Bitlocker ransomware

Ideally if the password is simple then you can try a few since you are no worst off. Otherwise there are three Bitlocker password brute-force cracking tools which can recover lost Bitlocker password by running a attack. Catch the link.

https://www.m3datarecovery.com/bitlocker-drive-data-recovery/unlock-bitlocker-without-password-recovery-key.html#s2

If it's Bitlockered, it's game over.  The scammer probably enabled BitLocker and set his own protector password and deleted the recovery key from the C: drive (Print to XPS/PDF, then delete the file afterwards).

Unless the scammer was an idiot, there's nothing you can do. He will have chosen to set a recovery password (48-digit key) as sole protector and not an additional password which can be brute-forced, sooner or later. The recovery password cannot be brute forced with todays's computing powers.

How legit is this M3 recovery software?

The scammers are usually working from a list of passwords on their screen that they simply cut and paste onto their victim's Bitlocker setup
You could try the brute force suggestion but normally you're dealing with a lengthy random combination of characters that only the "call centre" originating the scam hold and a directory/rainbow table attack is unlikely to succeed.  

TBH that's why Bitlocker gets used, it's a proven encryption method that resists cracking. And it's more fashionable than using SysKey ;)

Here you go: https://www.elcomsoft.com/efdd.html.

Elcomsoft is legit software.

It's only $599, except if it can't find the password, add another $599: Elcomsoft Distributed Password Recovery (https://www.elcomsoft.com/edpr.html)

Good thought but surely that's only going to work if the users computer has hibernation enabled?  The scammer will have removed any memory dump as part of the setup (unless they were silly enough to just encrypt the data partition).

Think they still provide a free trial though which will see if any Bitlocker keys can be recovered.

If you're in the US you may find it blacklisted as Elcomsoft is wholly owned Russian company (see Kaspersky issues) for use on any Federal machine but this one sounds like it's a home PC.

After I said "game over", the original requester was still asking for software to defeat BitLocker, so I gave him a legitimate solution, a $1200 solution that doesn't even count the amount of time you might spend running the solution and never recover the passcode.  This was already linked from btan to the M3 software (which included a link to the Elcomsoft software I mentioned).  The M3 software doesn't crack BitLocker, it only will help you recover data if your hard drive is failing and was BitLockered AND you have the Bitlocker recovery password.

A slight possibility and I do mean slight, is if the scammer saved the recovery key to the C: drive and then deleted it.  You could try recovering the deleted file with Recuva to a USB flash drive.  That's assuming the end user was watching and remembering what the scammer was doing, which itself is highly improbable.

"You could try recovering the deleted file with Recuva" - not if c: is encrypted :-)
Well, it's no use debating - we don't know how the scammer proceeded, so usually, this is just worth trying if the data is extremely valuable.

Chalk it up as education to the user that fell for the scam...
One of the reasons I try and train my users to not fall for the simple scams at least...

Those software mentioned so far like ME or Elcomsoft (as well as those in the link shared) are considered forensic tool. So not sure what the author is concern of in term of legitimacy. If you are thinking if there is any malicious codes or backdoor, it shouldn't be and you need to give that benefit of doubt since you are stuck anyway to even sort to cracking the password.

The data and HDD belongs to the owner. If the bitlocker protection is tied to the TPM then you have lesser chance if you are thinking to take out the HDD for analysis.

Bitlocker recovery is an expensive project, and if the data isn't worth it, I would just blow it away and move on... There isn't any legitimate and inexpensive tools available that I know of...

The end user is 80 years old, and doesn't remember any more details.  As I stated originally, the data has no value.  This is an opportunity for testing bitlocker recovery.  The M3 site is very basic template layout, and cautious not to infect business computers over testing and recovery for residential computer.  Thanks to everyone for the great responses.

New bitlocker PC, I was able to restore the system to a date in December and everything is working fine now.  I have just started scanning the system for malware.  So far Norton full scan produced no detections.  The pop-up scammer message with 800 # to call no longer exists, nor does the system shut down.  I have not checked if Bitlocker is still active yet.  This computer did boot into Windows, but would launch the 800# and if you closed it, the system would shutdown in 2 minutes.  When attempting to scan the drive externally, is where it detected bitlocker HDD encryption.  This is different from the other bit locker locked drives I have seen, as access in Windows was still working.  They did allow task manager, but most controls in Windows were locked out due to a undetermined virus/malware.

The end user is 80 years old, and doesn't remember any more details.

Just curious...do you think the first part of that sentence is related to the second part?

Yes, Joe... I do believe they go hand in hand.  LOL