ShtëpiMenaxhimi i riskutShrinkLocker: Turning BitLocker into ransomware - Source: securelist.com

ShrinkLocker: Turning BitLocker into ransomware – Source: securelist.com

Publikuar më

spot_img

In a recent incident response engagement, a clever technique involving the misuse of the native BitLocker feature to encrypt entire volumes and steal decryption keys was identified. Attackers deployed an advanced VBS script that exploited BitLocker for unauthorized file encryption. The script was detected in various regions including Mexico, Indonesia, and Jordan. A detailed analysis of the malicious code revealed the tactics used by the threat actors and provided insights for mitigating such threats.

The attackers did not obfuscate the code, indicating they had full control of the target system when the script was executed. The script utilized Windows Management Instrumentation (WMI) to gather system information and identified specific Windows versions to determine further actions. It performed disk resizing operations on fixed drives by shrinking non-boot partitions, creating new primary partitions, and formatting them with specific settings. The script also made registry modifications to enable various security features and encryption options.

Further analysis exposed the script’s networking capabilities, as it created an HTTP POST request object to communicate with a Command and Control (C2) server. The script included details about the machine and generated encryption keys to be sent in the request. The attackers used obfuscation techniques with a legitimate domain trycloudflare.com to obscure their actual address.

Additionally, the script covered its tracks by removing BitLocker protectors, deleting certain files and registry entries, clearing logs, disabling system firewalls, and creating a forced shutdown. The recovery process for decrypting affected systems proved challenging due to unique variable values, making it difficult to obtain consistent decryption keys.

To mitigate such threats, it is advised to use robust Endpoint Protection Platforms (EPP), implement Managed Detection and Response (MDR) services, maintain strong BitLocker passwords, restrict user privileges, monitor network traffic, log PowerShell and VBS activity, backup data regularly, and store backups offline. Behavioral analysis for threat detection is vital in such scenarios where traditional rule-based methods may fail.

Our incident response and malware analysis provided insights into the evolving tactics used by threat actors to evade detection and carry out malicious activities. Kaspersky products are equipped to detect this threat with specific verdicts related to Trojan and Ransomware activities.

Indicators of compromise such as specific URLs, email addresses, and MD5 hashes have been identified for tracking malicious activities. Organizations are encouraged to remain vigilant and implement proactive security measures to defend against such sophisticated threats.

Lidhja e burimit

Artikujt e fundit

The Cybersecurity Game of Cat and Mouse

In the ever-evolving landscape of cybersecurity, the battle between threat actors and defenders continues...

Spy agencies describe ramped up election influence in latest check-in

U.S. intelligence agencies have issued a warning that foreign actors are intensifying their efforts...

How I Responded to Hackers Targeting Me – AARP

When faced with a cyber attack, many people may feel overwhelmed and unsure of...

September 2024 Patch Tuesday forecast: Downgrade is the new exploit

In the latest Patch Tuesday update for August 2024, Microsoft released a limited set...

Më shumë si kjo

The Cybersecurity Game of Cat and Mouse

In the ever-evolving landscape of cybersecurity, the battle between threat actors and defenders continues...

Spy agencies describe ramped up election influence in latest check-in

U.S. intelligence agencies have issued a warning that foreign actors are intensifying their efforts...

How I Responded to Hackers Targeting Me – AARP

When faced with a cyber attack, many people may feel overwhelmed and unsure of...
sqAlbanian