New Ransomware Tool - BitLocker
Researchers from Kaspersky's GERT have uncovered a new cyberattack that utilises the native Windows protection tool, BitLocker, to encrypt victims' disks.
The malicious software, known as ShrinkLocker, is executed as a complex VBScript that reduces the computer's disk partitions by 100 MB, creates a boot partition from the freed space, and activates BitLocker protection for the primary disks. Following this, all BitLocker key recovery tools are removed, the key itself is transmitted to the attackers' server via a single POST request through a Cloudflare tunnel, and the computer is rebooted, leaving the user faced with the BitLocker password entry screen. In this scenario, there is no conventional ransom note, so all system disk labels are altered to display the attackers' contact email.
The script is compatible with all Windows versions starting from 7 and Server 2008.
For advice on how to prevent such LOTL ransomware attacks and a comprehensive analysis of the script, read more on Securelist securelist.com/ransomware-abu… #news #ransomware #LOTL #cybersecurity
#MalwareAnalysis tip: I've been using "shellcode2exe" a lot lately. It makes it a lot easier to statically analyze and especially debug shellcode, or run the shellcode in a sandbox. Shellcode2exe basically adds a PE header to your raw shellcode. 🤓
Any similar tools you all use?
Today our researchers have found a new sample which belongs to the #Kimsuky #APT group
ITW: 946f787c129bf469298aa881fb0843f4
filename: 210927 코로나 대응(보령-태안1)_취합_수정.PIF
C2: hxxp://movie.youtoboo.kro.kr/test.php
ITW: e33a34fa0e0696f6eae4feba11873f56
filename: Icon.pif