What Is ShrinkLocker? New Ransomware Targets Microsoft BitLocker Encryption Feature


A new strain of ransomware called ShrinkLocker is being used by cyberattackers to target business computers. It exploits the Microsoft BitLocker encryption feature to encrypt the entire local drive and remove the recovery options before shutting down the PC. ShrinkLocker was discovered by cybersecurity firm Kaspersky, and experts have observed variants in Mexico, Indonesia and Jordan.

BitLocker has been used to stage ransomware attacks in the past, but this strain has “previously unreported features to maximize the damage of the attack,” Kaspersky said in a press release. ShrinkLocker is unusual in that it checks the version of a device’s Windows operating system to ensure it supports the appropriate BitLocker features, and deletes itself if it does not.

Cristian Souza, incident response specialist at Kaspersky Global Emergency Response Team, said in the press release, “What is particularly concerning about this case is that BitLocker, originally designed to mitigate the risks of data theft or exposure, has been repurposed by adversaries for malicious ends. It’s a cruel irony that a security measure has been weaponized in this way.”

Who is vulnerable to a ShrinkLocker attack?

Companies in steel and vaccine manufacturing, along with a government entity, have been targeted with ShrinkLocker so far. However, Souza told TechRepublic there “is no evidence to believe that this group is targeting specific industries,” as victims are from different countries and sectors.

BitLocker is currently only available on the Pro, Enterprise, Education and Ultimate editions of Windows operating systems, but it will be included and automatically enabled in all versions with the release of Windows 11 24H2 later this year. This significantly increases the potential pool of ShrinkLocker victims.

“Infections by ShrinkLocker can be critical if the victim does not have adequate proactive and reactive measures in place,” Souza added. “Because BitLocker is a native Windows feature, any machine with Windows Vista+ or Server 2008+ could be affected.”

How does ShrinkLocker work?

Although ShrinkLocker self-deletes after encrypting the target, Kaspersky analysts were able to work out how it operates by studying a script left on a drive of a PC that was infected but did not have BitLocker configured.

Attackers might deploy ShrinkLocker on a device by exploiting unpatched vulnerabilities, stolen credentials or internet-facing services to gain access to servers. A user might also inadvertently download the script, for example through a link in a phishing email.

“Once they have access to the target system, the attacker can try to exfiltrate information and finally execute the ransomware to encrypt the data,” Souza told TechRepublic.

When the script is triggered, it uses Windows Management Instrumentation extensions and the Win32_OperatingSystem class to query information about the device’s operating system and domain. If the device runs Windows XP, 2000, 2003 or Vista, or the current domain of the queried object does not match the target, the script deletes itself.


However, if the PC is running Windows 2008 or earlier, the script proceeds to resize its local fixed drives. It shrinks non-boot partitions by 100MB to create unallocated disk space, which is why it has been dubbed ShrinkLocker. New primary partitions are created in the unallocated space, and the boot files are reinstalled so the victim can reboot the system with the encrypted files.

Disk resizing operations performed by the script in Windows Server 2008 and 2012. Image: Kaspersky

Next, the script modifies Windows registry entries to disable Remote Desktop Protocol connections and enforce BitLocker settings such as PIN requirements. It then renames the boot partitions with the attacker’s email (onboardingbinder [at] proton [dot] me or conspiracyid9 [at] protonmail [dot] com) and changes the existing BitLocker key protectors to prevent recovery.

ShrinkLocker generates a new 64-character encryption key using the random multiplication and replacement of the following elements:

  • A variable with the numbers zero to 9.
  • The pangram “The quick brown fox jumps over the lazy dog,” which contains every letter of the English alphabet, in lowercase and uppercase.
  • Special characters.

It then enables BitLocker encryption on all of the device’s drives. ShrinkLocker only encrypts the local, fixed drives of the infected PC and does not infect network drives, most likely to help evade detection.

The 64-character key and some system details are sent to the attacker’s server via an HTTP POST request to a randomly generated subdomain of ‘trycloudflare [dot] com.’ This is a legitimate Cloudflare domain intended for developers to try out Cloudflare Tunnel without adding a site to Cloudflare’s DNS. The attackers abuse it here to hide their real address.

Finally, ShrinkLocker deletes its script and scheduled tasks, clears the logs, turns on the firewall and deletes all of its rules before forcing a shutdown. When the user restarts the device, they are presented with the BitLocker recovery screen with no recovery options available: all of the PC’s data is encrypted, locked and out of reach.

When the user reboots a device infected with ShrinkLocker, they are presented with the BitLocker recovery screen with no recovery options available. Image: Kaspersky

The new drive labels with the attacker’s email instruct the user to contact them, indicating a ransom demand for the decryption key.

Attacker’s email as a drive label. Image: Kaspersky

In a technical analysis, Kaspersky analysts describe both the detection of a ShrinkLocker attack and the decryption process as “difficult.” The latter is particularly hard because the malicious script includes variables that are different for each affected system.


Who is accountable for the ShrinkLocker attacks?

Kaspersky experts have so far been unable to identify the source of the ShrinkLocker attacks or where the decryption keys and other device information are sent. However, some information about the attackers can be gleaned from the malware script.

The experts said that the script, written in VBScript, “demonstrates that the malicious actor(s) associated with this attack have an excellent understanding of Windows internals.”

The labels containing the attacker’s email address can only be viewed if the infected device is booted by an admin in a recovery environment or with diagnostic tools, according to BleepingComputer. Furthermore, the BitLocker recovery screen can have a custom note added, yet the attackers specifically chose not to create one.

The fact that the attackers appear to have deliberately made it difficult to contact them suggests their intentions are disruption and damage rather than financial gain.

“For now, we know we are dealing with a very skilled group,” Souza told TechRepublic. “The malware we were able to analyze shows that the attackers have a deep understanding of the operating system’s internals and different living-off-the-land tools.”

How can companies protect themselves against ShrinkLocker?

Kaspersky offers the following recommendations to businesses looking to protect their devices from a ShrinkLocker infection:

  • Use robust, properly configured endpoint protection platforms to detect potential malicious activity before encryption.
  • Implement managed detection and response to proactively scan for threats.
  • Ensure BitLocker has a strong password and the recovery keys are stored in a secure location.
  • Limit user privileges to the minimum needed to do their job. That way, no unauthorised employees can enable encryption features or change registry keys on their own.
  • Enable network traffic logging and monitoring, capturing both GET and POST requests, as infected systems may transmit passwords or keys to attacker domains.
  • Monitor for VBScript and PowerShell execution events, saving logged scripts and commands to an external repository to retain activity even if local records are deleted.
  • Make backups regularly, keep them offline and test them.
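One defender-side check that follows from the recovery-key recommendation above and from the key-protector tampering described earlier. This is an added example, not code from the article or from Kaspersky: it uses the built-in BitLocker PowerShell module to snapshot the key protectors on every local volume and, on later runs, flags removed recovery protectors, newly added protectors and volumes that became protected since the baseline. The baseline path is a hypothetical location chosen for this example.

```powershell
# Added example, not from the article or from Kaspersky's analysis.
# Snapshot BitLocker key protectors on every local volume and compare them with a
# previous snapshot, flagging: recovery protectors removed, protectors added, or
# protection turned on where the baseline showed none. Requires the BitLocker module
# (Windows 8 / Server 2012 or later) and an elevated session.
# $BaselinePath is a hypothetical location chosen for this example.
param([string]$BaselinePath = "$env:ProgramData\BitLockerAudit\baseline.json")

function Get-ProtectorSnapshot {
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = [string]$_.ProtectionStatus
            # One "Type:Id" string per protector so two snapshots are easy to diff
            Protectors       = @($_.KeyProtector | ForEach-Object {
                "$($_.KeyProtectorType):$($_.KeyProtectorId)" })
        }
    }
}

function Compare-ProtectorSnapshot {
    param([object[]]$Baseline, [object[]]$Current)
    foreach ($cur in $Current) {
        $base = $Baseline | Where-Object { $_.MountPoint -eq $cur.MountPoint }
        if (-not $base) { Write-Warning "$($cur.MountPoint): volume not in baseline (new partition?)"; continue }
        $removed = @($base.Protectors) | Where-Object { $_ -notin @($cur.Protectors) }
        $added   = @($cur.Protectors)  | Where-Object { $_ -notin @($base.Protectors) }
        foreach ($p in $removed) {
            # RecoveryPassword and ExternalKey protectors are what a user needs to recover
            if ($p -like 'RecoveryPassword:*' -or $p -like 'ExternalKey:*') {
                Write-Warning "$($cur.MountPoint): recovery protector removed: $p"
            } else { Write-Output "$($cur.MountPoint): protector removed: $p" }
        }
        foreach ($p in $added) { Write-Warning "$($cur.MountPoint): protector added: $p" }
        if ($base.ProtectionStatus -eq 'Off' -and $cur.ProtectionStatus -eq 'On') {
            Write-Warning "$($cur.MountPoint): protection turned on since baseline"
        }
        if ($cur.ProtectionStatus -eq 'On' -and -not ($cur.Protectors -like 'RecoveryPassword:*')) {
            Write-Warning "$($cur.MountPoint): protected volume has no recovery password protector"
        }
    }
}

$current = @(Get-ProtectorSnapshot)
if (Test-Path $BaselinePath) {
    Compare-ProtectorSnapshot -Baseline @(Get-Content $BaselinePath -Raw | ConvertFrom-Json) -Current $current
} else {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    ConvertTo-Json -InputObject $current -Depth 4 | Set-Content $BaselinePath
    Write-Output "Baseline written to $BaselinePath; rerun after changes to compare"
}
```

The first run writes the baseline; schedule later runs and ship the warnings to a central log, since the script described above clears local logs before shutdown.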

How has BitLocker been targeted in the past?

BitLocker has been targeted by bad actors a number of times in the past, well before the emergence of ShrinkLocker. In 2021, a hospital in Belgium had 40 servers and 100 TB of its data encrypted after an attacker made use of BitLocker, causing delays in surgeries and the redirection of patients to other facilities.

The following year, another attacker targeted one of Russia’s largest meat producers in the same way, before Microsoft reported the Iranian government had sponsored a number of BitLocker-based ransomware attacks that demanded thousands of U.S. dollars for the decryption key.

