How ransomware abuses BitLocker
Common Information
Type Value
UUID a3a738c4-78b6-4b5d-be7f-56b253b5d74a
Fingerprint bc96286f6d60abc7
Analysis status DONE
Considered CTI value 2
Text language
Published May 23, 2024, noon
Added to db Oct. 1, 2024, 3:43 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline ShrinkLocker: Turning BitLocker into ransomware
Title How ransomware abuses BitLocker
Detected Hints/Tags/Attributes 82/3/44
Attributes
Type                     #Events  Value
Domain                        74  adodb.stream
Domain                       372  wscript.shell
Domain                        15  trycloudflare.com
Domain                       338  kaspersky.com
Email                          2  gert@kaspersky.com
File                         229  advapi32.dll
File                           1  c:\programdata\microsoft\windows\templates\ as disk.vbs
File                        1208  powershell.exe
File                           1  protector.key
File                           1  httprequest.opt
File                          13  scheduledtasks.xml
File                           2  login.vbs
File                           2  disk.vbs
File                           1  c:\programdata\microsoft\windows\templates\disk.vbs
File                          20  trojan.vbs
File                           1  trojan-ransom.vbs
md5                            1  842f7b1c425c5cf41aed9df63888e768
MITRE ATT&CK Techniques      137  T1059.005
MITRE ATT&CK Techniques      310  T1047
MITRE ATT&CK Techniques      460  T1059.001
MITRE ATT&CK Techniques      472  T1486
MITRE ATT&CK Techniques       48  T1529
MITRE ATT&CK Techniques       92  T1070.001
MITRE ATT&CK Techniques      550  T1112
MITRE ATT&CK Techniques       70  T1562.004
MITRE ATT&CK Techniques      422  T1041
Url                            1  https://generated-eating-meals-top[dot]trycloudflare.com/updatelog
Url                            1  https://generated-eating-meals-top[dot]trycloudflare.com/updatelogead
Url                            1  https://earthquake-js-westminster-searched[dot]trycloudflare.com:443/updatelog
Windows Registry Key           1  HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPMPIN
Windows Registry Key           1  HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPMKey
Windows Registry Key           1  HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPMKeyPIN
Windows Registry Key           1  HKLM\SOFTWARE\Policies\Microsoft\FVE\EnableNonTPM
Windows Registry Key           1  HKLM\SOFTWARE\Policies\Microsoft\FVE\UsePartialEncryptionKey
Windows Registry Key           1  HKLM\SOFTWARE\Policies\Microsoft\FVE\UsePIN
Windows Registry Key           1  HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\UseAdvancedStartup
Windows Registry Key           1  HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\EnableBDEWithNoTPM
Windows Registry Key           1  HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\UseTPM
Windows Registry Key           1  HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\UseTPMPIN
Windows Registry Key           1  HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\UseTPMKey
Windows Registry Key           1  HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\UseTPMKeyPIN
Windows Registry Key           1  HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\EnableNonTPM
Windows Registry Key           1  HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\UsePartialEncryptionKey
Windows Registry Key           1  HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\UsePIN