This Is A New One…. Microsoft BitLocker Is Being Used In Ransomware Attacks

If you’re not familiar with Microsoft BitLocker, it’s the native full-disk encryption feature for Microsoft Windows, but only in the business and enterprise editions; the consumer editions of Windows 10 and 11 don’t have it. Enterprises around the world use it to encrypt the data on their hard drives for security reasons. But it appears that threat actors are also using it to launch ransomware attacks, according to Microsoft:

Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran. However, judging from their geographic and sectoral targeting, which often lacked a strategic value for the regime, we assess with low confidence that some of DEV-0270’s ransomware attacks are a form of moonlighting for personal or company-specific revenue generation. This blog profiles the tactics and techniques behind the DEV-0270/PHOSPHORUS ransomware campaigns. We hope this analysis, which Microsoft is using to protect customers from related attacks, further exposes and disrupts the expansion of DEV-0270’s operations.

DEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities. DEV-0270 also extensively uses living-off-the-land binaries (LOLBINs) throughout the attack chain for discovery and credential access. This extends to its abuse of the built-in BitLocker tool to encrypt files on compromised devices.

In some instances where encryption was successful, the time to ransom (TTR) between initial access and the ransom note was around two days. The group has been observed demanding USD 8,000 for decryption keys. In addition, the actor has been observed pursuing other avenues to generate income through their operations. In one attack, a victim organization refused to pay the ransom, so the actor opted to post the stolen data from the organization for sale packaged in an SQL database dump.

I have to admit that this is novel, as the threat actors are using built-in tools to pwn their targets. The Microsoft report has mitigation strategies that you should read and implement, because it seems that we’re going to hear more about this in the weeks and months to come.
