A new, sophisticated form of ransomware has been detected that uses advanced techniques to encrypt virtual hard drives and to close open files so they can be encrypted.
In terms of appearance, it does not contain a long-winded ransom note, and it uses email for communication. The ransomware explicitly targets Windows virtual machines. It uses an interesting technique: it mounts a virtual disk file so that each file inside it can be encrypted individually. To mount virtual disks for encryption, it calls the Windows Virtual Storage API functions OpenVirtualDisk, AttachVirtualDisk, and GetVirtualDiskPhysicalPath.
The ransomware also taps into the Windows Restart Manager API to terminate processes or Windows services that keep files open during encryption.
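For defenders, the pairing of the Virtual Storage API and the Restart Manager API in one process is a useful triage signal. The following is an added example, not code from the original report: it correlates image-load records and flags any non-allowlisted process that loaded both virtdisk.dll and rstrtmgr.dll. The Sysmon Event ID 7 record shape, the allowlist entries and the sample events are assumptions constructed for illustration.

```python
import ntpath
from collections import defaultdict

# DLLs behind the APIs named above: virtdisk.dll exports OpenVirtualDisk,
# AttachVirtualDisk and GetVirtualDiskPhysicalPath; rstrtmgr.dll is Restart Manager.
WATCHED = {"virtdisk.dll", "rstrtmgr.dll"}

# Assumption: images expected to load these DLLs here; tune per environment.
ALLOWLIST = {r"c:\windows\system32\vmms.exe", r"c:\windows\system32\msiexec.exe"}

# Constructed sample records using Sysmon Event ID 7 (image loaded) field names.
SAMPLE_EVENTS = [
    {"ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\msiexec.exe",
     "ImageLoaded": r"C:\Windows\System32\RstrtMgr.dll"},
    {"ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\vmms.exe",
     "ImageLoaded": r"C:\Windows\System32\VirtDisk.dll"},
    {"ProcessGuid": "{C3}", "Image": r"C:\Users\Public\update.exe",
     "ImageLoaded": r"C:\Windows\System32\VirtDisk.dll"},
    {"ProcessGuid": "{C3}", "Image": r"C:\Users\Public\update.exe",
     "ImageLoaded": r"C:\Windows\System32\RstrtMgr.dll"},
    {"ProcessGuid": "{D4}", "Image": r"C:\Tools\backup.exe",
     "ImageLoaded": r"C:\Windows\System32\VirtDisk.dll"},
]


def find_suspects(events, allowlist=ALLOWLIST):
    """Return images of processes that loaded every watched DLL and are not allowlisted."""
    loaded = defaultdict(set)  # (ProcessGuid, Image) -> watched DLLs seen so far
    for ev in events:
        dll = ntpath.basename(ev["ImageLoaded"]).lower()
        if dll in WATCHED:
            loaded[(ev["ProcessGuid"], ev["Image"])].add(dll)
    # A DLL load is only a triage signal: it does not prove the APIs were called.
    return sorted(
        image
        for (_guid, image), dlls in loaded.items()
        if dlls == WATCHED and image.lower() not in allowlist
    )


if __name__ == "__main__":
    for image in find_suspects(SAMPLE_EVENTS):
        print("review:", image)
```

Sysmon does not log image loads by default, so this correlation only works where Event ID 7 collection is enabled for these two DLLs.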