ShrinkLocker: Turning BitLocker into Ransomware

Introduction

Attackers are continually developing sophisticated techniques to bypass defensive measures and achieve their goals. One highly effective approach involves exploiting the operating system's native features to evade detection and ensure compatibility. In the realm of ransomware threats, this can be seen in the use of the cryptographic functions within ADVAPI32.dll, such as CryptAcquireContextA, CryptEncrypt, and CryptDecrypt. By leveraging these functions, adversaries can execute malware that appears to mimic normal system behavior across various OS versions that support this DLL.

However, a recent incident has highlighted an even more cunning tactic: utilizing the native BitLocker feature to encrypt entire volumes and exfiltrate the decryption key. Originally designed to protect data on lost or stolen devices, BitLocker is now being repurposed by threat actors for malicious ends. This incident involved deploying an advanced VBS script to manipulate BitLocker for unauthorized encryption, impacting systems in Mexico, Indonesia, and Jordan. In this report, we analyze the malicious code and offer mitigation strategies to counter such threats.

VBScript Analysis

Code and Execution

The malicious script, stored at C:\ProgramData\Microsoft\Windows\Templates\Disk.vbs, initiates by converting a string to binary using an ADODB.Stream object for encoding data sent via HTTP POST requests. The script uses Windows Management Instrumentation (WMI) to gather system information and determines if it should proceed based on the OS version and domain status.

Initial Conditions for Execution

The script terminates if the OS is outdated (Windows XP, 2000, 2003, or Vista) or if the domain does not match the target. It then focuses on fixed drives (DriveType = 3), avoiding network drives to prevent detection by network security tools.

Disk Resizing Operations

The script performs disk resizing operations differently based on the OS version. For Windows Server 2008 and 2012, it shrinks non-boot partitions by 100 MB, formats the new partitions, and reinstalls boot files using bcdboot. For Windows 7, 8, and 8.1, similar operations are implemented with different code.

Registry Modifications

The script modifies several registry entries to configure BitLocker, including enabling BitLocker without TPM, requiring a startup PIN, and enforcing other security measures. These modifications are crucial for enabling BitLocker encryption on the target drives.

BitLocker Activation

After deleting existing BitLocker protectors to prevent recovery, the script generates a 64-character encryption key using a combination of system-specific data and sends this key to the attacker via an HTTP POST request. It then enables BitLocker using the generated key.

Covering Tracks

The script deletes itself and related files, clears PowerShell logs, reconfigures the firewall, and performs a system shutdown, leaving the victim with an encrypted system demanding a ransom.

Tactics, Techniques, and Procedures (TTPs)

The threat actor's extensive knowledge of VBScript, Windows internals, and utilities like WMI, diskpart, and bcdboot is evident. The following TTPs were identified:

Artifacts and Digital Forensics

The script's self-cleaning measures and drive encryption made forensic analysis challenging. However, some secure strings and network logs were obtained, providing critical insights into the attack. Ensuring comprehensive logging of both GET and POST requests is essential for detecting and analyzing such threats.

Recovery

Decrypting the affected systems proved difficult due to the variable nature of the encryption keys. While some passphrases were recovered, the unique values for each system complicated the decryption process.

Mitigations

Conclusion

Our incident response and malware analysis demonstrate that attackers continuously refine their tactics to evade detection. In this incident, the abuse of the native BitLocker feature for unauthorized encryption underscores the need for behavioral analysis to detect such threats. Organizations must adopt a proactive and comprehensive approach to cybersecurity, ensuring foresight in identifying and mitigating evolving threats.

About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.