Attackers always find creative ways to bypass defensive features and accomplish their goals. This can be done with packers, crypters, and code obfuscation. However, one of the best ways of evading detection, as well as maximizing compatibility, is to use the operating system’s own features. In the context of ransomware threats, one notable example is leveraging exported functions present in the cryptography DLL
ADVAPI32.dll, such as
CryptAcquireContextA,
CryptEncrypt, and
CryptDecrypt. In this way, the adversaries can make sure that the malware can run and simulate normal behavior in various versions of the OS that support this DLL.
Although this seems smart enough, another clever technique caught our attention in a recent incident response engagement: using the native BitLocker feature to encrypt entire volumes and stealing the decryption key. The original purpose of BitLocker is to address the risks of data theft or exposure from lost, stolen, or improperly decommissioned devices. Nonetheless, threat actors have found out that this mechanism can be repurposed for malicious ends to great effect.
In that incident, the attackers were able to deploy and run an advanced VBS script that took advantage of BitLocker for unauthorized file encryption. We spotted this script and its modified versions in Mexico, Indonesia, and Jordan. In the sections below, we analyze in detail the malicious code obtained during our incident response effort and provide tips for mitigating this kind of threat.
This is not the first time we have seen BitLocker used for encrypting drives and demanding a ransom. Previously, attackers
used this Microsoft utility to encrypt critical systems after accessing and controlling these. In this case, however, the adversary took additional steps to maximize the damage from the attack and hinder an effective response to the incident.
securelist.com
