ShrinkLocker Uses Windows BitLocker Utility To Infect Computers


Attackers abuse the Windows BitLocker utility because it is a powerful, built-in tool for selectively encrypting a system or its data, which makes it an effective way to lock users out.

Attackers can use BitLocker to encrypt the victim’s files, making them inaccessible without the key, and then demand payment before revealing it, which makes the scheme function exactly like ransomware.

Kaspersky’s analysis describes “ShrinkLocker”, which cleverly leverages Windows’ built-in BitLocker full-disk encryption to lock victims out of their data.


After encrypting local drives, it shrinks drive partitions by 100MB to create its own boot partition, disables BitLocker recovery keys, and sends the encryption key to attackers. 

On reboot, victims see the standard BitLocker password prompt but cannot access their system, with drive labels changed to the attacker’s email ransom address instead of a typical ransom note.

ShrinkLocker has blocked access to the drive with BitLocker (Source – Kaspersky)

ShrinkLocker is a complex VBScript ransomware that gathers information about the OS version, prepares the drives by shrinking their partitions, and modifies the Windows registry so that BitLocker encrypts the drives the way the attacker specifies.

It then disables the recovery keys, enables a password protector in their place, generates a password, and uses that password to encrypt the drive.

Next, it sends this password and the collected system data to the attacker’s C2 server through a Cloudflare subdomain, removes itself from the compromised system, clears all logs, and reboots the machine, leaving victims at the BitLocker prompt with no way to recover their files.

The attacks have already been reported in Indonesia, Jordan, and Mexico.

Recommendations

The recommendations are as follows:

  • Implement least privilege, restricting the ability to modify the registry or enable full-disk encryption.
  • Enable HTTP POST request logging for traffic monitoring and detection of potential password and key exfiltration.
  • Monitor and log VBS and PowerShell activity, and store the logs externally, as the malware may delete local logs.
  • Regularly back up data to offline storage.
  • Use reliable endpoint security solutions.
  • Utilize EDR to monitor and respond to suspicious endpoint activity.
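As an added example (not from the article or Kaspersky), the following Python implements the "monitor VBS activity" recommendation as a detection: it scores process-creation events where a script host spawns the tools a script would need for the steps described above (shrinking partitions, changing BitLocker registry policy, swapping protectors, clearing logs) and alerts when one host shows several of them. The mapping of each step to diskpart, reg, manage-bde and wevtutil is an assumption of this example, as the article names no tools; the sample events are constructed.

```python
import re
from collections import defaultdict

# Script hosts whose child processes we inspect (the page's "VBS activity").
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Each described step mapped to the Windows tool a script would plausibly spawn
# for it plus a command-line pattern. This mapping is an assumption of the
# example; the article itself names no tools.
STAGES = {
    # diskpart reads its shrink commands from a script file, so any diskpart
    # launched by a script host is treated as the partition-shrink step.
    "shrink_partition": (r"diskpart\.exe$", r""),
    "bitlocker_registry_policy": (r"reg\.exe$", r"\badd\b.*\\fve\b"),
    "delete_recovery_protector": (r"manage-bde\.exe$", r"-protectors\s+-delete\b"),
    "add_password_protector": (r"manage-bde\.exe$", r"-protectors\s+-add\b.*\s-p(w|assword)\b"),
    "clear_event_logs": (r"wevtutil\.exe$", r"\bcl\b"),
}

def classify(event):
    """Return the stage a process-creation event matches, or None."""
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    if parent not in SCRIPT_HOSTS:
        return None  # same tools run by an admin shell are not flagged here
    image, cmd = event["image"].lower(), event["cmdline"].lower()
    for stage, (image_re, cmd_re) in STAGES.items():
        if re.search(image_re, image) and re.search(cmd_re, cmd):
            return stage
    return None

def detect(events, min_stages=2):
    """Collect stages per host; alert on hosts showing at least min_stages."""
    seen = defaultdict(set)
    for event in events:
        stage = classify(event)
        if stage:
            seen[event["host"]].add(stage)
    return {host: sorted(stages) for host, stages in seen.items()
            if len(stages) >= min_stages}

# Constructed sample events in a Sysmon-like shape (not real telemetry).
SYS32 = "C:\\Windows\\System32\\"
WSCRIPT = SYS32 + "wscript.exe"
def ev(host, parent, image, cmdline):
    return {"host": host, "parent": parent, "image": image, "cmdline": cmdline}
SAMPLE_EVENTS = [
    ev("ws01", WSCRIPT, SYS32 + "diskpart.exe", "diskpart.exe /s C:\\Users\\Public\\d.txt"),
    ev("ws01", WSCRIPT, SYS32 + "reg.exe", "reg.exe add HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f"),
    ev("ws01", WSCRIPT, SYS32 + "manage-bde.exe", "manage-bde.exe -protectors -delete C: -type RecoveryPassword"),
    ev("ws01", WSCRIPT, SYS32 + "manage-bde.exe", "manage-bde.exe -protectors -add C: -pw"),
    ev("ws01", WSCRIPT, SYS32 + "wevtutil.exe", "wevtutil.exe cl System"),
    ev("ws02", WSCRIPT, SYS32 + "wevtutil.exe", "wevtutil.exe cl Application"),  # one stage only
    ev("ws03", SYS32 + "powershell.exe", SYS32 + "manage-bde.exe", "manage-bde.exe -status"),  # admin
]
```

Running `detect(SAMPLE_EVENTS)` alerts only on ws01, which shows all five stages; ws02 shows a single stage and ws03's manage-bde call has no script-host parent.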
