Bitdefender has released a free decryptor for ShrinkLocker ransomware, which exploits Windows BitLocker to encrypt systems. Discover all about the techniques used by attackers and the free decryptor tool released by Bitdefender to help victims recover their data.
Cybersecurity researchers at Bitdefender have discovered a new type of ransomware called ShrinkLocker, and a subsequent solution to combat this threat. The new threat was identified in May 2024, written in VBScript, and 70% of its code is hard-coded to be “only executed on legacy systems like Windows 7/8 or Windows Server 2008/2012,” researchers noted in the report shared with Hackread.com ahead of its publishing.
Unlike modern ransomware that relies on complex encryption algorithms, ShrinkLocker employs a unique approach to manipulating Windows BitLocker configurations to encrypt system drives. This is a more straightforward route to compromise devices.
What happens is that it first checks for the presence of BitLocker and, if absent, installs it. Then, it re-encrypts the system using a randomly generated password, known only to the attacker. This password is then uploaded to a server controlled by the adversary, rendering the system inaccessible to the victim. The attacker then demands a ransom to provide the decryption key.
Bitdefender researchers analyzed a ShrinkLocker attack on a Middle Eastern healthcare company where the attackers gained access to an unmanaged system. on an Active Directory domain controller, creating text files and initiating a remote session.
According to the company’s blog post, two scheduled tasks were executed under the SYSTEM context, ensuring widespread deployment of the ransomware. They successfully encrypted systems running various operating systems, including Windows 10, Windows 11, Windows Server 2016, and Windows Server 2019.
What makes ShrinkLocker particularly concerning is its capability to compromise entire networks with minimal effort. By exploiting Group Policy Objects (GPOs) and scheduled tasks, it can encrypt multiple systems within a network in as little as 10 minutes per device. This simplicity makes it an attractive option for individual threat actors who may not be part of larger ransomware-as-a-service (RaaS) operations.
Free ShrinkLocker Ransomware Decryptor
However, Bitdefender Labs researchers have found a window of opportunity for full data recovery immediately after the ransomware removed protectors from BitLocker-encrypted disks. Their in-depth analysis led to the development of a free decryptor, now available to the public.
The decryptor offers a lifeline to victims of past ShrinkLocker attacks, enabling them to regain access to their encrypted data. By providing a practical solution, which has, thus far, saved an estimated $1.6 billion in ransom fees. Bitdefender Labs has demonstrated its commitment to combating cyber threats and safeguarding digital assets.
It is noteworthy that ShrinkLocker uses a Windows feature, BitLocker, to encrypt entire drives, including system drives. Therefore, proactive monitoring of Windows event logs can help organizations identify and respond to BitLocker attacks, especially during the early stages when attackers are testing their encryption capabilities. Tracking events from the “Microsoft-Windows-BitLocker-API/Management” source can also help.
RELATED TOPICS
- Free Decryptor for LockerGoga Ransomware Victims
- Universal decryptor key for REvil ransomware released
- How to decrypt data from Hakbit, Jigsaw ransomware for free
- Man Hacks Attacker, Releases Mushtik Ransomware Decryption Keys
- Kransom Ransomware Poses as a Game, Attacks via DLL Side-Loading