cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

BitLocker and DiskCryptor leveraged by Iranian hackers for ransomware attacks

A string of file-encrypting malware attacks targeting organisations in Israel, the US, Europe and Australia have been linked to a ransomware group with an Iranian operational connection.

user iconReporter
Fri, 13 May 2022
BitLocker and DiskCryptor leveraged by Iranian hackers for ransomware attacks
expand image

Cyber security firm Secureworks attributed the intrusions to a threat actor it tracks under the moniker Cobalt Mirage, which it has linked to an Iranian hacking crew dubbed Cobalt Illusion (aka APT35, Charming Kitten, Newscaster, or Phosphorus).

In a report shared with The Hacker News, Secureworks Counter Threat Unit (CTU) outlined that elements of Cobalt Mirage activity have been reported as Phosphorus and TunnelVision.

The threat actor has been observed to have conducted two different sets of intrusions, one of which relates to opportunistic ransomware attacks involving the use of legitimate tools like BitLocker and DiskCryptor for financial gain.


The second set of attacks are more targeted, carried out with the primary goal of securing access and gathering intelligence, while also deploying ransomware in select cases.

Initial access routes are facilitated by scanning internet-facing servers vulnerable to highly publicised flaws in Fortinet appliances and Microsoft Exchange Servers to drop web shells and using them as a conduit to move laterally and activate the ransomware.

The exact means by which the full volume encryption feature is triggered remains unknown, according to Secureworks, detailing a January 2022 attack against an unnamed US philanthropic organisation.

Another intrusion aimed at a US local government network in mid-March 2022 is believed to have leveraged Log4Shell flaws in the target’s VMware Horizon infrastructure to conduct reconnaissance and network scanning operations.

Secureworks researchers concluded the January and March incidents typify the different styles of attacks conducted by Cobalt Mirage.

“While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalise on that access for financial gain or intelligence collection appears limited,” Secureworks researchers concluded.

[Related: Willyama launches a new cyber security subsidiary]

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.