New Shrinklocker Ransomware Uses Bitlocker to Encrypt Your Files
Summary:
ShrinkLocker is a newly identified ransomware strain that encrypts corporate systems through Windows BitLocker by creating a new boot partition. Targeting sectors such as government, vaccine, and manufacturing, ShrinkLocker operates by shrinking non-boot partitions to form a new boot volume. Unlike previous ransomware, ShrinkLocker is designed with advanced features to maximize its destructive capability. Written in VBScript, the ransomware identifies the specific Windows version running on the target machine and proceeds with the attack only if certain conditions are met. If the target matches the criteria, ShrinkLocker uses the diskpart utility to shrink non-boot partitions and create new primary volumes of the same size.vThe ransomware then reinstalls boot files on these newly created partitions using the BCDEdit command-line tool.
Security Officer Comments:
Additionally, it modifies registry settings to disable remote desktop connections and enable BitLocker encryption on systems without a Trusted Platform Module TPM. Instead of dropping a ransom file, ShrinkLocker provides contact emails in the new boot partition label, which is challenging for administrators to detect. After encryption, the ransomware deletes BitLocker protectors, making recovery impossible. Kaspersky has discovered multiple variants of ShrinkLocker used against various organizations, including government entities and industries in Mexico, Indonesia, and Jordan.
Suggested Corrections:
Companies are encouraged to use BitLocker or other encryption tools (such as VeraCrypt) to protect corporate secrets. However, a few precautions must be taken to avoid the abuse by attackers.
- Use robust, properly configured EPP solution to detect threats that try to abuse BitLocker;
- Implement Managed Detection and Response (MDR) to proactively scan for threats;
- If BitLocker is enabled, make sure you are using a strong password and have the recovery keys stored in a secure location;
- Ensure that users have only minimal privileges. This way, they cannot enable encryption features or change registry keys on their own;
- Enable network traffic logging and monitoring. Configure the logging of both GET and POST requests. In case of infection, the requests made to the attacker’s domain may contain passwords or keys;
- Monitor for events associated with VBS execution and PowerShell, and save the logged scripts and commands to an external repository storing activity that may be deleted locally;
- Make backups frequently, store them offline, and test them.
Link(s):
https://www.bleepingcomputer.com/ne...somware-uses-bitlocker-to-encrypt-your-files/