with the drive type DRIVE_FIXED,\r\nDRIVE_REMOVABLE, or DRIVE_REMOTE.\r\nThese names are mounted to the C drive using GetVolumePathNamesForVolumeNameA,\r\nSetVolumeMountPointA, FindFirstVolumeA, and FindNextVolumeA. 
Since the function is named\r\nshow_hided_drives(), it probably just mounts all the valid drives so it won’t miss any hidden drive.\r\nRetrieving RSA key\r\nAs discussed above, the malware first reaches out to C\u0026C at http://regretzjibibtcgb.onion/input with get_key in\r\nthe query to request the RSA key.\r\nThe global variable RSA_KEY is written with the RSA key depending on whether it can reach the\r\nC\u0026C or not. If it can’t, it uses this hard-coded RSA key.\r\n-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1ZQInrnhxXCtAN/LsOX2GmgbvBxMsO49lc1/qodshkUvRQLazWv61UbMLKx2gaRQrCYuVrR1C\r\n-----END PUBLIC KEY-----\r\nGenerating AES key\r\nUsing the RSA key, it calls CryptAcquireContextA, CryptDecodeObjectEx, CryptImportPublicKeyInfo, and\r\nCryptEncrypt to encrypt the “AES” buffer in memory, generating a new AES key.\r\nWith this method, the malware can generate a different AES key as long as it receives a different RSA key from\r\nC\u0026C. However, this AES key is constant if the malware is run offline, so it should be\r\nstraightforward to produce a decryption tool if either C\u0026C is down or the PC is not connected to the Internet.\r\nEncryption - USB Drives\r\nThe first encryption happens to USB drives, if there are any. This function is called to retrieve the names of all the\r\nUSB drives by checking for any drive with the DRIVE_REMOVABLE type. This function is pretty similar to the\r\none previously used in show_hided_drives().\r\nNext, it loops through all of these USB drives and calls a function to encrypt their contents. 
I label this as\r\nsmall_encrypt() because it is used to encrypt USB drives and small files only.\r\nI will dive into these encryption functions later because there are a few different versions to cover.\r\nEncryption - SMB Scanner\r\nThe malware is written in C++, and there is a class called smb_scanner. The SMB function performs SMB scanning to\r\nfind:\r\n- Adapter names and address ranges on the adapter\r\n- NetServers’ IP addresses and machine names on the server using NetServerEnum\r\nThe result value is a buffer of all the SMB folders in string form.\r\nThen, it goes through a while loop calling a function to encrypt these SMB folders, so I label this encryption\r\nfunction as smb_encrypt(). I actually have not set up SMB on my virtual machine, so when I ran this, I did not\r\nknow if it could actually encrypt SMB folders or not…\r\nEncryption - Large Files\r\nThe malware has a specific method of looking for large files and then begins to encrypt them right after the SMB\r\nencryption.\r\nThe malware author called this encrypting function encrypt_large_file(), so I just went along with it. It seems to be\r\nthe same as most of the other encrypting functions except that it has extra logic to account for the file size. 
The\r\ncore of this function still boils down to AES encryption.\r\nAfter the encryption, it renames the encrypted file to the same name but with the extension .mouse and\r\noverwrites the file buffer with this newly encrypted buffer.\r\nEncryption - Everything Else\r\nAfter the large file encryption, RegretLocker goes into a while loop to encrypt everything else with\r\nsmall_encrypt().\r\nsmall_encrypt() calls a wrapper function to navigate around directories and files before encrypting them. It\r\nspecifically looks out for these to avoid encrypting them:\r\n- RegretLocker file\r\n- .log\r\n- HOW TO RESTORE FILES.TXT\r\n- Windows folder\r\n- ProgramData\r\n- Microsoft\r\n- System\r\nNext, it checks the file type. If the file type is FILE_ATTRIBUTE_DIRECTORY, it calls a recursive\r\nencrypting function to go through every layer inside the folder. If the file type is not a folder, it\r\nsimply calls the main encrypting function to encrypt it.\r\nInside the recursive encrypting function, RegretLocker specifically looks for these file names to avoid\r\nencrypting them:\r\n- Cheat\r\n- Notepad\r\n- x96dbg\r\n- Hex Editor\r\n- tor-lib.dll\r\n- .mouse\r\nSince the drives are mounted, RegretLocker checks the file extension for “.vhd” in order to detect any virtual\r\ndrive. If found, it calls a function to open the virtual drive and start encrypting everything inside by recursively\r\ncalling back into the recursive function. 
The ransomware uses a series of calls to OpenVirtualDisk,\r\nAttachVirtualDisk, GetVirtualDiskPhysicalPath, FindFirstVolumeW, CreateFileW, DeviceIoControl,\r\nGetVolumePathNamesForVolumeNameW, and FindNextVolumeW to retrieve a list of file and folder names\r\ninside.\r\nIf the file is not a folder, it just calls the main encrypting function to encrypt it.\r\nThis function is divided into 2 conditional blocks. If the file size is greater than 104857600 bytes, or around 105MB,\r\nthe file is counted as a large file and is encrypted with the encrypt_large_file() function. If it’s not, then\r\nRegretLocker proceeds to encrypt it using AES.\r\nThere is a catch here. If the encryption fails, it means the file is in use by some process. In that case,\r\nRegretLocker finds the process that is currently using this file and attempts to terminate it. It accomplishes\r\nthis through the use of Restart Manager with these API calls:\r\n- RmStartSession: Starts a new Restart Manager session\r\n- RmRegisterResources: Registers the file to be encrypted as a resource\r\n- RmGetList: Gets the list of applications, services, or processes that are using this resource\r\n- CreateToolhelp32Snapshot, Process32FirstW, and Process32NextW: Check all running processes for\r\ntheir IDs, comparing them with the processes above\r\nAfter getting the processes that are using the file, it checks their names. If a name matches any of these, the process is not\r\nadded to the list of processes to be closed later:\r\n- vnc\r\n- ssh\r\n- mstsc\r\n- System\r\n- svchost.exe\r\nRegretLocker then builds the command string taskkill /F /IM \\process_name and runs it with cmd.exe. 
This\r\ncommand basically just filters for the process with the given process name and terminates it.\r\nThe ransomware continuously loops until it successfully closes the process. Then it attempts the encryption\r\nagain.\r\nEncryption - AES\r\nThe core of the encrypting functions above is this one AES encrypting function. It basically just uses the\r\ngenerated AES key to encrypt the file with a series of calls to CryptAcquireContextA, CryptImportKey,\r\nCryptSetKeyParam, and CryptEncrypt, which is fairly standard.\r\nAfter the encryption, it writes this encrypted buffer back into the file with the new file extension .mouse. It\r\nalso checks the folder path to see if it has already created the file HOW TO RESTORE FILES.TXT and\r\ncreates one if it has not.\r\nYARA rule\r\nrule regretlocker {\r\n    meta:\r\n        description = \"YARA rule for RegretLocker\"\r\n        reference = \"http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/\"\r\n        author = \"@cPeterr\"\r\n        tlp = \"white\"\r\n    strings:\r\n        $str1 = \"tor-lib.dll\"\r\n        $str2 = \"http://regretzjibibtcgb.onion/input\"\r\n        $str3 = \".mouse\"\r\n        $cmd1 = \"taskkill /F /IM \\\\\"\r\n        $cmd2 = \"wmic SHADOWCOPY DELETE\"\r\n        $cmd3 = \"wbadmin DELETE SYSTEMSTATEBACKUP\"\r\n        $cmd4 = \"bcdedit.exe / set{ default } bootstatuspolicy ignoreallfailures\"\r\n        $cmd5 = \"bcdedit.exe / set{ default } recoveryenabled No\"\r\n        $func1 = \"open_virtual_drive()\"\r\n        $func2 = \"smb_scanner()\"\r\n        $checklarge = { 81 fe 00 00 40 06 }\r\n    condition:\r\n        all of ($str*) and any of ($cmd*) and any of ($func*) and $checklarge\r\n}\r\nSamples\r\nI got my samples from Any.Run and tutorialjinni.com!\r\nReferences\r\nhttps://twitter.com/VK_Intel/status/1323693700371914753\r\nhttps://twitter.com/malwrhunterteam/status/1321375502179905536 
https://github.com/vxunderground/VXUG-Papers/blob/main/Weaponizing%20Windows%20Virtualization/WeaponizingWindowsVirtualization.pdf\r\nSource: http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/"
	],
	"report_names": [
		"RegretLocker"
	],
	"threat_actors": [],
	"ts_created_at": 1775434871,
	"ts_updated_at": 1775791331,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f01a1e94d7acdcec5bd96adffda56e1a525eea1.pdf",
		"text": "https://archive.orkl.eu/7f01a1e94d7acdcec5bd96adffda56e1a525eea1.txt",
		"img": "https://archive.orkl.eu/7f01a1e94d7acdcec5bd96adffda56e1a525eea1.jpg"
	}
}