Microsoft: Iranian Hackers Encrypt Windows Systems via BitLocker

Microsoft: Iranian hackers encrypt Windows systems via BitLocker

The group, known as DEV-0270, exploits known vulnerabilities and is not only pursuing political or strategic goals. As an alternative to BitLocker, the group also relies on the open-source tool DiskCryptor.

Microsoft has analyzed a series of cyberattacks that use Microsoft’s BitLocker encryption technology to encrypt Windows systems and render them unusable. Microsoft’s threat intelligence team attributed the attacks to a group called DEV-0270, which is believed to be an offshoot of the Iranian-backed Phosphorus group.

DEV-0270, also known as Nemesis Kitten, is said to primarily use known vulnerabilities to compromise networks and inject ransomware. Based on the selection of targets, which apparently do not always have strategic value to the Iranian government, Microsoft believes that some attacks have solely monetary goals

“DEV-0270 exploits high severity vulnerabilities to gain access to devices and is known to take early advantage of newly discovered vulnerabilities. DEV-0270 also makes extensive use of living-off-the-land binaries (LOLBINs) throughout the attack chain to discover and access credentials. This also extends to misuse of the built-in BitLocker tool to encrypt files on compromised devices,” Microsoft wrote in a blog post.

Alternatively, encryption is done with DiskCryptor

According to the analysis, the Iranian hackers use known exploits for vulnerabilities such as ProxyLogon and Log4j, however, no ransomware has been infiltrated via the latter so far. They also reportedly set up new user accounts and scheduled tasks to gain permanent access to a system.

BitLocker encryption is activated with commands from a batch file, he said. “This caused the computers to become inoperable,” Microsoft added. “For workstations, the group uses DiskCryptor, an open-source full disk encryption system for Windows that enables encryption of a device’s entire hard drive. The group drops DiskCryptor from an RDP session, and when it is started, encryption begins. This method requires a reboot to install and another reboot to lock access to the workstation.”

The group makes ransom demands within two days of first accessing a system, according to Microsoft. In at least one case, an amount of $8,000 was demanded. Like other cyber extortionists, however, DEV-0270 takes a two-pronged approach. In one attack where the victim did not pay a ransom, stolen data was subsequently released, it said.