New Ransomware is Hijacking Windows BitLocker to Encrypt & Steal files

Attackers are abusing legitimate operating-system features for malicious ends: in a recent incident, ransomware leveraged Windows BitLocker to encrypt drives.

The attackers deployed a VBScript that abuses BitLocker and steals the decryption key, rendering the data inaccessible. The technique has been observed in multiple locations and demonstrates a cunning way to bypass security measures while maintaining compatibility across various systems.

The VBScript analyzed appears to be malware targeting specific Windows systems: it leverages WMI to gather OS information and only executes on certain versions (XP, 2000, 2003, Vista), and it avoids network drives.

(Figure: Stream_StringToBinary function)

The script first converts strings to binary (for potential data exfiltration), then queries the local disks (excluding removable and network drives) and attempts to shrink every non-boot partition by 100 MB.

This creates unallocated space, which the script splits into new 100 MB partitions that it formats, assigns drive letters to, and activates. The lack of obfuscation suggests the attackers already controlled the system.

(Figure: Initial conditions for execution)

The code shrinks a disk partition, modifies the system to enforce stricter security settings, and uses the bcdboot utility to reinstall the boot files onto the newly created partition.

(Figure: Boot files reinstall)

The script then modifies registry entries to disable Remote Desktop Protocol (RDP) connections and enforce smart card authentication. 

Additionally, it enables BitLocker Drive Encryption and permits various authentication methods, including TPM and PIN; the malware checks for the required BitLocker services and starts them if necessary.

(Figure: Registry modifications)

According to Securelist, the malicious script changes the drive label and deletes the existing BitLocker protectors to disable data recovery, then generates a random encryption key and enables BitLocker with password protection.

(Figure: Protectors deletion)

The script sends information about the machine, along with the password, to the attacker's server. To cover its tracks, it deletes related files, clears event logs, enables the firewall, deletes firewall rules, and deletes scheduled tasks. Finally, it forces a shutdown, and the victim is presented with a BitLocker screen that offers no recovery options.

(Figure: BitLocker recovery screen)

The attacker used VBScript, PowerShell, and Windows Management Instrumentation (WMI) for execution. The attack resulted in data encryption and a system shutdown/reboot; to evade defenses, the attacker cleared Windows event logs, modified the registry, and disabled the firewall.
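The behaviours described above (bcdboot reinstall, RDP and smart card registry changes, protector deletion, password protector, log clearing, forced shutdown) are each individually unremarkable on an administered Windows host; what distinguishes this incident is their co-occurrence on one machine within minutes. The following is an added example of a detection-side correlation check over process-creation telemetry, written for this article and not code from the article, from Securelist or from the malware itself. The command-line patterns, the field layout `(host, iso_timestamp, cmdline)`, the sample events and the 30-minute window are all assumptions; in particular, the real script drove much of this through WMI rather than the command-line tools matched here, so process telemetry alone will not see every stage.

```python
"""Correlate native-tool command lines that match the stages described
in the write-up and alert when several distinct stages land on one host
inside a short window. Added example; patterns and sample data are
assumptions, not the incident's real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per stage the article attributes to the script. The tool
# syntax (manage-bde, wevtutil, reg, bcdboot, shutdown) is standard
# Windows; mapping it to the incident is this example's assumption.
STAGES = {
    "bcdboot_reinstall":  re.compile(r"\bbcdboot(\.exe)?\b", re.I),
    "rdp_disabled":       re.compile(r"fDenyTSConnections\b.*\b1\b", re.I),
    "smartcard_forced":   re.compile(r"\bscforceoption\b.*\b1\b", re.I),
    "protectors_deleted": re.compile(r"manage-bde(\.exe)?\b.*-protectors\b.*-delete\b", re.I),
    "password_protector": re.compile(r"manage-bde(\.exe)?\b.*-protectors\b.*-add\b.*-pw\b", re.I),
    "logs_cleared":       re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "forced_shutdown":    re.compile(r"\bshutdown(\.exe)?\b.*\s[/-][rs]\b", re.I),
}


def classify(cmdline):
    """Return the names of every stage whose pattern matches one command line."""
    return [name for name, pat in STAGES.items() if pat.search(cmdline)]


def correlate(events, window=timedelta(minutes=30), min_stages=3):
    """events: iterable of (host, iso_timestamp, cmdline).

    For each host, slide a window starting at every matched event and
    collect the distinct stages inside it. Hosts whose best window holds
    at least `min_stages` stages are returned as {host: [stage, ...]},
    stages in time order. A lone log clearing by an admin never alerts.
    """
    per_host = defaultdict(list)
    for host, ts, cmd in events:
        for stage in classify(cmd):
            per_host[host].append((datetime.fromisoformat(ts), stage))

    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        best = []
        for i, (start, _) in enumerate(hits):
            seen = []
            for t, stage in hits[i:]:
                if t - start > window:
                    break
                if stage not in seen:
                    seen.append(stage)
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_stages:
            alerts[host] = best
    return alerts


# Constructed sample telemetry (not real logs): WS-01 shows the chain the
# article describes compressed into a few minutes; WS-02 shows routine
# administration that touches only one stage.
SAMPLE_EVENTS = [
    ("WS-01", "2024-05-20T02:10:05", r"bcdboot.exe C:\Windows /s E:"),
    ("WS-01", "2024-05-20T02:10:40",
     r'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f'),
    ("WS-01", "2024-05-20T02:10:41",
     r"reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v scforceoption /t REG_DWORD /d 1 /f"),
    ("WS-01", "2024-05-20T02:11:30", r"manage-bde.exe -protectors -delete C:"),
    ("WS-01", "2024-05-20T02:11:32", r"manage-bde.exe -protectors -add C: -pw"),
    ("WS-01", "2024-05-20T02:15:00", r"wevtutil.exe cl Security"),
    ("WS-01", "2024-05-20T02:15:20", r"shutdown.exe /s /f /t 0"),
    ("WS-02", "2024-05-20T09:00:00", r"manage-bde.exe -status C:"),
    ("WS-02", "2024-05-20T09:05:00", r"wevtutil.exe cl Application"),
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {len(stages)} stages -> {', '.join(stages)}")
```

The point of the sliding window rather than a single first-hit anchor is that a benign `wevtutil cl` a week earlier must not either trigger or mask the later burst; the threshold of three distinct stages is a starting value to tune against your own fleet's admin activity, and the `protectors_deleted` stage in particular deserves its own lower-priority alert, since the article notes that removing protectors is what leaves the victim without a recovery option.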

(Figure: Secure strings obtained)

Third-party service logs helped identify the encryption keys, whereas network logs were not helpful because POST requests were not being logged. Unaffected systems were found to lack BitLocker encryption, which allowed further analysis.

Decrypting attacker-encrypted systems is partially feasible because we can recover some of the encryption key components (passphrases and fixed values). However, the script also uses variable values unique to each system, and that added complexity hinders decryption.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
