New ransomware group abusing BitLocker
May 23, 2024, 3:24 p.m.
Description
The report examines an incident where threat actors leveraged Microsoft's BitLocker encryption utility to deploy unauthorized file encryption on targeted systems. The adversaries employed a sophisticated VBScript that resized disk partitions, modified registry entries, enabled BitLocker with randomized encryption keys, and exfiltrated the keys to a command-and-control server. The analysis provides insights into the malware's tactics, techniques, procedures, artifacts, and potential recovery methods, highlighting the creative abuse of legitimate system features by cybercriminals.
Date
Published: May 23, 2024, 2:49 p.m.
Created: May 23, 2024, 2:49 p.m.
Modified: May 23, 2024, 3:24 p.m.
Indicators
Attack Patterns
Trojan.Win32.Generic
Trojan-Ransom.VBS.BitLock.gen
Trojan.VBS.SAgent.gen
T1562.004
T1070.001
T1059.005
T1059.001
T1529
T1486
T1047
T1112
T1041
CVE-2024-30051
Additional Information
Jordan
Indonesia
Mexico