Sunday, March 30, 2025
HomeMalwareDEV-0270 Hacker Group Uses Windows BitLocker Feature to Encrypt Systems

DEV-0270 Hacker Group Uses Windows BitLocker Feature to Encrypt Systems

Published on

SIEM as a Service

Follow Us on Google News

The DEV-0270 (aka Nemesis Kitten), an Iranian state-sponsored hacker group has been uncovered abusing a Windows feature known as BitLocker.

While Nemesis Kitten is one of the sub-groups of the Iranian threat actor group known as, PHOSPHORUS. 

The threat intelligence team of Microsoft claims that as soon as new security vulnerabilities are disclosed, the group takes advantage of them as quickly as possible. The attacks made by this group utilize living-off-the-land binaries (LOLBINs) to the fullest extent possible.

With BitLocker, you can protect your data by providing full volume encryption on devices that run the following operating systems:-

  • Windows 10
  • Windows 11
  • Windows Server 2016 and above

Technical Analysis

Setup.bat commands are used by the operators of DEV-0270 as part of its method of enabling the BitLocker encryption feature. 

Due to this, the hosts become inoperable and are unable to function. Currently, for the workstations, there is a disk encryption program called DiskCryptor which is used by the group.

In the case of DEV-0270, it has been observed that the time to ransom (TTR) between an attacker’s initial access to a victim’s system and deployment of the ransom note is approximately two days.

Here the attacker makes a demand for the payment of $8,000 for the victims’ decryption keys in the event of success.

Moonlighting

There is a strong possibility that DEV-0270 is moonlighting as a revenue-generating tool for a company or for personal use. However, this is not accurately confirmed, since this is Microsoft’s firm speculation.

Under two aliases, this group is being run by an Iranian company that is known by the following names:-

  • Secnerd (secnerd[.]ir)
  • Lifeweb (lifeweb[.]it)

In addition to these organizations, Najee Technology Hooshmand, which is based in Karaj, Iran, is also connected to these organizations. When it comes to targeting, the group tends to take advantage of opportunistic opportunities.

Mitigations

Here below we have mentioned all the recommended mitigations:-

  • For the prevention of exploitation attempts and subsequent ransomware attacks, it is advised that companies patch their Internet-facing servers. 
  • Prevent RPC and SMB communication between devices by using Microsoft Defender Firewall and intrusion prevention devices.
  • To prevent or restrict the use of network appliances, you should check your perimeter firewall and proxy.
  • Ensure that the passwords used by local administrators are strong.
  • Always keep Microsoft Defender Antivirus up to date.
  • Make sure to enable real-time behavior monitoring in Microsoft Defender Antivirus.
  • Make sure that you keep backups in case there is an attack that destroys your data.
  • It is imperative that the Local Security Authority Subsystem (lsass.exe) on Windows is protected against credential theft.
  • The creation of processes originating from PsExec and WMI commands should be blocked.
  • The WMI event subscription can be used to block persistence.
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Gamaredon Hackers Weaponize LNK Files to Deliver Remcos Backdoor

Cisco Talos has uncovered an ongoing cyber campaign by the Gamaredon threat actor group,...

“Crocodilus” A New Malware Targeting Android Devices for Full Takeover

Researchers have uncovered a dangerous new mobile banking Trojan dubbed Crocodilus actively targeting financial...

SquareX Discloses Browser-Native Ransomware that Puts Millions at Risk

From WannaCry to the MGM Resorts Hack, ransomware remains one of the most damaging...

Hackers Exploit DNS MX Records to Create Fake Logins Imitating 100+ Brands

Cybersecurity researchers have discovered a sophisticated phishing-as-a-service (PhaaS) platform, dubbed "Morphing Meerkat," that leverages...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

“Crocodilus” A New Malware Targeting Android Devices for Full Takeover

Researchers have uncovered a dangerous new mobile banking Trojan dubbed Crocodilus actively targeting financial...

PJobRAT Android Malware Masquerades as Dating and Messaging Apps to Target Military Personnel

PJobRAT, an Android Remote Access Trojan (RAT) first identified in 2019, has resurfaced in...

SHELBY Malware Steals Data by Abusing GitHub as Command-and-Control Server

Elastic Security Labs has uncovered a sophisticated malware campaign, dubbed REF8685, targeting the Iraqi...