Mallory
Malware · Ransomware · Used by 4 actors

BitLocker

BitLocker is Microsoft’s built-in Windows full-disk encryption feature. In the reporting collected here it is repeatedly described not as bespoke malware but as an encryption mechanism abused in ransomware and destructive intrusion activity: actors use living-off-the-land binaries such as BitLocker to encrypt compromised systems, workstations, servers and files, withhold the keys, and leave ransom demands.

Reported use cases include a separate cluster of attacks on organizations across North America, South America and Europe using the off-the-shelf encryption tools BestCrypt and BitLocker; ransomware activity by a Phosphorus/DEV-0270 subgroup; APT41 using Microsoft BitLocker to encrypt workstations; DPRK state-sponsored actors observed using or possessing BitLocker alongside other publicly available ransomware and encryption tools; and COBALT MIRAGE/PHOSPHORUS operations using BitLocker and DiskCryptor to encrypt victim systems.

In a late-September 2021 intrusion attributed to PHOSPHORUS/COBALT MIRAGE, the attackers exploited the Microsoft Exchange ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), established persistence and remote access, moved laterally, and then deployed a setup.bat script that enabled BitLocker encryption on servers, while DiskCryptor was used on workstations. The ransom note demanded $8,000 and gave Telegram and ProtonMail contacts.

Additional reporting describes attackers abusing built-in Windows BitLocker in an incident at the Romanian National Water Administration that impacted about 1,000 systems across regional offices, affecting GIS, database, email, web, workstation and DNS systems while leaving OT unaffected. Investigators found BitLocker had been used to lock files, and the ransom note demanded contact within seven days.

High-confidence associations in the content are Iranian-linked PHOSPHORUS/DEV-0270/COBALT MIRAGE activity, APT41 and DPRK actors.
The content does not provide unique BitLocker-specific malware IOCs beyond its use as a native Windows encryption capability and references to attacker scripts such as setup.bat used to enable it.


THREAT ACTORS

Groups observed using it

4 distinct threat actors attributed by public researchers.
Magic Hound

Last week, Microsoft took the wraps off a string of ransomware attacks mounted by a Phosphorus subgroup dubbed DEV-0270 using living-off-the-land binaries such as BitLocker.

via The Hacker News (thehackernews.com)
DEV-0270

Last week, Microsoft took the wraps off a string of ransomware attacks mounted by a Phosphorus subgroup dubbed DEV-0270 using living-off-the-land binaries such as BitLocker.

via The Hacker News (thehackernews.com)
APT41

APT41 also used Microsoft BitLocker to encrypt workstations...

via MITRE ATT&CK (attack.mitre.org)
DPRK cyber actors

Actors have also been observed using or possessing publicly available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom.

via CISA advisories (cisa.gov)
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Impact

1 technique
T1486 Data Encrypted for Impact (Evidence: 7)
Tactic: Impact

As seen below, the threat actor used the manage-bde.exe utility to enable BitLocker device encryption across multiple systems. The associated keys were held to ransom.
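Hunting the procedure described on this page, where a dropped setup.bat enables BitLocker and manage-bde.exe turns encryption on across servers with the keys then held to ransom: the following Python is an added example written for this page, not code from the page or from any of the cited reports. It runs over constructed process-creation records (fields modelled on Sysmon Event ID 1 / Security 4688; the hostnames, paths, timestamps and the recovery-key GUID are invented) and separates ransomware-style use from an ordinary enrolment by weighting three signals per manage-bde enable: a script parent, a password protector (-pw) instead of the TPM or recovery-key protectors an organization controls, and the absence of a -adbackup recovery-key escrow shortly afterwards, plus a separate finding when several volumes are enabled in one burst.

```python
"""Hunting manage-bde.exe abuse in process-creation telemetry.

Added example (not code from the page or from any cited vendor). The events are
constructed to mimic Sysmon Event ID 1 / Security 4688 fields; hostnames, paths,
timestamps and the GUID are invented for the demonstration.
"""
import re
import shlex
from collections import defaultdict

PASSWORD_FLAGS = {"-pw", "-password"}          # key known only to whoever set it
SCRIPT_RE = re.compile(r"\.(bat|cmd|ps1|vbs|js)\b", re.IGNORECASE)
FLAG_THRESHOLD = 2                              # weighted score needed to raise a finding


def parse_manage_bde(command_line):
    """Return (action, volume, flags) for a manage-bde command line, else None."""
    tokens = shlex.split(command_line, posix=False)   # posix=False keeps Windows backslashes
    if not tokens:
        return None
    exe = tokens[0].strip('"').lower()
    if not (exe.endswith("manage-bde") or exe.endswith("manage-bde.exe")):
        return None
    args = [t.lower() for t in tokens[1:]]
    volume = next((a for a in args if re.fullmatch(r"[a-z]:", a)), None)
    flags = {a for a in args if a.startswith("-")}
    if "-on" in flags:
        action = "enable"                       # start encrypting the volume
    elif "-protectors" in flags and "-add" in flags:
        action = "add_protector"                # e.g. attach a password protector first
    elif "-protectors" in flags and "-adbackup" in flags:
        action = "escrow"                       # back the recovery key up to AD DS
    elif "-protectors" in flags and ("-disable" in flags or "-delete" in flags):
        action = "protector_tamper"
    elif "-status" in flags:
        action = "status"
    else:
        action = "other"
    return action, volume, flags


def _score(ev, flags, escrow_ts, escrow_window):
    """Weighted reasons an enable/add_protector event looks like ransomware use."""
    reasons = []
    parent = ev.get("parent_command_line", "")
    if SCRIPT_RE.search(parent):
        reasons.append((2, "launched from a script: " + parent))
    if flags & PASSWORD_FLAGS:
        reasons.append((2, "password protector; no TPM/recovery key the org controls"))
    if not any(ev["ts"] <= t <= ev["ts"] + escrow_window for t in escrow_ts):
        # Weak signal on its own: Intune/MBAM escrow does not go through -adbackup.
        reasons.append((1, f"no -adbackup escrow within {escrow_window}s"))
    return reasons


def hunt(events, escrow_window=600):
    """Return findings for hosts where manage-bde looks like an encryptor, not admin use."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        parsed = parse_manage_bde(ev["command_line"])
        if parsed:
            by_host[ev["host"]].append((ev, *parsed))
    findings = []
    for host, rows in by_host.items():
        escrow_ts = [ev["ts"] for ev, action, _v, _f in rows if action == "escrow"]
        enables = [(ev, vol, flags) for ev, action, vol, flags in rows
                   if action in ("enable", "add_protector")]
        for ev, vol, flags in enables:
            reasons = _score(ev, flags, escrow_ts, escrow_window)
            if sum(w for w, _ in reasons) >= FLAG_THRESHOLD:
                findings.append({"host": host, "ts": ev["ts"], "volume": vol,
                                 "reasons": [r for _, r in reasons]})
        # Several volumes enabled in one burst is encryptor behaviour, not an enrolment.
        stamps = [ev["ts"] for ev, vol, _ in enables if vol]
        vols = {vol for _, vol, _ in enables if vol}
        if len(vols) >= 2 and max(stamps) - min(stamps) <= escrow_window:
            findings.append({"host": host, "ts": min(stamps), "volume": ",".join(sorted(vols)),
                             "reasons": [f"{len(vols)} volumes enabled within {escrow_window}s"]})
    return findings


BDE = r"C:\Windows\System32\manage-bde.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS = [
    # WS-FIN-07: a normal enrolment. Interactive, recovery password, escrowed to AD.
    {"host": "WS-FIN-07", "ts": 1000, "parent_image": CMD, "image": BDE,
     "command_line": "manage-bde -status C:"},
    {"host": "WS-FIN-07", "ts": 1010, "parent_image": CMD, "image": BDE,
     "command_line": "manage-bde -on C: -RecoveryPassword -SkipHardwareTest -UsedSpaceOnly"},
    {"host": "WS-FIN-07", "ts": 1015, "parent_image": CMD, "image": BDE,
     "command_line": "manage-bde -protectors -adbackup C: -id {00000000-1111-2222-3333-444444444444}"},
    # SRV-DB-01: the pattern from the intrusion write-ups. A dropped batch file adds a
    # password protector and turns encryption on for two data volumes; nothing is escrowed.
    {"host": "SRV-DB-01", "ts": 2000, "parent_image": CMD, "image": BDE,
     "parent_command_line": r"cmd.exe /c C:\Users\Public\setup.bat",
     "command_line": "manage-bde -protectors -add D: -pw"},
    {"host": "SRV-DB-01", "ts": 2004, "parent_image": CMD, "image": BDE,
     "parent_command_line": r"cmd.exe /c C:\Users\Public\setup.bat",
     "command_line": "manage-bde -on D: -UsedSpaceOnly"},
    {"host": "SRV-DB-01", "ts": 2010, "parent_image": CMD, "image": BDE,
     "parent_command_line": r"cmd.exe /c C:\Users\Public\setup.bat",
     "command_line": "manage-bde -on E: -pw -UsedSpaceOnly"},
    # Unrelated process creation on the same server; the parser ignores it.
    {"host": "SRV-DB-01", "ts": 2011, "parent_image": CMD,
     "image": r"C:\Windows\System32\notepad.exe", "command_line": r"notepad.exe D:\readme.txt"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["host"], f["ts"], f["volume"], "; ".join(f["reasons"]))
```

The escrow signal is deliberately weak on its own: Intune and MBAM escrow recovery keys without ever calling manage-bde -adbackup, so in those environments drop it or re-weight it. The parser also labels -protectors -disable/-delete as protector_tamper, which is worth its own hunt, and process telemetry should be paired with a periodic manage-bde -status sweep of servers that were never meant to be encrypted.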
