
Bitlocker Ransomware


This topic is locked.
6 replies to this topic

#1 thefaftek (Members, 4 posts)

Posted 13 July 2016 - 01:14 PM

Hey all,

 

One of our clients recently got hit with this, and I thought I'd share what we know.

 

Message:

Hello there. 
 
I would like to tell you first I'm sorry about that. Your documents, files, database, most are in original places or some moved to your local data. If you want to regain access to your local disk, all your files, documents, etc please send 1 BTC (Bitcoin) to this address: 15W3WjTsvx6Ao1vj9DiiYGuSTKcPHcFDqS as fast as you can and email me at datebatut@gmail.com If you dont know what bitcoin is, please ask me for bitcoin website that you can buy it fast or search on google for a local Bitcoin shop or ATM and transfer 1 BTC to this address: 15W3WjTsvx6Ao1vj9DiiYGuSTKcPHcFDqS
 
It's not my fault if you are trying to format disk and lose all. Here are only one way to get all back and regain access to your local hard disk drive and this way is to send 1 Bitcoin to this address: 15W3WjTsvx6Ao1vj9DiiYGuSTKcPHcFDqS
 
It's just business not trying to get your money and then to not give to you the bitlocker password. Waiting for your reply to my email address ( datebatut@gmail.com or datebatut@pochta.com if the gmail not work ) if you wanna get the bitlocker password. 
 
Please do not hesitate to contact me should you have any questions or concerns.
 
Thanks for your time!

 

 

Unfortunately they don't rotate their backups and all data was lost as a result. 

 

Here's the password we were given, I'm fairly certain he uses the same one throughout: =-0987654321!@#$%^&*()_++_)(*&^%$#@!

 

Hopefully this helps somebody. 

 

EDIT: 

Forgot to mention some important details. First off, it was just an image/text file with instructions that opened automatically. The drives were actually encrypted using bitlocker, set to require a password to unlock. Due to the fact they do not have an active directory that logs recovery keys for bitlocker there was no way to unlock the drive. The data essentially shut the business down until it was encrypted, as it was critical.
 


Edited by thefaftek, 13 July 2016 - 01:19 PM.



#2 Demonslay335, Ransomware Hunter (Security Colleague, 3,579 posts, USA)

Posted 13 July 2016 - 01:16 PM

Was the system actually encrypted with BitLocker, or was it some kind of screenlocker? Were the files encrypted, or how exactly was the system ransomed? We'd be very interested in a sample if possible, malicious files and samples of ransom notes and encrypted files may be submitted here: http://www.bleepingcomputer.com/submit-malware.php?channel=168


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 thefaftek, Topic Starter (Members, 4 posts)

Posted 13 July 2016 - 01:20 PM

> Was the system actually encrypted with BitLocker, or was it some kind of screenlocker? Were the files encrypted, or how exactly was the system ransomed? We'd be very interested in a sample if possible, malicious files and samples of ransom notes and encrypted files may be submitted here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

I added an edit above with the information. Unfortunately I do not have a copy of the ransomware or I would submit this.



#4 Demonslay335, Ransomware Hunter (Security Colleague, 3,579 posts, USA)

Posted 13 July 2016 - 01:22 PM

Very interesting... pretty sure they would have to have direct control of the system to set up BitLocker, not sure malware can directly invoke that. I would definitely check the system/network for a possible compromise and make sure it is locked down properly.

 

What is the exact filename of the ransom note? May help with hunting something down and with identification.




#5 thefaftek, Topic Starter (Members, 4 posts)

Posted 13 July 2016 - 01:26 PM

> Very interesting... pretty sure they would have to have direct control of the system to set up BitLocker, not sure malware can directly invoke that. I would definitely check the system/network for a possible compromise and make sure it is locked down properly.
>
> What is the exact filename of the ransom note? May help with hunting something down and with identification.

He could have easily invoked BitLocker via PowerShell inside of an application: https://technet.microsoft.com/en-us/library/jj649829(v=wps.630).aspx. The only way to fully secure their network would be to nuke it, due to a massive amount of issues with it.

 

I couldn't find the name of the ransom note, unfortunately, as I was just facilitating the bitcoin transactions and ransom contact, my coworker did not document that information.
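The two details that decided this incident are that the volumes ended up protected only by a password the attacker chose, and that no recovery keys had been escrowed to Active Directory, so there was no second way in. The following audit script is an added example written for this thread, not code posted by anyone in it: it uses the BitLocker PowerShell module (the same module the linked TechNet page documents) to list every fixed volume's key protectors, flag volumes that carry a password protector with no recovery password, add a recovery password where one is missing, and escrow every recovery password to AD DS. It assumes an elevated session on a domain-joined Windows 8 / Server 2012 or later machine whose AD schema has been extended for BitLocker recovery information; the volume-status strings it prints are whatever the cmdlets return.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker protectors and escrow recovery passwords to AD DS.
# Assumes: domain-joined host, BitLocker module available, AD schema extended for
# BitLocker recovery information. Run before an incident, on the fleet you manage.

Import-Module BitLocker

$report = @()

foreach ($vol in Get-BitLockerVolume) {
    # Volumes that are not encrypted at all have nothing to escrow; just note them.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        $report += [pscustomobject]@{ Volume = $vol.MountPoint; Protectors = '(none, not encrypted)'; Escrowed = 0 }
        continue
    }

    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # A password protector with no recovery password is exactly the situation in this thread:
    # whoever set the password holds the only key. Add a recovery password so there is a
    # second path back in that the organisation controls.
    if ($types -contains 'Password' -and $types -notcontains 'RecoveryPassword') {
        Write-Warning ("{0}: password protector with no recovery password; adding one" -f $vol.MountPoint)
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $vol.MountPoint
    }

    # Escrow every recovery password to AD DS. The GPO "Store BitLocker recovery information in
    # AD DS" does this automatically for volumes encrypted after the policy applies; this covers
    # volumes encrypted before it, or on hosts where the policy never reached.
    $escrowed = 0
    foreach ($kp in $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
            $escrowed++
        }
        catch {
            # Typical causes: host not domain-joined, schema not extended, DC unreachable.
            Write-Warning ("{0}: could not escrow {1}: {2}" -f $vol.MountPoint, $kp.KeyProtectorId, $_.Exception.Message)
        }
    }

    $report += [pscustomobject]@{
        Volume     = $vol.MountPoint
        Protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        Escrowed   = $escrowed
    }
}

$report | Format-Table -AutoSize
```

An unexpected `Password` protector appearing on a server volume, or a volume that reports `FullyEncrypted` when your inventory says it should be decrypted, is itself a finding worth alerting on: the change in protector set is visible through the same cmdlets before any ransom note is dropped, which is what Demonslay335's advice to check the system for compromise amounts to in practice.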



#6 Demonslay335, Ransomware Hunter (Security Colleague, 3,579 posts, USA)

Posted 13 July 2016 - 01:55 PM

Ah, OK. I haven't dealt with BitLocker very much, don't know a whole ton about it. Thanks for the heads-up, we'll be sure to keep a lookout for anything we can find on this one.




#7 quietman7, Bleepin' Janitor (Global Moderator, 51,907 posts, Virginia, USA)

Posted 13 July 2016 - 02:45 PM

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators



