DiskCryptor
DiskCryptor is a legitimate open-source full-disk encryption utility that has been repeatedly used by threat actors as part of ransomware and destructive intrusion activity on Windows systems. The provided content describes its use to encrypt volumes or workstations, sometimes alongside custom malware or bootloader modifications, rather than as standalone malware developed by the actors.
In the referenced activity, Moses Staff used DiskCryptor directly and also used signed drivers from DiskCryptor to evade detection. Moses Staff-associated tooling included DCSrv, which masqueraded as svchost.exe, blocked access to the computer, and encrypted all volumes using DiskCryptor’s core encryption mechanism. The content also states that PyDCrypt was used to spread within a network and ensure execution of the DCSrv payload. Moses Staff activity included exploitation of public-facing applications such as Microsoft Exchange, deployment of obfuscated web shells including C:\inetpub\wwwroot\aspnet_client\system_web\IISpool.aspx, disabling Windows firewalls, enabling SMB, and host/network discovery prior to DiskCryptor-backed encryption.
The content also links DiskCryptor use to Iranian-linked operations. COBALT MIRAGE is described as an Iranian threat actor that prepares and delivers ransomware attacks using BitLocker and DiskCryptor to encrypt systems, targeting organizations in Israel, the United States, Europe, and Australia, often via scan-and-exploit activity against Fortinet FortiOS, Microsoft Exchange ProxyShell, and Log4j-vulnerable systems. In a late-September 2021 intrusion attributed to PHOSPHORUS/COBALT MIRAGE, actors exploited ProxyShell on Exchange, deployed web shells and tunneling tools, moved laterally via RDP, encrypted servers with BitLocker via setup.bat, and encrypted workstations with DiskCryptor using dcrypt.exe.
The content further notes DiskCryptor use in ransomware contexts beyond Iranian operations. Mamba (HDDCryptor) used the open-source DiskCryptor to encrypt files and wrote a custom boot loader to the master boot record. There is also speculation in the provided material that DiskCryptor may have been combined with LockBit in some attacks, and the detection content includes analytics for Windows DiskCryptor usage mapped to data encrypted for impact.
High-confidence behaviors directly mentioned include full-volume or workstation encryption, use of signed DiskCryptor drivers for defense evasion, and use in conjunction with custom ransomware components such as DCSrv. Associated actors explicitly mentioned are Moses Staff and COBALT MIRAGE/PHOSPHORUS. Targeting explicitly mentioned in the content includes Israeli organizations and critical infrastructure-related victims, as well as organizations in the United States, Europe, and Australia. Specific related artifacts mentioned in the content include dcrypt.exe, the IIS web shell path C:\inetpub\wwwroot\aspnet_client\system_web\IISpool.aspx, and the Moses Staff leak archive POC-IPC.rar with MD5 f9a34ac80a4f98b5491594a1eedc74e3 and SHA256 f3b4ee57c46839c2305f68962dff5cd5c3cab0e48d1fbf4f5f4d11f7258ea99b.
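The procedures above (dcrypt.exe execution, DCSrv masquerading as svchost.exe, a DiskCryptor-signed kernel driver loading, and an .aspx web shell under aspnet_client\system_web) can be turned into simple host-telemetry analytics. The following is an added example, not code from the page or from any vendor: it runs four such rules over constructed Sysmon-style event records. The field names follow Sysmon (Image, Signature, TargetFilename); the driver path, the signer string "DiskCryptor", and the expected System32 location of svchost.exe are assumptions.

```python
"""Detection rules for DiskCryptor-backed encryption activity (added example)."""

# Constructed sample events; event_id follows Sysmon numbering
# (1 = process create, 6 = driver load, 11 = file create).
EVENTS = [
    {"event_id": 1, "Image": r"C:\Users\admin\Desktop\dcrypt.exe"},
    {"event_id": 1, "Image": r"C:\Windows\System32\svchost.exe"},
    {"event_id": 1, "Image": r"C:\ProgramData\svchost.exe"},           # DCSrv-style masquerade
    {"event_id": 6, "ImageLoaded": r"C:\Windows\System32\drivers\dcrypt.sys",  # assumed path
     "Signature": "DiskCryptor"},                                      # assumed signer string
    {"event_id": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\system_web\IISpool.aspx"},
]

# Assumed legitimate location of svchost.exe; anything else is suspicious.
SYSTEM_SVCHOST = r"c:\windows\system32\svchost.exe"
WEBSHELL_DIR = "\\aspnet_client\\system_web\\"


def detect(events):
    """Return a list of (rule_name, event_index) hits for the rules below."""
    hits = []
    for i, ev in enumerate(events):
        eid = ev["event_id"]
        image = ev.get("Image", "").lower()
        name = image.rsplit("\\", 1)[-1]

        # Rule 1: the DiskCryptor executable named on the page is launched.
        if eid == 1 and name == "dcrypt.exe":
            hits.append(("diskcryptor_process", i))

        # Rule 2: svchost.exe running from outside System32 (DCSrv masquerade).
        if eid == 1 and name == "svchost.exe" and image != SYSTEM_SVCHOST:
            hits.append(("svchost_masquerade", i))

        # Rule 3: a kernel driver signed by DiskCryptor is loaded (defense evasion).
        if eid == 6 and "diskcryptor" in ev.get("Signature", "").lower():
            hits.append(("diskcryptor_driver_load", i))

        # Rule 4: an .aspx file dropped under aspnet_client\system_web (web shell path).
        target = ev.get("TargetFilename", "").lower()
        if eid == 11 and target.endswith(".aspx") and WEBSHELL_DIR in target:
            hits.append(("aspnet_client_webshell", i))
    return hits


if __name__ == "__main__":
    for rule, idx in detect(EVENTS):
        print(f"{rule}: event {idx}")
```

Rule 1 alone fires on legitimate DiskCryptor administration, so in practice it is the combination with rules 2 to 4, or with the reboot-and-encrypt sequence described above, that raises confidence.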
Groups observed using it
2 distinct threat actors attributed by public researchers.
DCSrv blocks all access to the computer and encrypts all its volumes using the legitimate open-source encryption utility DiskCryptor.
DCSrv has encrypted drives using the core encryption mechanism from DiskCryptor.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Multiple groups “obtained and used” publicly available/open-source tools (e.g., APT28 used Koadic/Mimikatz/Responder; APT29 used Mimikatz/SDelete/Tor/meek/Cobalt Strike; many others acquired tools such as PsExec, Impacket, Metasploit, etc.).
Defense Impairment
1 technique
Moses Staff has used signed drivers from an open source tool called DiskCryptor to evade detection.
Impact
3 techniques
Moses Staff has used the commercial tool DiskCryptor.
DCSrv blocks all access to the computer and encrypts all its volumes using the legitimate open-source encryption utility DiskCryptor.
Instead of using traditional ransomware, this group uses off-the-shelf software such as Windows BitLocker and DiskCryptor to encrypt files and lock access to the disk partitions with a password.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Legitimate disk encryption software abused by threat actors to encrypt victim systems as part of ransomware-style attacks.
DiskCryptor is used by Moses Staff as a tool, including its signed drivers to evade detection.
Open-source full-disk encryption utility used by the intruders to encrypt (lock out) Windows workstations for impact, requiring reboots to install a kernel-mode driver and complete encryption.
A legitimate open-source disk encryption utility abused by DCSrv to encrypt victim volumes.