New ransomware group abusing BitLocker

May 23, 2024, 3:24 p.m.

Description

The report examines an incident in which threat actors used Microsoft's BitLocker, the legitimate full-volume encryption feature built into Windows, to encrypt victims' drives without authorisation. The adversaries ran a VBScript that resized disk partitions, modified registry entries, enabled BitLocker with randomly generated encryption keys, and sent those keys to a command-and-control server. The analysis covers the malware's tactics, techniques and procedures, the artifacts it leaves behind, and potential recovery methods, and highlights how criminals abuse built-in system features instead of shipping their own encryptor. Because the encryption itself is performed by a signed Windows component, controls that only flag unknown binaries will not stop it; the points to watch are the script and its WMI and registry activity, the BitLocker key-protector changes, and the outbound upload of the key.

Date

  • Created: May 23, 2024, 2:49 p.m.
  • Published: May 23, 2024, 2:49 p.m.
  • Modified: May 23, 2024, 3:24 p.m.

Indicators

  • https://earthquake-js-westminster-searched.trycloudflare.com:443/updatelog
  • https://generated-eating-meals-top.trycloudflare.com/updatelogead
  • https://generated-eating-meals-top.trycloudflare.com/updatelog
  • https://scottish-agreement-laundry-further.trycloudflare.com/updatelog
  • conspiracyid9@protonmail.com
  • onboardingbinder@proton.me
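
The following is an added example, not code from the report or from the malware author. It turns the indicators listed above into detection logic and runs it over constructed log lines. The URL indicators are matched exactly after normalising the default port (so the `:443` form and the bare form compare equal), and, as an assumption that goes beyond the report, any host under trycloudflare.com requesting an `/updatelog*` path is also flagged, because quick tunnels receive a fresh random hostname each time they are started, which makes exact-host matching brittle. The sample log lines, the made-up tunnel hostname in them and the ransom-note line are constructed for the example.

```python
# Added example (not from the report): match the listed network and e-mail
# indicators against log lines, and generalise the URL IOCs into a pattern.
import re
from urllib.parse import urlsplit

# Indicators copied verbatim from the report.
IOC_URLS = [
    "https://earthquake-js-westminster-searched.trycloudflare.com:443/updatelog",
    "https://generated-eating-meals-top.trycloudflare.com/updatelogead",
    "https://generated-eating-meals-top.trycloudflare.com/updatelog",
    "https://scottish-agreement-laundry-further.trycloudflare.com/updatelog",
]
IOC_EMAILS = {"conspiracyid9@protonmail.com", "onboardingbinder@proton.me"}

# Generalisation (assumption, not stated in the report): quick tunnels get a
# random hostname each time, so any *.trycloudflare.com host requesting an
# /updatelog* path is treated as a hit even when the exact hostname is new.
TUNNEL_SUFFIX = ".trycloudflare.com"
PATH_PREFIX = "/updatelog"

DEFAULT_PORT = {"http": 80, "https": 443}


def normalize(url):
    """Return (scheme, host, port, path) with the default port filled in,
    so 'https://h:443/p' and 'https://h/p' compare equal."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port or DEFAULT_PORT.get(scheme)
    path = p.path or "/"
    return scheme, host, port, path


IOC_URL_KEYS = {normalize(u) for u in IOC_URLS}


def classify_url(url):
    """'exact' for a listed IOC, 'pattern' for the generalised tunnel rule,
    None for anything else."""
    key = normalize(url)
    if key in IOC_URL_KEYS:
        return "exact"
    _, host, _, path = key
    if host.endswith(TUNNEL_SUFFIX) and path.startswith(PATH_PREFIX):
        return "pattern"
    return None


URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def scan(lines):
    """Return a list of (kind, indicator, line) for every hit in the lines."""
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            kind = classify_url(url)
            if kind:
                hits.append((kind, url, line))
        for addr in EMAIL_RE.findall(line):
            if addr.lower() in IOC_EMAILS:
                hits.append(("email", addr.lower(), line))
    return hits


# Constructed sample lines (not real telemetry): a generic proxy-log shape plus
# one line from a ransom note. The first URL is a listed IOC host without the
# explicit :443; the second uses a made-up tunnel hostname.
SAMPLE_LINES = [
    "2024-05-20T10:01:02Z 10.0.0.15 POST https://earthquake-js-westminster-searched.trycloudflare.com/updatelog 200",
    "2024-05-20T10:02:11Z 10.0.0.15 POST https://made-up-words-here.trycloudflare.com/updatelog 200",
    "2024-05-20T10:03:40Z 10.0.0.22 GET https://www.example.com/updatelog 404",
    "2024-05-20T10:04:05Z 10.0.0.22 GET https://some-demo-site.trycloudflare.com/index.html 200",
    "README.txt: send the volume ID to onboardingbinder@proton.me to negotiate",
]

if __name__ == "__main__":
    for kind, ioc, line in scan(SAMPLE_LINES):
        print(f"{kind:8} {ioc}  <-  {line}")
```

Run stand-alone it prints one exact hit, one pattern hit and one e-mail hit; the example.com line shares the path but not the tunnel domain, and the benign tunnel line shares the domain but not the path, so neither fires. Treat the pattern rule as a hunting lead rather than a blocking rule, since legitimate quick tunnels exist.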

Attack Patterns

  • Trojan.Win32.Generic (anti-malware detection name, not an ATT&CK technique)
  • Trojan-Ransom.VBS.BitLock.gen (anti-malware detection name, not an ATT&CK technique)
  • Trojan.VBS.SAgent.gen (anti-malware detection name, not an ATT&CK technique)
  • T1562.004 Impair Defenses: Disable or Modify System Firewall
  • T1070.001 Indicator Removal: Clear Windows Event Logs
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1529 System Shutdown/Reboot
  • T1486 Data Encrypted for Impact
  • T1047 Windows Management Instrumentation
  • T1112 Modify Registry
  • T1041 Exfiltration Over C2 Channel

Additional Information

  • Jordan
  • Indonesia
  • Mexico

Linked vulnerabilities