Great protagonist of the “as-a-service” universe, Ransomware is among the most dangerous attacks today, reaching the mark of 1 infection every 11 seconds in 2021 and resulting in almost US$ 20 billion in damages.
By involving a complex ecosystem composed of different business models within cybercrime, from selling initial access to deploying malicious files in the cloud and double extortion, ransomware is one of the main responsible in the supply chain necessary for malicious activities to continue happening in the digital world.
Although the detection mechanisms of Operating Systems and Protection Software work for most of the malicious behavior identified in Ransomware files, the techniques used by threat actors are increasingly aiming to go through these mechanisms and not compromise the infection before carrying out the data encryption.
So a good part of hackers started to invest in anti-detection mechanisms making automated and human analysis more difficult, as I can identify daily in the analysis activities, I develop on ransomware families like Lapsus, Ryuk, and BitLocker, among others.
BitLocker Ransomware: How Is It Hidden?
As already mentioned, the need to prevent detection and be efficient in the process of data unavailability leads hackers to explore the entire arsenal of malicious processes distributed on the DarkWeb and, mainly, to explore the legitimate processes of the standard systems used by every user.
This is the case with the BitLocker Ransomware that uses a Windows tool to encrypt files without being detected by antivirus or other existing detection tools. This tool is called BitLocker and names the actors responsible for the attacks.
Known for heavily social engineering through malicious spam (email and SMS) and exploiting several recent Microsoft Exchange vulnerabilities to achieve initial infection of a victim, the group behind this malware family is even better known for exploiting the Microsoft engine that allows you to encrypt your entire HDD drive without adding an extension.
Opting for this encryption tactic requires a little more from the group, as they have to take control of the system through remote access to perform the procedure. But at the same time, it makes suspicious actions less visible, as detection systems will likely consider completely common and legitimate behavior of native software.
A worrying fact is that with this remote access, the privileges granted to the attacker are generally equal to or greater than those granted to the user, so it is common for the malware to use these privileges to activate encryption and move laterally in the system. Compromised in search of the supply chain, backup systems, and specific user or server credential information.
If the infected machine does not have a ‘data partition’ other than the OS partition, the malware has the ability to create a file containing a virtual partition and move all user documents there; this process is well known as ‘VHD Locker’. Ransomware’.
Once encryption is done using a complex password that is sent to the attackers’ servers, the victim’s machine is then rebooted. With the data already unavailable, a Word document or a .TXT file appears on the victim’s desktop with instructions on possible contacts and the rescue, which must be paid in bitcoin to the address provided in the note in question.
Windows BitLocker: What’s the Point?
Microsoft BitLocker is a built-in Windows security feature that encrypts everything on the drive Windows is installed on and provides more protection when used with the Hardware Trusted Platform Module (TPM), which is responsible for performing an authentication check on hardware, software, and firmware.
The purpose is to provide protection for the machine’s operating system as well as the data stored on it and to ensure that the data remains encrypted even if the computer or user is modified.
In theory, this helps protect against certain cloud attacks, offline attacks, or attackers arising from the physical removal of the hard drive to attack the data separately.
In practice, Microsoft delivered more security to the user, but it also ended up allowing and even providing ways for attackers to develop specific techniques using behaviors that are more difficult to detect.
But Finally, Does BitLocker Protect Against Ransomware?
One of the questions I see the most in my Malware studies is how Bitlocker and encryption can help with Malware attacks, especially Ransomware. In fact, this and other mechanisms capable of combining the disk encryption process and special key management techniques are a very efficient set of solutions against some attacks, but unfortunately, they cannot protect you from all ransomware.
The purpose of BitLocker is to ensure that the contents of your hard drive can only be inspected by those with legitimate privileges to log into the system. But it all depends on how the Ransomware is programmed to behave in the compromised environment. If the malicious actor has full access to your OS, nothing can stop them from encrypting anything they want, including BitLocker-encrypted volumes.
To be honest, a scenario where BitLocker manages to block some ransomware only happens if that ransomware doesn’t consider the layer on which BitLocker works.
I’ve also wondered if it’s possible to encrypt already encrypted files (so if I turned on BitLocker before Hacker, I’d be safe!), but I have to say that ransomware can encrypt encrypted files, yes.
In addition, it is also possible to recover BitLocker encryption keys or even discard the original ones and exchange them for others, as Robert Schwass concluded in his research on BitLocker pre-boot recovery and the feature introduced starting with Windows 8, where the operating system drive is now encrypted without the need for a Trusted Platform Module (TPM) and even a USB drive.
But by using data encryption software, you can be closer to controlling security policies that prevent malicious users and rogue processes from gaining access to your sensitive information. While, in general, this method is not completely effective, it can work in some cases where the malicious actor is just looking to capture the victim’s data and credentials to sell later and doesn’t mind encrypting them and demanding rescue.
Ransomware Defense: What is the Best Protection?
Considering the Modus Operandi described in this article and the human and technological risks exploited by the most diverse types of ransomware attacks, it is evident that there is no single action to be taken that totally and immediately prevents the problem.
Basically, what needs to be done is to apply best practices in information security, some of which have long been discussed by researchers and practitioners, such as the following:
- Adopt and implement endpoint, antivirus, and specialized protection software for the entire enterprise and supply chain
- Invest in vulnerability management and threat monitoring, including GV-GC, Cyber Threat Intelligence, SOC, and Incident Response, in order to gain more knowledge about the malicious scenario your environment must be protected from
- Log and event detection using detection rules like Yara, Snort, and Sigma
- Registration of IOCs identified in malicious campaigns, implementing methodologies such as Mitre Attack and Cyber Kill Chain.
- Focus on efficient access control management
- Deep work on recovering leaked customer and employee data and mitigating exposure
- Employee awareness of Privacy, Spam, Phishing, Malware, and Social Engineering in general
- Backup routine to keep data available even if an attack occurs
These are some of the ways I see as possible to anticipate an attack of this level. That is, good practice of defending and protecting against ransomware should begin before any attacks occur. Waiting until the ransomware attack reaches your network to take action may already be too late and is not advisable with the current scenario and its growing trend.