
Bitlocker ransomware

Just got a second residential computer who has MS Bitlocker locked drive due to scammer and ransom.  This person was searching the internet and got the usual call this Microsoft phone # for support.  The person was from India, and started to tell him the usual and once he had bitlocker setup, he switched to demanding $2,800 to save his computer.  This computer has no valuable information on it, and will be just wiped and clean OS installed.  But I have been given time to see if I can unlock the system for future knowledge against this type of scammer.  Any information is greatly appreciated.

btan, Exec Consultant
Distinguished Expert 2019

Commented:
Ideally, if the password is simple then you can try a few, since you are no worse off. Otherwise there are three Bitlocker password brute-force cracking tools which can recover a lost Bitlocker password by running an attack. Catch the link.

https://www.m3datarecovery.com/bitlocker-drive-data-recovery/unlock-bitlocker-without-password-recovery-key.html#s2
Adam Leinss, Systems Administrator

Commented:
If it's Bitlockered, it's game over.  The scammer probably enabled BitLocker and set his own protector password and deleted the recovery key from the C: drive (Print to XPS/PDF, then delete the file afterwards).
Distinguished Expert 2019

Commented:
Unless the scammer was an idiot, there's nothing you can do. He will have chosen to set a recovery password (48-digit key) as the sole protector and not an additional password, which can be brute-forced sooner or later. The recovery password cannot be brute-forced with today's computing power.
Jason Johanknecht, IT Manager

Author

Commented:
How legit is this M3 recovery software?
Most Valuable Expert 2013

Commented:
The scammers are usually working from a list of passwords on their screen that they simply cut and paste into their victim's Bitlocker setup.
You could try the brute-force suggestion, but normally you're dealing with a lengthy random combination of characters that only the "call centre" originating the scam hold, and a dictionary/rainbow table attack is unlikely to succeed.

TBH that's why Bitlocker gets used, it's a proven encryption method that resists cracking. And it's more fashionable than using SysKey ;)
Adam Leinss, Systems Administrator

Commented:
Here you go: https://www.elcomsoft.com/efdd.html.

Elcomsoft is legit software.

It's only $599, except if it can't find the password, add another $599: Elcomsoft Distributed Password Recovery (https://www.elcomsoft.com/edpr.html)
Most Valuable Expert 2013

Commented:
Good thought, but surely that's only going to work if the user's computer has hibernation enabled?  The scammer will have removed any memory dump as part of the setup (unless they were silly enough to just encrypt the data partition).

Think they still provide a free trial though which will see if any Bitlocker keys can be recovered.

If you're in the US you may find it blacklisted for use on any Federal machine, as Elcomsoft is a wholly Russian-owned company (see the Kaspersky issues), but this one sounds like it's a home PC.
Adam Leinss, Systems Administrator

Commented:
After I said "game over", the original requester was still asking for software to defeat BitLocker, so I gave him a legitimate solution, a $1200 solution that doesn't even count the amount of time you might spend running the solution and never recover the passcode.  This was already linked from btan to the M3 software (which included a link to the Elcomsoft software I mentioned).  The M3 software doesn't crack BitLocker; it will only help you recover data if your hard drive is failing and was BitLockered AND you have the BitLocker recovery password.

A slight possibility and I do mean slight, is if the scammer saved the recovery key to the C: drive and then deleted it.  You could try recovering the deleted file with Recuva to a USB flash drive.  That's assuming the end user was watching and remembering what the scammer was doing, which itself is highly improbable.
Distinguished Expert 2019

Commented:
"You could try recovering the deleted file with Recuva" - not if C: is encrypted :-)
Well, it's no use debating - we don't know how the scammer proceeded, so usually this is only worth trying if the data is extremely valuable.
Scott Silva, Network Administrator

Commented:
Chalk it up as education to the user that fell for the scam...
One of the reasons I try and train my users to not fall for the simple scams at least...
btan, Exec Consultant
Distinguished Expert 2019

Commented:
The software mentioned so far, like M3 or Elcomsoft (as well as those in the link shared), are considered forensic tools. So I'm not sure what the author is concerned about in terms of legitimacy. If you are thinking there may be malicious code or a backdoor, there shouldn't be, and you need to give it the benefit of the doubt since you are stuck anyway if you even resort to cracking the password.

The data and HDD belong to the owner. If the Bitlocker protection is tied to the TPM then you have less chance if you are thinking of taking out the HDD for analysis.
Scott Silva, Network Administrator

Commented:
Bitlocker recovery is an expensive project, and if the data isn't worth it, I would just blow it away and move on... There aren't any legitimate and inexpensive tools available that I know of...
Jason Johanknecht, IT Manager

Author

Commented:
The end user is 80 years old, and doesn't remember any more details.  As I stated originally, the data has no value.  This is an opportunity for testing Bitlocker recovery.  The M3 site is a very basic template layout, and I'm cautious not to infect business computers over testing and recovery for a residential computer.  Thanks to everyone for the great responses.
Jason Johanknecht, IT Manager

Author

Commented:
New Bitlocker PC: I was able to restore the system to a date in December and everything is working fine now.  I have just started scanning the system for malware.  So far a Norton full scan produced no detections.  The pop-up scammer message with the 800 # to call no longer exists, nor does the system shut down.  I have not checked if Bitlocker is still active yet.  This computer did boot into Windows, but would launch the 800 # and if you closed it, the system would shut down in 2 minutes.  It was when attempting to scan the drive externally that Bitlocker HDD encryption was detected.  This is different from the other Bitlocker-locked drives I have seen, as access in Windows was still working.  They did allow Task Manager, but most controls in Windows were locked out due to an undetermined virus/malware.
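Added example, not code from this thread or from Microsoft: a PowerShell check for the pattern described above (protection turned on with a recovery password as the sole protector and no TPM) on a PC that, like this one, still boots into Windows. It assumes the BitLocker PowerShell module is present (Pro/Enterprise editions) and is run from an elevated prompt on the affected machine; when BitLocker is still active, the recovery password is readable from the running system, so the owner can record it before deciding whether to decrypt.

```powershell
# Inventory BitLocker state on every volume and flag the "locked by a stranger"
# pattern: protection On, no TPM protector, only a RecoveryPassword protector.
#Requires -RunAsAdministrator
Import-Module BitLocker -ErrorAction Stop

function Get-BitLockerFindings {
    foreach ($vol in Get-BitLockerVolume) {
        $protectors = @($vol.KeyProtector)
        # Protector types as strings, e.g. Tpm, TpmPin, Password, RecoveryPassword
        $types  = @($protectors | ForEach-Object { [string]$_.KeyProtectorType })
        $hasTpm = [bool]($types | Where-Object { $_ -like 'Tpm*' })
        $onlyRecovery = ($types.Count -gt 0) -and
                        -not ($types | Where-Object { $_ -ne 'RecoveryPassword' })

        # The 48-digit recovery password is exposed by this cmdlet only while
        # logged on (elevated) to the booted system; it is not recoverable later.
        $recovery = @($protectors |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object { $_.RecoveryPassword })

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, ...
            ProtectionStatus = $vol.ProtectionStatus   # On / Off
            Protectors       = ($types -join ',')
            Suspicious       = (([string]$vol.ProtectionStatus) -eq 'On') -and
                               -not $hasTpm -and $onlyRecovery
            RecoveryPassword = ($recovery -join ' ')
        }
    }
}

$findings = Get-BitLockerFindings
$findings | Format-Table -AutoSize

foreach ($f in ($findings | Where-Object { $_.Suspicious })) {
    $msg = ('{0} is protected only by a recovery password with no TPM. Record the ' +
            'key shown above, then decrypt with: Disable-BitLocker -MountPoint {0}') -f $f.MountPoint
    Write-Warning $msg
}
```

The same inventory is available without PowerShell via `manage-bde -status` and `manage-bde -protectors -get C:` on the booted system.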
Joe Winograd, Developer
Fellow 2017
Most Valuable Expert 2018

Commented:
"The end user is 80 years old, and doesn't remember any more details."
Just curious... do you think the first part of that sentence is related to the second part?
IT Manager

Commented:
Using System Restore to an earlier date has resolved the issue on 1 Bitlocker PC, but others remain locked.
Jason Johanknecht, IT Manager

Author

Commented:
Yes, Joe... I do believe they go hand in hand.  LOL