Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks

Ransomware?

Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s personal data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion.

This type of attack takes advantage of human, system, network, and software vulnerabilities to infect the victim’s device—which can be a computer, printer, smartphone, wearable, point-of-sale (POS) terminal, or other endpoint.


There are thousands of strains of ransomware. Below we list a few malware examples that made a global impact and caused widespread damage.

A ransomware group operating under the moniker Cobalt Mirage, which is linked to an Iranian hacking crew dubbed Cobalt Illusion (also known as APT35, Charming Kitten, Newscaster, or Phosphorus), has been linked to a string of file-encrypting malware attacks targeting organizations in Israel, the U.S., Europe, and Australia.

The threat actors completed the attack with an unusual tactic of sending a ransom note to a local printer. The note includes a contact email address and Telegram account to discuss decryption and recovery.

The threat actor is said to have conducted two different sets of intrusions, one of which relates to opportunistic ransomware attacks involving the use of legitimate tools like BitLocker and DiskCryptor for financial gain. The second set of attacks is more targeted, carried out with the primary goal of securing access and gathering intelligence, while also deploying ransomware in select cases.
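As an added defender-side example (not from the article or the researchers it cites), the following Python hunting snippet scans constructed process-creation events for the kind of living-off-the-land disk-encryption abuse described above, where legitimate tools such as BitLocker's manage-bde.exe or DiskCryptor's console binary are driven by an account that should not be encrypting volumes. The sanctioned-account list, the suspicious-argument patterns, the DiskCryptor binary name and the sample events are all assumptions.

```python
"""Hunt process-creation events for abuse of legitimate disk-encryption tools.

Added example, not code from the original article. Assumptions: the signal is
manage-bde.exe (BitLocker) or dccon.exe/dcrypt.exe (DiskCryptor) launched by an
account that is not the endpoint-management service account, and/or with
arguments that turn encryption on, add a password protector, or delete the
existing protectors (which breaks normal recovery). Sample data is constructed."""
import re
from dataclasses import dataclass

SANCTIONED_ACCOUNTS = {"CORP\\svc-bitlocker"}  # assumption: only this account encrypts
ENCRYPTION_TOOLS = re.compile(r"(?:^|\\)(manage-bde|dccon|dcrypt)\.exe$", re.I)
SUSPICIOUS_ARGS = [  # assumed patterns worth a closer look
    re.compile(r"\s-on\s", re.I),                                   # turn encryption on
    re.compile(r"-protectors\s+-add\b.*-(?:pw|password)\b", re.I),  # attacker-chosen password
    re.compile(r"-protectors\s+-delete\b", re.I),                    # strip existing protectors
]

@dataclass
class ProcEvent:
    host: str
    user: str
    image: str          # full path of the executable that was started
    command_line: str

def score_event(ev):
    """Return reasons this event looks like encryption abuse; empty list if benign."""
    if not ENCRYPTION_TOOLS.search(ev.image):
        return []
    reasons = []
    if ev.user not in SANCTIONED_ACCOUNTS:
        reasons.append(f"encryption tool run by unsanctioned account {ev.user}")
    padded = " " + ev.command_line + " "
    for pat in SUSPICIOUS_ARGS:
        if pat.search(padded):
            reasons.append(f"suspicious argument: {pat.pattern}")
    return reasons

def hunt(events):
    """Return (host, user, reasons) for every event that scored at least one reason."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev.host, ev.user, reasons))
    return hits

SAMPLE_EVENTS = [  # constructed events, not from any real incident
    ProcEvent("FS01", "CORP\\svc-bitlocker", r"C:\Windows\System32\manage-bde.exe", "manage-bde -status C:"),
    ProcEvent("FS02", "CORP\\jdoe", r"C:\Windows\System32\manage-bde.exe", "manage-bde -on D: -pw -skiphardwaretest"),
    ProcEvent("FS02", "CORP\\jdoe", r"C:\Windows\System32\manage-bde.exe", "manage-bde -protectors -delete D:"),
    ProcEvent("WS07", "CORP\\jdoe", r"C:\Users\jdoe\AppData\Local\Temp\dccon.exe", "dccon -encrypt pt0 -p <placeholder>"),
]
```

Only the status check by the sanctioned account passes silently; the three other events are flagged, the last one purely because an encryption binary ran from a user temp directory under an unsanctioned account.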

[Figure 2: BitLocker and DiskCryptor Ransom Execution]

Another intrusion aimed at a U.S. local government network in mid-March 2022 is believed to have leveraged Log4Shell flaws in the target’s VMware Horizon infrastructure to conduct reconnaissance and network scanning operations.

“The January and March incidents typify the different styles of attacks conducted by Cobalt Mirage,” the researchers concluded. “While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited.”

