RegretLocker - compiled information, activity and samples
RegretLocker is a ransomware targeting Windows systems, identified in late 2020. It employs evasion techniques by checking for a specific username and PC name ("WIN-295748OMAKG") and exits if matched, likely to avoid analysis. Persistence is maintained by scheduling itself as a Windows Scheduled Task named "Mouse Application" running every minute. The malware is distributed via a public URL and communicates with a known IP address, possibly for command and control. No known exploits or widespread active campaigns have been reported, but its ransomware capabilities pose risks of data encryption, operational disruption, and financial loss. Detection may be hindered by its evasion and persistence mechanisms. European organizations, especially in Germany, France, the UK, Italy, Spain, the Netherlands, and Poland, are considered likely targets due to market penetration and strategic importance. Mitigations include monitoring scheduled tasks, blocking malicious URLs and IPs, behavioral detection, application whitelisting, and maintaining offline backups. The threat is assessed as medium severity given its moderate impact and exploitation complexity.
AI Analysis
Technical Summary
RegretLocker is a ransomware family discovered in late 2020 that targets Windows operating systems without specific version constraints. The malware incorporates unique evasion techniques, notably performing checks against a particular username and PC name ("WIN-295748OMAKG"); if either matches, the malware terminates immediately, likely to avoid execution in controlled or analysis environments. Persistence is achieved by creating a Windows Scheduled Task named "Mouse Application" that runs every minute using the Schtasks.exe utility invoked through cmd.exe and ShellExecuteA, ensuring continuous execution and complicating removal efforts. The malware is distributed via a publicly accessible URL (http://344744.cloud4box.ru/files/locker/locker.exe) and communicates with an IP address (109.248.203.209), which may serve as command and control infrastructure or for data exfiltration. Although there are no known exploits actively used in the wild or widespread campaigns, the malware demonstrates moderate sophistication with a threat level and analysis rating of 2. No patches or affected Windows versions are specified, suggesting broad targeting. Technical analyses and reverse engineering reports provide insights into its behavior, but public data on its prevalence and impact remain limited. Overall, RegretLocker represents a ransomware threat with evasion and persistence capabilities that could disrupt operations and compromise data confidentiality if deployed effectively.
Potential Impact
For European organizations, RegretLocker presents a moderate risk primarily through its ransomware functionality, which can encrypt critical data, causing operational disruption and potential financial losses from ransom payments or recovery efforts. Its persistence mechanism via scheduled tasks allows it to maintain a foothold on infected systems, increasing potential downtime and complicating incident response and remediation. The evasion technique of checking for specific usernames and PC names may hinder detection by security tools, delaying response and increasing damage potential. Although no active exploitation campaigns are currently documented, the availability of a public payload and associated command and control infrastructure indicates potential for targeted or opportunistic attacks. Organizations handling sensitive or critical data could face confidentiality breaches if data exfiltration occurs prior to encryption. Operational impacts include loss of data availability, reputational damage, and increased complexity in incident handling. Given the medium severity and limited exploitation evidence, the immediate threat level is moderate but could escalate if threat actors adopt or evolve this malware to target European entities more aggressively.
Mitigation Recommendations
European organizations should implement specific measures beyond generic ransomware defenses to mitigate RegretLocker risks:
1. Monitor and restrict the creation and execution of scheduled tasks, especially those named "Mouse Application" or tasks invoking Schtasks.exe at frequent intervals, to disrupt the malware's persistence mechanism.
2. Deploy behavioral detection capabilities to identify malware performing environment checks for specific usernames or PC names, enabling early detection of evasion attempts.
3. Block network access to known malicious URLs and IP addresses associated with RegretLocker, such as http://344744.cloud4box.ru/files/locker/locker.exe and IP 109.248.203.209, using firewalls, web proxies, and DNS filtering.
4. Conduct proactive threat hunting focused on identifying unusual scheduled tasks and persistence artifacts indicative of RegretLocker infection.
5. Harden endpoint security by enforcing application whitelisting and restricting execution privileges to prevent unauthorized binaries from running.
6. Maintain offline, regularly tested backups to ensure rapid recovery without paying ransom.
7. Educate users on phishing risks and suspicious downloads, as initial infection vectors are likely social engineering-based.
8. Engage with threat intelligence sharing platforms to stay updated on RegretLocker developments and emerging indicators of compromise.
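As an added example (not part of this record or of the analyses it cites), the following Python script applies the scheduled-task monitoring and hunting points above to an export from `schtasks /query /fo CSV /v`: it flags tasks named "Mouse Application" and tasks that repeat at minute-level intervals from a user-writable path. The CSV sample is constructed and carries only the columns the check reads; the column names and the "One Time Only, Minute" schedule label are assumed to follow the English schtasks output.

```python
import csv
import io

# Constructed sample in the layout of `schtasks /query /fo CSV /v`
# (only the columns this check needs; the real export has many more).
SAMPLE_EXPORT = """\
"TaskName","Task To Run","Schedule Type","Repeat: Every"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$","Weekly","N/A"
"\\Mouse Application","C:\\Users\\Public\\locker.exe","One Time Only, Minute","0:01:00"
"\\Updater","C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe","One Time Only, Minute","0:01:00"
"\\Backup","C:\\Program Files\\Backup\\bk.exe","Daily","N/A"
"""

KNOWN_TASK_NAMES = {"mouse application"}  # task name reported for RegretLocker
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

def repeat_seconds(value):
    """Parse the 'Repeat: Every' field (H:MM:SS); None when the task does not repeat."""
    try:
        h, m, s = (int(p) for p in value.split(":"))
    except ValueError:          # "N/A" or an unexpected format
        return None
    return h * 3600 + m * 60 + s

def suspicious_tasks(export_text, max_repeat=60):
    """Return (task name, reasons) for tasks showing RegretLocker-style persistence."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["TaskName"].lstrip("\\")
        reasons = []
        if name.lower() in KNOWN_TASK_NAMES:
            reasons.append("known RegretLocker task name")
        every = repeat_seconds(row["Repeat: Every"])
        if every is not None and every <= max_repeat:
            reasons.append(f"repeats every {every}s")
        if any(p in row["Task To Run"].lower() for p in USER_WRITABLE):
            reasons.append("binary in user-writable path")
        # A frequent repeat alone is noisy: flag on the known name, or on
        # a frequent repeat combined with a binary in a user-writable path.
        if "known RegretLocker task name" in reasons or len(reasons) >= 2:
            findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    for task, why in suspicious_tasks(SAMPLE_EXPORT):
        print(f"{task}: {', '.join(why)}")
```

On a live host, feed the script the output of `schtasks /query /fo CSV /v` instead of the constructed sample.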
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Threat Level: 2
- Analysis: 2
Indicators of Compromise
| Type | Value | Description |
|---|---|---|
| text | WIN-295748OMAKG | The malware writer has 2 weird checks to check for a particular user name and PC name (WIN-295748OMAKG). If the user name or the PC name matches, the malware will exit immediately. |
| link | http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/ | — |
| link | https://twitter.com/VK_Intel/status/1323693700371914753 | — |
| link | https://twitter.com/malwrhunterteam/status/1321375502179905536 | — |
| link | https://github.com/vxunderground/VXUG-Papers/blob/main/Weaponizing%20Windows%20Virtualization/WeaponizingWindowsVirtualization.pdf | — |
| link | https://app.any.run/tasks/e19eff7c-6d0f-4b09-95da-23f6ab465bb1/ | — |
| url | http://344744.cloud4box.ru/files/locker/locker.exe | Source url |
| ip | 109.248.203.209 | — |
| windows-scheduled-task | Mouse Application | Next, it also schedules the malware as a task every minute using this Schtasks.exe command, which is run from cmd.exe using ShellExecuteA. |
Threat ID: 6828eab8e1a0c275ea6e1ed1
Added to database: 5/17/2025, 7:59:52 PM
Last enriched: 12/24/2025, 6:09:09 AM
Last updated: 2/7/2026, 5:41:39 AM