RegretLocker – this new ransomware can meddle with your virtual hard drives

Welcome to the next episode of the Xopero Security Center! This time we shed some light on RegretLocker. This new ransomware is quite a sophisticated threat. It uses advanced techniques to compromise Windows virtual machines first, then encrypts virtual hard drives. How exactly? Check below.

The last regret of a Windows user has a new name – RegretLocker

A new ransomware called RegretLocker uses a variety of advanced features that allow it to encrypt virtual hard drives and close open files for encryption.

RegretLocker is a simple ransomware in terms of appearance. When encrypting files, it will append the innocuous-sounding .mouse extension to encrypted file names. What it lacks in appearance, though, it makes up for in advanced features that we do not usually see in ransomware infections.

When creating a Windows Hyper-V virtual machine, a virtual hard disk is created and stored in a VHD or VHDX file. These virtual hard disk files contain a raw disk image, including a drive’s partition table and partitions, and like regular disk drives, can range in size from a few gigabytes to terabytes.

When ransomware encrypts files on a computer, encrypting one very large file is inefficient because it slows down the entire encryption process. RegretLocker instead mounts the virtual disk file so that each file inside it can be encrypted individually. To do this, it uses the Windows Virtual Storage API functions OpenVirtualDisk, AttachVirtualDisk and GetVirtualDiskPhysicalPath to mount virtual disks. Once the virtual drive is mounted as a physical disk in Windows, the ransomware can encrypt each file on it individually, which speeds up encryption.

In addition to using the Virtual Storage API, RegretLocker also utilizes the Windows Restart Manager API to terminate processes or Windows services that keep a file open during encryption. But if the name of a process contains ‘vnc’, ‘ssh’, ‘mstsc’, ‘System’, or ‘svchost.exe’, the ransomware will not terminate it. This exception list is likely used to prevent the termination of critical programs or those used by the threat actor to access the compromised system.
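A defender's view of the two techniques described above, as an added example (it is not code from the article or from any vendor tool): a Go hunt over constructed Sysmon-style events that flags the DLLs backing those APIs (virtdisk.dll exports the Virtual Storage API functions named above, rstrtmgr.dll implements the Restart Manager; both DLL names are facts about Windows) together with bursts of files written with the .mouse extension. The process allowlist, the threshold and the sample records are assumptions to tune per environment.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// SysmonEvent holds the subset of Sysmon fields this hunt uses.
// Event ID 7 = ImageLoad (Image is the process, ImageLoaded the DLL);
// Event ID 11 = FileCreate (TargetFilename is the file written).
type SysmonEvent struct {
	EventID        int    `json:"EventID"`
	Image          string `json:"Image"`
	ImageLoaded    string `json:"ImageLoaded,omitempty"`
	TargetFilename string `json:"TargetFilename,omitempty"`
}

// Finding is one alert produced by the hunt.
type Finding struct {
	Rule    string
	Process string
	Detail  string
}

// baseName splits on both separators so Windows paths work on any host.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

// DefaultAllowlist is an assumed baseline of processes expected to use the
// Virtual Storage API (e.g. the Hyper-V management service); tune it per site.
var DefaultAllowlist = map[string]bool{"vmms.exe": true, "diskpart.exe": true}

// HuntRegretLocker scans JSON-encoded Sysmon events and reports:
//   - "virtdisk-load": virtdisk.dll loaded by a process outside the allowlist;
//   - "virtdisk+restartmgr": one process loading both virtdisk.dll and
//     rstrtmgr.dll, the two APIs the article describes together;
//   - "mass-mouse-rename": at least mouseThreshold ".mouse" files by one process.
func HuntRegretLocker(lines []string, allowlist map[string]bool, mouseThreshold int) ([]Finding, error) {
	var findings []Finding
	loaded := map[string]map[string]bool{} // process image -> lowercase DLL names
	mouseCounts := map[string]int{}        // process image -> ".mouse" files created

	for _, line := range lines {
		var ev SysmonEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad event line %q: %w", line, err)
		}
		switch ev.EventID {
		case 7:
			dll := strings.ToLower(baseName(ev.ImageLoaded))
			if loaded[ev.Image] == nil {
				loaded[ev.Image] = map[string]bool{}
			}
			loaded[ev.Image][dll] = true
			if dll == "virtdisk.dll" && !allowlist[strings.ToLower(baseName(ev.Image))] {
				findings = append(findings, Finding{"virtdisk-load", ev.Image, "unexpected Virtual Storage API use"})
			}
		case 11:
			if strings.HasSuffix(strings.ToLower(ev.TargetFilename), ".mouse") {
				mouseCounts[ev.Image]++
			}
		}
	}

	// Post-pass over sorted keys so the output order is deterministic.
	var images []string
	for img := range loaded {
		images = append(images, img)
	}
	sort.Strings(images)
	for _, img := range images {
		if loaded[img]["virtdisk.dll"] && loaded[img]["rstrtmgr.dll"] {
			findings = append(findings, Finding{"virtdisk+restartmgr", img, "mounts virtual disks and can end processes holding files open"})
		}
	}
	images = images[:0]
	for img := range mouseCounts {
		images = append(images, img)
	}
	sort.Strings(images)
	for _, img := range images {
		if n := mouseCounts[img]; n >= mouseThreshold {
			findings = append(findings, Finding{"mass-mouse-rename", img, fmt.Sprintf("%d files created with .mouse extension", n)})
		}
	}
	return findings, nil
}

// SampleEvents are constructed Sysmon-style records, not real telemetry.
var SampleEvents = []string{
	`{"EventID":7,"Image":"C:\\Windows\\System32\\vmms.exe","ImageLoaded":"C:\\Windows\\System32\\virtdisk.dll"}`,
	`{"EventID":7,"Image":"C:\\Users\\bob\\AppData\\Local\\Temp\\rl.exe","ImageLoaded":"C:\\Windows\\System32\\virtdisk.dll"}`,
	`{"EventID":7,"Image":"C:\\Users\\bob\\AppData\\Local\\Temp\\rl.exe","ImageLoaded":"C:\\Windows\\System32\\rstrtmgr.dll"}`,
	`{"EventID":11,"Image":"C:\\Users\\bob\\AppData\\Local\\Temp\\rl.exe","TargetFilename":"D:\\vm\\disk1\\report.docx.mouse"}`,
	`{"EventID":11,"Image":"C:\\Users\\bob\\AppData\\Local\\Temp\\rl.exe","TargetFilename":"D:\\vm\\disk1\\budget.xlsx.mouse"}`,
	`{"EventID":11,"Image":"C:\\Users\\bob\\AppData\\Local\\Temp\\rl.exe","TargetFilename":"D:\\vm\\disk1\\notes.txt.mouse"}`,
	`{"EventID":11,"Image":"C:\\Windows\\explorer.exe","TargetFilename":"C:\\Users\\bob\\Desktop\\mickey.mouse"}`,
}

func main() {
	findings, err := HuntRegretLocker(SampleEvents, DefaultAllowlist, 3)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("[%s] %s: %s\n", f.Rule, f.Process, f.Detail)
	}
}
```

Run against the constructed sample the hunt reports three findings, all for the unknown Temp-directory process, while the allowlisted Hyper-V service and the single ".mouse" file written by explorer.exe stay quiet. The combination rule is the one worth the most attention: legitimate installers use the Restart Manager and virtualisation tools use virtdisk.dll, but one process using both is a much narrower pattern.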

RegretLocker looks to be worth keeping an eye on.


Git LFS vulnerability allows attackers to compromise targets’ Windows systems

Git Large File Storage (Git LFS) is an open source Git extension for versioning large files, and one with quite a large community. Dawid Golunski, a security researcher and founder of ExploitBox, discovered a serious vulnerability (CVE-2020-27955) which allows attackers to achieve remote code execution if a Windows-using victim is tricked into cloning the attacker’s malicious repository using a vulnerable Git version control tool.

It can be exploited in a variety of popular Git clients in their default configuration – GitHub CLI, GitHub Desktop, SmartGit, SourceTree, GitKraken, Visual Studio Code, etc. – and likely other clients and development IDEs (i.e., those that install git with the Git LFS extension by default).

“Git LFS does not specify a full path to git binary when executing a new git process via a specific exec.Command() function.

As the exec.Command() implementation on Windows systems includes the current directory, attackers may be able to plant a backdoor in a malicious repository by simply adding an executable file named git.bat, git.exe, git.cmd or any other extension that is used on the victim’s system (PATHEXT environment dependent) in the main repo’s directory. As a result, the malicious git binary planted in this way will get executed instead of the original git binary located in a trusted path,” explains Dawid Golunski.

The CVE-2020-27955 vulnerability is trivial to exploit. It can be triggered if the victim is tricked into cloning the attacker’s malicious repository using a vulnerable Git version control tool.
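The bug class in Go terms, as an added example (this is not Git LFS's code, and the hardening shown is a general pattern rather than the project's actual 2.12.1 fix): `runGitUnsafe` reproduces the bare-name `exec.Command("git", ...)` call described above, and `trustedGitPath` / `runGitSafe` resolve the binary first and refuse any result that is relative or lives in the current directory. Go 1.19 and later already return `exec.ErrDot` for a PATH search that lands in the current directory; the explicit `checkResolved` step keeps the same policy on older toolchains. The paths in the usage below are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// checkResolved rejects an executable path that a PATH search resolved to a
// relative location or to a file inside the current working directory (cwd).
// On Windows the process-creation lookup includes the current directory, so a
// git.exe / git.bat / git.cmd planted in a freshly cloned repository would
// otherwise win over the real git installed in a trusted location.
func checkResolved(resolved, cwd string) (string, error) {
	if !filepath.IsAbs(resolved) {
		return "", fmt.Errorf("refusing relative executable path %q", resolved)
	}
	if filepath.Dir(resolved) == filepath.Clean(cwd) {
		return "", fmt.Errorf("refusing %q: it resolved inside the current directory %q", resolved, cwd)
	}
	return resolved, nil
}

// trustedGitPath locates the git binary without ever accepting a result from
// the current directory. exec.LookPath reports exec.ErrDot for such results on
// Go 1.19+; checkResolved makes the policy explicit and host-independent.
func trustedGitPath(name string) (string, error) {
	resolved, err := exec.LookPath(name)
	if errors.Is(err, exec.ErrDot) {
		return "", fmt.Errorf("%q resolved relative to the current directory; refusing to run it", name)
	}
	if err != nil {
		return "", err
	}
	cwd, err := os.Getwd()
	if err != nil {
		return "", err
	}
	return checkResolved(resolved, cwd)
}

// runGitUnsafe is the vulnerable pattern, shown for contrast: a bare program
// name lets the platform lookup decide which "git" runs.
func runGitUnsafe(args ...string) *exec.Cmd {
	return exec.Command("git", args...)
}

// runGitSafe builds the command from a vetted absolute path instead.
func runGitSafe(args ...string) (*exec.Cmd, error) {
	gitPath, err := trustedGitPath("git")
	if err != nil {
		return nil, err
	}
	return exec.Command(gitPath, args...), nil
}

func main() {
	// Constructed illustration of the check itself, independent of what is installed.
	for _, candidate := range []string{"git.exe", "/work/repo/git.exe", "/usr/bin/git"} {
		_, err := checkResolved(candidate, "/work/repo")
		fmt.Printf("%-20s -> %v\n", candidate, err)
	}
	cmd, err := runGitSafe("--version")
	if err != nil {
		fmt.Println("git not usable:", err)
		return
	}
	out, err := cmd.CombinedOutput()
	fmt.Printf("%s(err=%v)\n", out, err)
}
```

The check is deliberately stricter than the language runtime: a relative path from any PATH entry is refused, not only one from "." or an empty entry, because a tool that runs inside attacker-supplied directories has no good reason to accept a relative interpreter path at all.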

Affected users and product vendors are advised to update to the latest Git LFS version (v2.12.1), which plugged the security hole. Git for Windows has also been updated to include this Git LFS version.


REvil ransomware gang ‘acquires’ KPOT malware

The REvil ransomware gang has “acquired” the source code of the KPOT information stealer trojan for $6,500 in an underground auction. The sale took place after the KPOT malware author decided to auction off the code, wanting to move on to other projects.

The sale was organized as a public auction on a private underground hacking forum for Russian-speaking cyber-criminals. The only bidder was UNKN, a well-known member of the REvil (Sodinokibi) ransomware gang, said security researcher Pancak3. UNKN paid the initial asking price of $6,500, while other forum members declined to participate, citing the steep asking price.

Pancak3, who first spotted the KPOT auction in mid-October, said that he believes the REvil gang bought KPOT to “further develop it” and add it to the considerable arsenal of hacking tools the gang uses during its targeted intrusions into corporate networks.

First spotted in 2018, KPOT is a classic “information stealer” that can extract and steal passwords from various apps on infected computers. This includes web browsers, instant messengers, email clients, VPNs, RDP services, FTP apps, cryptocurrency wallets, and gaming software, according to a 2019 Proofpoint report.

Although many other forum members have described the KPOT code as overpriced, UNKN and the REvil gang have money to spare. The member claimed in an interview that the REvil gang makes more than $100 million from ransom demands each year. 


GrowDiaries Exposes Emails, Passwords of 1.4M Cannabis Growers

A database linked to GrowDiaries, an online community of cannabis growers, has exposed more than a million users’ email addresses, passwords, IP address records and posts: 3.4 million records in all, many of them belonging to users in countries where cannabis is illegal.

GrowDiaries is a robust online community of cannabis growing enthusiasts from around the world, where they can share tips, tricks and pictures of their progress. On Oct. 10, researcher Volodymyr “Bob” Diachenko found a database linked to GrowDiaries with 1.4 million email and IP address records, along with an additional 2 million user posts, left accessible online. 

These 2 million posts were protected by passwords, but Diachenko found that GrowDiaries was hashing passwords with MD5, which is easily cracked and leaves members vulnerable to malicious actors.
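What the MD5 finding means in practice, as an added example (not code from GrowDiaries, from the researcher, or from the article): the weak pattern, an unsalted MD5 of the password, next to a hardened form that stores a random per-user salt and an iterated PBKDF2-HMAC-SHA256 hash. PBKDF2 is written out here so the example needs only the Go standard library; the iteration count, salt length and sample passwords are assumptions, and a dedicated library (bcrypt, scrypt or Argon2) is the usual choice in production.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// weakMD5Hash is the pattern the article describes: one unsalted MD5 per
// password. Identical passwords produce identical hashes across users, and
// MD5 is fast enough that a leaked table can be compared against large
// password lists at very high speed.
func weakMD5Hash(password string) string {
	sum := md5.Sum([]byte(password))
	return hex.EncodeToString(sum[:])
}

// pbkdf2SHA256 derives dkLen bytes per RFC 8018 section 5.2 using HMAC-SHA256
// as the PRF: T_i = U_1 xor ... xor U_c, U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}).
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	blocks := (dkLen + hLen - 1) / hLen
	out := make([]byte, 0, blocks*hLen)
	var idx [4]byte
	for i := 1; i <= blocks; i++ {
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := make([]byte, hLen)
		copy(t, u)
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// Assumed parameters: raise the iteration count as hardware allows.
const (
	pbkdf2Iterations = 100_000
	saltLen          = 16
	keyLen           = 32
)

// StoredPassword is what the database keeps instead of a bare hash.
type StoredPassword struct {
	Salt []byte
	Hash []byte
	Iter int
}

// HashPassword draws a fresh random salt so equal passwords never collide in storage.
func HashPassword(password string) (StoredPassword, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return StoredPassword{}, err
	}
	hash := pbkdf2SHA256([]byte(password), salt, pbkdf2Iterations, keyLen)
	return StoredPassword{Salt: salt, Hash: hash, Iter: pbkdf2Iterations}, nil
}

// VerifyPassword recomputes the derivation and compares in constant time.
func VerifyPassword(stored StoredPassword, password string) bool {
	candidate := pbkdf2SHA256([]byte(password), stored.Salt, stored.Iter, len(stored.Hash))
	return subtle.ConstantTimeCompare(candidate, stored.Hash) == 1
}

func main() {
	// Constructed sample: two users who chose the same password.
	fmt.Println("md5(alice):", weakMD5Hash("hunter2"))
	fmt.Println("md5(bob):  ", weakMD5Hash("hunter2")) // identical, so one crack exposes both
	alice, _ := HashPassword("hunter2")
	bob, _ := HashPassword("hunter2")
	fmt.Println("pbkdf2(alice):", hex.EncodeToString(alice.Hash))
	fmt.Println("pbkdf2(bob):  ", hex.EncodeToString(bob.Hash)) // differs because of the salt
	fmt.Println("verify correct:", VerifyPassword(alice, "hunter2"), "wrong:", VerifyPassword(alice, "hunter3"))
}
```

The two properties the example makes visible are exactly the ones an MD5 table lacks: a per-user salt removes cross-user hash collisions and defeats precomputed tables, and the iteration count turns each guess from a microsecond into a tunable cost.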

“Many users appear to be from locations where growing and using marijuana is not legal,” Diachenko wrote. “They could face legal repercussions or possibly extortion if their growing activities come to light.”

In Malaysia, selling drugs is punishable by death, and a possession conviction in countries including Dubai, Singapore, the Philippines and many others often comes with a lengthy prison stay.

Diachenko said GrowDiaries members should be on the lookout for phishing attacks and update their passwords across all platforms, because the compromised credentials could be used in credential “stuffing” attacks, which he explains involve automated bots plugging stolen usernames and passwords into other apps and sites in various combinations in an attempt to breach them.

After the exposure was reported, GrowDiaries asked for additional details, and by Oct. 15 the data had been secured.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. Games in Microsoft Store Can Be Abused for Privilege Escalation on Windows (Security Week)
2. Apple search bot leaked internal IPs via proxy configuration (Bleeping Computer)
3. Malicious npm package opens backdoors on programmers’ computers (ZDNet)
4. Mysterious APT Leaves Curious ‘KilllSomeOne’ Clue (ThreatPost)
5. Zoom Snooping: How Body Language Can Spill Your Password (ThreatPost)
6. Multiple JavaScript vulnerabilities in Adobe Acrobat Reader (Talos Intelligence)
7. Containers for Data Analysis Are Rife With Vulnerabilities (Dark Reading)
8. Mattel Reveals July Ransomware Attack Impacting Business (Infosecurity Magazine)
9. Sneaky Office 365 phishing inverts images to evade detection (Bleeping Computer)
10. 23,600 hacked databases have leaked from a defunct ‘data breach index’ site (ZDNet)