Two sentences summarizing the article: Threat actors repurpose BitLocker to encrypt drives and exfiltrate the decryption data using a self-contained VBScript tool that leverages Windows internals (WMI, diskpart, bcdboot) to resize, re-partition, and reinstall boot files while avoiding detection. The operation includes key generation, key theft, data exfiltration via HTTP POST, and extensive anti-forensic steps to cover tracks. #BitLocker #ShrinkLocker #SAgent #trycloudflare #VBScript
Keypoints
- Attackers abuse BitLocker Drive Encryption to encrypt drives and demand ransom, including stealing the decryption key.
- A VBScript-based payload uses Windows internals (WMI, diskpart, bcdboot) to detect OS version, resize local drives, create unallocated space, and reformat partitions.
- The malware disables or bypasses security controls by modifying the registry and applying BitLocker settings that remove the TPM requirement.
- Registry changes enable non-TPM BitLocker usage, PIN usage, and various TPM-related startup options, with automatic reboots if errors occur.
- The attacker collects system data and the generated 64-character encryption key, then exfiltrates this information via HTTP POST to a C2 hosted on trycloudflare domains.
- The threat actor deletes PowerShell logs, clears event logs, disables or alters firewall rules, and deletes execution artifacts to hinder forensics and enable a forced shutdown.
- MITRE techniques mapped include VBScript execution, WMI, PowerShell, data encryption, system shutdown, log clearing, registry modification, firewall changes, and exfiltration over web services.
MITRE Techniques
- [T1059.005] Command and Scripting Interpreter: Visual Basic – The analysis shows extensive VBScript usage and Windows internals expertise. "The analysis showed that this threat actor has an extensive understanding of the VBScript language, and Windows internals and utilities, such as WMI, diskpart, and bcdboot."
- [T1047] Windows Management Instrumentation – The script uses WMI to query OS information via the Win32_OperatingSystem class. "The first step by the main function of the script is to use Windows Management Instrumentation (WMI) to query information about the operating system with the help of the Win32_OperatingSystem class."
- [T1059.001] Command and Scripting Interpreter: PowerShell – The script relies on PowerShell for critical operations, including removing protectors. "and the script uses PowerShell to force the deletion of the protectors."
- [T1486] Data Encrypted for Impact – BitLocker is used to encrypt entire volumes, and the decryption key is stolen. "using the native BitLocker feature to encrypt entire volumes and stealing the decryption key."
- [T1529] System Shutdown/Reboot – The operation includes a forced shutdown after encryption and cleanup. "the malware performs a forced shutdown."
- [T1070.001] Clear Windows Event Logs – The malware clears logs to erase traces. "deletes the Windows PowerShell and Microsoft-Windows-PowerShell/Operational logs."
- [T1112] Modify Registry – Registry entries are added to enable BitLocker without a TPM and to change startup behavior. "the following registry entries"
- [T1562.004] Disable or Modify System Firewall – The malware turns on the firewall and deletes its rules to alter defenses. "turns on the system firewall and deletes all of its rules."
- [T1041] Exfiltration Over Web Service – Data is sent via HTTP POST to an attacker-controlled endpoint. "The malware creates an HTTP POST request object... The attackers used the domain trycloudflare.com to obfuscate their real address."
Indicators of Compromise
- [URLs] – Context: C2/update log communications and exfiltration endpoints. Example URLs: hxxps://scottish-agreement-laundry-further[dot]trycloudflare.com/updatelog, hxxps://generated-eating-meals-top[dot]trycloudflare.com/updatelog, and 2 more URLs
- [Emails] – Context: attacker contact/info channels used. Example: onboardingbinder[at]proton[dot]me, conspiracyid9[at]protonmail[dot]com
- [MD5 Hashes] – Context: sample hash associated with the drop/loader. Example: 842f7b1c425c5cf41aed9df63888e768
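The exfiltration pattern described above (HTTP POST to a trycloudflare.com quick-tunnel hostname, path /updatelog) is something a defender can hunt for in web-proxy logs. The following detector is an added example written for this summary; it is not code from the Securelist article or from the malware. The log line format, the source-host names and the timestamps are constructed; the two trycloudflare.com hostnames are the refanged forms of the URL indicators listed above.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (format: timestamp client method url status bytes).
# The two trycloudflare.com hostnames come from the IoC list above; the rest
# is made up for the example.
SAMPLE_PROXY_LOG = """\
2024-05-20T10:01:12Z WS01 POST https://scottish-agreement-laundry-further.trycloudflare.com/updatelog 200 1843
2024-05-20T10:02:03Z WS01 GET https://www.example.com/ 200 512
2024-05-20T10:05:44Z WS02 POST https://generated-eating-meals-top.trycloudflare.com/updatelog 200 1791
2024-05-20T10:06:10Z WS02 POST https://some-other-words.trycloudflare.com/api/upload 200 900
2024-05-20T10:07:00Z WS03 POST https://intranet.example.local/api/report 200 4096
this line is not a valid log record
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
    r"\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)

TUNNEL_DOMAIN = "trycloudflare.com"   # quick-tunnel domain named in the article
EXFIL_PATH = "/updatelog"             # path used by the listed C2 URLs


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    parsed = urlparse(rec["url"])
    rec["dst_host"] = (parsed.hostname or "").lower()
    rec["path"] = parsed.path
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_quick_tunnel_host(host):
    """True for trycloudflare.com itself or any subdomain of it (not lookalikes)."""
    return host == TUNNEL_DOMAIN or host.endswith("." + TUNNEL_DOMAIN)


def find_suspicious_posts(log_text):
    """Return POSTs to quick-tunnel hosts.

    A POST to the exact /updatelog path matches the article's C2 pattern and is
    rated "high"; any other POST to a trycloudflare.com host is rated "medium",
    since quick tunnels are also used legitimately by developers.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not is_quick_tunnel_host(rec["dst_host"]):
            continue
        severity = "high" if rec["path"] == EXFIL_PATH else "medium"
        hits.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst_host": rec["dst_host"],
            "path": rec["path"],
            "bytes": rec["bytes"],
            "severity": severity,
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_posts(SAMPLE_PROXY_LOG):
        print(f"[{hit['severity']:>6}] {hit['ts']} {hit['src']} -> "
              f"{hit['dst_host']}{hit['path']} ({hit['bytes']} bytes)")
```

The host check deliberately requires a dot before the domain so that a lookalike such as `nottrycloudflare.com` is not matched, and the two-tier severity keeps the generic quick-tunnel rule from drowning out the specific /updatelog signature. On its own a proxy hit is only a lead; correlate it with the endpoint-side events the summary lists (PowerShell log deletion, cleared event logs, firewall rule deletion, and BitLocker policy changes in the registry) before treating a host as compromised.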
Read more: https://securelist.com/ransomware-abuses-bitlocker/112643/