BitlockMove: A New Ransomware Strain Leveraging BitLocker for Maximum Impact
Published: June 2025
Author: rtecCyberSec
GitHub PoC Repo: BitlockMove
Overview
The cybersecurity research group rtecCyberSec has released an in-depth proof-of-concept (PoC) demonstrating a new ransomware variant that leverages Microsoft BitLocker, a legitimate full-disk encryption feature, to encrypt victim machines. Dubbed BitlockMove, this strain emphasizes how adversaries are increasingly utilizing native OS features to bypass traditional security mechanisms and avoid detection.
This technique is a Living off the Land (LotL) approach: abusing tools already present on the system instead of dropping detectable binaries. BitlockMove specifically targets Windows machines and repurposes BitLocker via manage-bde to lock victims out of their systems.
Technical Breakdown
Requirements
Before deploying, the following prerequisites must be met:
- Windows OS with BitLocker enabled (or BitLocker-capable).
- Administrative privileges.
- PowerShell execution capability.
Repository Contents
The PoC repository contains:
bitlockmove.ps1: The core PowerShell script that:
- Creates a custom recovery password.
- Enables BitLocker on available volumes.
- Locks the system and deletes the recovery key from the victim's access.
How It Works
1. Volume Detection: The script identifies fixed drives using Get-WmiObject -Class Win32_LogicalDisk and checks whether BitLocker is already enabled.
2. BitLocker Activation: For volumes not yet encrypted, the script invokes:
   Enable-BitLocker -MountPoint $driveLetter -EncryptionMethod XtsAes256 -UsedSpaceOnly
3. Custom Password Injection: A new recovery password is set:
   Add-BitLockerKeyProtector -MountPoint $driveLetter -RecoveryPasswordProtector
4. Recovery Key Destruction: Any saved recovery keys on the system or in accessible locations are deleted, preventing the user from recovering access.
5. System Lockdown: The machine is forcibly shut down or rebooted, locking the user out as BitLocker demands the recovery key at boot.
Attack Implications
- No External Binary: Because it uses native PowerShell and BitLocker, this method is extremely stealthy.
- Bypasses AV/EDR: Since BitLocker is a trusted system tool, many endpoint security solutions may not flag this activity.
- Data Irretrievability: Without the recovery key or password, data becomes inaccessible, effectively acting as ransomware.
Mitigation Strategies
- Restrict PowerShell: Limit PowerShell script execution via GPO or AMSI.
- Monitor BitLocker Events: Track unusual BitLocker enablement via Windows Event Logs (Event ID 4672, Event ID 845).
- Privileged Account Control: Limit who has administrative access.
- Disable Unused BitLocker Features: If BitLocker is not used in your org, disable it via Group Policy.
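The following PowerShell script is an added example, not code from the BitlockMove repository or its author. It turns the "Monitor BitLocker Events" and "Privileged Account Control" items above into a runnable defensive check: it pulls recent events from the BitLocker Management channel and the Security log (Event ID 4672, as cited above), reports every volume whose protector set consists only of recovery passwords (the state the PoC leaves a machine in), and escrows recovery passwords to Active Directory so that deleting local copies does not make the data irretrievable. The lookback window, the channel name Microsoft-Windows-BitLocker/BitLocker Management and the assumption that the host is elevated, domain-joined and has the BitLocker PowerShell module are this example's own.

```powershell
# Added defensive example (not part of the BitlockMove PoC).
# Assumes: elevated session, domain-joined host, BitLocker module present,
# and a BitLocker GPO that permits AD DS backup of recovery information.

$LookbackHours = 24                      # assumed review window
$Since = (Get-Date).AddHours(-$LookbackHours)

# 1. Recent BitLocker activity. Event ID 845 (cited in the article) is written
#    when recovery information is backed up to AD DS; any activity in this
#    channel on a host that should not be enabling BitLocker deserves a ticket.
$bitlockerEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    StartTime = $Since
} -ErrorAction SilentlyContinue

# 2. Security 4672 (special privileges assigned to a new logon) in the same
#    window, so an analyst can correlate which admin session was active when
#    the BitLocker change occurred.
$privEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4672
    StartTime = $Since
} -ErrorAction SilentlyContinue

# 3. Current protector state of every volume. A volume protected only by
#    recovery passwords (no TPM, PIN or external key) matches the state the PoC
#    produces and should be investigated.
$report = foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $nonRecovery = @($types | Where-Object { $_ -ne 'RecoveryPassword' })
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        ProtectorTypes   = ($types -join ',')
        RecoveryOnly     = ($types.Count -gt 0 -and $nonRecovery.Count -eq 0)
    }
}

# 4. Mitigation: escrow every recovery password to AD DS. This is what makes
#    step 4 of the PoC ("Recovery Key Destruction") survivable, because the
#    copy the attacker deletes is no longer the only copy.
foreach ($vol in Get-BitLockerVolume) {
    $recoveryProtectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    foreach ($kp in $recoveryProtectors) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop
            Write-Host "Escrowed recovery key $($kp.KeyProtectorId) for $($vol.MountPoint)"
        } catch {
            Write-Warning "Could not escrow $($kp.KeyProtectorId) for $($vol.MountPoint): $($_.Exception.Message)"
        }
    }
}

# 5. Summary for the analyst.
Write-Host "BitLocker Management events in last $LookbackHours h: $(@($bitlockerEvents).Count)"
Write-Host "Security 4672 events in last $LookbackHours h:       $(@($privEvents).Count)"
$report | Format-Table -AutoSize
$report | Where-Object RecoveryOnly | ForEach-Object {
    Write-Warning "$($_.MountPoint) is protected only by recovery passwords; verify this was authorised."
}
```

Running this on a schedule, or from an EDR response action, gives the behavioural signal the article argues for: the script never looks at a binary hash, only at the BitLocker event channel, privileged logons and the protector state of each volume. The escrow step is the single most effective mitigation for this PoC, since a ransomware operator who deletes the local recovery key gains nothing if the same key is already held in AD DS.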
Reference
GitHub Repository: https://github.com/rtecCyberSec/BitlockMove
Final Thoughts
The BitlockMove PoC underscores how legitimate OS tools can be double-edged swords. For defenders, relying purely on malware signatures is no longer sufficient. Behavioral detection, privilege auditing, and script control are critical layers in modern cyber defense.
This PoC is a valuable resource for blue teams and threat researchers, serving as both a wake-up call and a case study on the risks posed by LotL techniques in ransomware operations.