New ransomware group abusing BitLocker

May 23, 2024, 3:24 p.m.

Description

The report examines an incident where threat actors leveraged Microsoft's BitLocker encryption utility to deploy unauthorized file encryption on targeted systems. The adversaries employed a sophisticated VBScript that resized disk partitions, modified registry entries, enabled BitLocker with randomized encryption keys, and exfiltrated the keys to a command-and-control server. The analysis provides insights into the malware's tactics, techniques, procedures, artifacts, and potential recovery methods, highlighting the creative abuse of legitimate system features by cybercriminals.

Date

Published: May 23, 2024, 2:49 p.m.

Created: May 23, 2024, 2:49 p.m.

Modified: May 23, 2024, 3:24 p.m.

Indicators

https://earthquake-js-westminster-searched.trycloudflare.com:443/updatelog

https://generated-eating-meals-top.trycloudflare.com/updatelogead

https://generated-eating-meals-top.trycloudflare.com/updatelog

https://scottish-agreement-laundry-further.trycloudflare.com/updatelog

conspiracyid9@protonmail.com

onboardingbinder@proton.me

Attack Patterns

Trojan.Win32.Generic

Trojan-Ransom.VBS.BitLock.gen

Trojan.VBS.SAgent.gen

T1562.004

T1070.001

T1059.005

T1059.001

T1529

T1486

T1047

T1112

T1041

CVE-2024-30051

Additional Information

Jordan

Indonesia

Mexico