# BitlockMove: A New Ransomware Strain Leveraging BitLocker for Maximum Impact **Published: June 2025** **Author: [rtecCyberSec](https://github.com/rtecCyberSec)** **GitHub PoC Repo: [BitlockMove](https://github.com/rtecCyberSec/BitlockMove)** --- ## 🔍 Overview The cybersecurity research group **rtecCyberSec** has released an in-depth proof-of-concept (PoC) demonstrating a **new ransomware variant** that leverages **Microsoft BitLocker**, a legitimate full-disk encryption feature, to encrypt victim machines. Dubbed **BitlockMove**, this strain emphasizes how adversaries are increasingly utilizing native OS features to bypass traditional security mechanisms and avoid detection. This technique is a **Living off the Land (LotL)** approach — abusing tools already present in the system instead of dropping detectable binaries. BitlockMove specifically targets Windows machines and repurposes BitLocker via `manage-bde` to lock victims out of their systems. --- ## 🧪 Technical Breakdown ### ✅ Requirements Before deploying, the following prerequisites must be met: - Windows OS with BitLocker enabled (or BitLocker-capable). - Administrative privileges. - PowerShell execution capability. ### 📁 Repository Contents The PoC repository contains: - `bitlockmove.ps1`: The core PowerShell script that: - Creates a custom recovery password. - Enables BitLocker on available volumes. - Locks the system and deletes the recovery key from the victim's access. --- ## ⚙️ How It Works 1. **Volume Detection**: The script identifies fixed drives using `Get-WmiObject -Class Win32_LogicalDisk` and checks if BitLocker is already enabled. 2. **BitLocker Activation**: For volumes not yet encrypted, the script invokes: ```powershell Enable-BitLocker -MountPoint $driveLetter -EncryptionMethod XtsAes256 -UsedSpaceOnly ``` 3. **Custom Password Injection**: A new recovery password is set: ```powershell Add-BitLockerKeyProtector -MountPoint $driveLetter -RecoveryPasswordProtector ``` 4. **Recovery Key Destruction**: Any saved recovery keys on the system or in accessible locations are deleted, preventing the user from recovering access. 5. **System Lockdown**: The machine is forcibly shut down or rebooted, locking the user out as BitLocker demands the recovery key at boot. --- ## 🚨 Attack Implications - **No External Binary**: Because it uses native PowerShell and BitLocker, this method is **extremely stealthy**. - **Bypasses AV/EDR**: Since BitLocker is a trusted system tool, many endpoint security solutions may not flag this activity. - **Data Irretrievability**: Without the recovery key or password, data becomes **inaccessible**, effectively acting as ransomware. --- ## 🛡️ Mitigation Strategies - **Restrict PowerShell**: Limit PowerShell script execution via GPO or AMSI. - **Monitor BitLocker Events**: Track unusual BitLocker enablement via Windows Event Logs (`Event ID 4672`, `Event ID 845`). - **Privileged Account Control**: Limit who has administrative access. - **Disable Unused BitLocker Features**: If BitLocker is not used in your org, disable it via Group Policy. --- ## 📌 Reference GitHub Repository: [https://github.com/rtecCyberSec/BitlockMove](https://github.com/rtecCyberSec/BitlockMove) --- ## ✍️ Final Thoughts The BitlockMove PoC underscores how **legitimate OS tools** can be double-edged swords. As defenders, relying purely on malware signatures is no longer sufficient. **Behavioral detection**, **privilege auditing**, and **script control** are critical layers in modern cyber defense. This PoC is a **valuable resource for blue teams and threat researchers**, serving as both a wake-up call and a case study on the risks posed by LotL techniques in ransomware operations. ```

Support Crack-Vault and help us keep providing free tools. Every donation counts! (BTC) Address: bc1qhhva8uplmkaa3kkwxnux9t3y6l6kmhnwqzktzn

BitlockMove: A New Ransomware Strain Leveraging BitLocker for Maximum Impact

NikolasHume

BitlockMove: A New Ransomware Strain Leveraging BitLocker for Maximum Impact

Published: June 2025
Author: rtecCyberSec
GitHub PoC Repo: BitlockMove

🔍 Overview

The cybersecurity research group rtecCyberSec has released an in-depth proof-of-concept (PoC) demonstrating a new ransomware variant that leverages Microsoft BitLocker, a legitimate full-disk encryption feature, to encrypt victim machines. Dubbed BitlockMove, this strain emphasizes how adversaries are increasingly utilizing native OS features to bypass traditional security mechanisms and avoid detection.

This technique is a Living off the Land (LotL) approach — abusing tools already present in the system instead of dropping detectable binaries. BitlockMove specifically targets Windows machines and repurposes BitLocker via manage-bde to lock victims out of their systems.

🧪 Technical Breakdown

✅ Requirements

Before deploying, the following prerequisites must be met:

Windows OS with BitLocker enabled (or BitLocker-capable).
Administrative privileges.
PowerShell execution capability.

📁 Repository Contents

The PoC repository contains:

bitlockmove.ps1: The core PowerShell script that:
- Creates a custom recovery password.
- Enables BitLocker on available volumes.
- Locks the system and deletes the recovery key from the victim's access.

⚙️ How It Works

Volume Detection:
The script identifies fixed drives using Get-WmiObject -Class Win32_LogicalDisk and checks if BitLocker is already enabled.

BitLocker Activation:
For volumes not yet encrypted, the script invokes:

   Enable-BitLocker -MountPoint $driveLetter -EncryptionMethod XtsAes256 -UsedSpaceOnly

Custom Password Injection:
A new recovery password is set:

   Add-BitLockerKeyProtector -MountPoint $driveLetter -RecoveryPasswordProtector

Recovery Key Destruction:
Any saved recovery keys on the system or in accessible locations are deleted, preventing the user from recovering access.
System Lockdown:
The machine is forcibly shut down or rebooted, locking the user out as BitLocker demands the recovery key at boot.

🚨 Attack Implications

No External Binary: Because it uses native PowerShell and BitLocker, this method is extremely stealthy.
Bypasses AV/EDR: Since BitLocker is a trusted system tool, many endpoint security solutions may not flag this activity.
Data Irretrievability: Without the recovery key or password, data becomes inaccessible, effectively acting as ransomware.

🛡️ Mitigation Strategies

Restrict PowerShell: Limit PowerShell script execution via GPO or AMSI.
Monitor BitLocker Events: Track unusual BitLocker enablement via Windows Event Logs (Event ID 4672, Event ID 845).
Privileged Account Control: Limit who has administrative access.
Disable Unused BitLocker Features: If BitLocker is not used in your org, disable it via Group Policy.

📌 Reference

GitHub Repository: https://github.com/rtecCyberSec/BitlockMove

✍️ Final Thoughts

The BitlockMove PoC underscores how legitimate OS tools can be double-edged swords. As defenders, relying purely on malware signatures is no longer sufficient. Behavioral detection, privilege auditing, and script control are critical layers in modern cyber defense.

This PoC is a valuable resource for blue teams and threat researchers, serving as both a wake-up call and a case study on the risks posed by LotL techniques in ransomware operations.

📱

Download Now—Top Software, No Cost!