How to remove RegretLocker ransomware on Windows 10

Reading time icon 2 min. read


Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more

Key notes

How to remove RegretLocker ransomware on Windows 10

RegretLocker is a recently identified malicious software and classified as ransomware. Recently, it started to target Windows 10.

All systems infected with this ransomware have their data encrypted and all of the affected files are appended with the .mouse extension.

For example, a regular 1.jpg file would appear as 1.jpg.mouse. After the encryption process is complete, ransom notes titled How to restore files.txt are dropped into compromised folders.

Moreover, users receive ransom demands for the decryption. The issue is now affecting Windows Hyper-V virtual machine as well.

In this case, a virtual hard disk is created and stored in a VHD or VHDX file, containing a raw disk image, including a drive’s partition table and partitions.

How can I remove RegretLocker ransomware on Windows 10?

remove RegretLocker
  1. Press the Power button at the Windows login screen. Then, press and hold Shift, and click Restart.
  2. You can now select Troubleshoot > Advanced options > Startup Settings.
  3. Then, press Restart once again.
  4. Once your PC is active, select Enable Safe Mode with Command Prompt.
  5. Up next, enter cd restore and click Enter.
  6. Type rstrui.exe and press Enter again.
  7. When a new window appears, click Next and select a restore point that is prior to the infiltration of RegretLocker.
  8. After doing that, click Next.
  9. Finally, click Yes to confirm the system restore.

In order to remove RegretLocker ransomware on Windows 10, you simply need to apply the above steps. The code used by RegretLocker may have its source from a recently published security research.

When it comes to the affected Windows Hyper-V virtual machines, RegretLocker uses the Windows Virtual Storage API OpenVirtualDisk, AttachVirtualDisk, as well as GetVirtualDiskPhysicalPath functions to easily mount and compromise virtual disks.

Also, the Windows Restart Manager API is involved in the process, to terminate Windows services that keep a file open during encryption.

Have you been affected by the RegretLocker ransomware? Let us know if the above procedure proved to be useful in your case too.

[wl_navigator]

More about the topics: Ransomware

User forum

0 messages