Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware Victims

Summary:
Romanian cybersecurity company Bitdefender has developed a free decryptor for ShrinkLocker ransomware victims, offering a way to recover data encrypted by the malware. This decryptor was created after Bitdefender analyzed ShrinkLocker’s mechanisms and identified a recovery opportunity right after the removal of BitLocker protectors. ShrinkLocker, first detected by Kaspersky in May 2024, exploits Microsoft’s BitLocker to encrypt files, impacting victims in Mexico, Indonesia, and Jordan. In one case investigated by Bitdefender, the ransomware spread from a contractor’s device to a Middle Eastern healthcare company, highlighting the growing trend of supply chain infiltration.


The attack progressed by using legitimate credentials to access an Active Directory domain controller, followed by two scheduled tasks: one to distribute the ransomware via VBScript across networked machines and another to execute it. ShrinkLocker’s unique approach uses BitLocker encryption rather than its own algorithm and leverages system-specific data to generate a random encryption password, which is then uploaded to the attacker’s server.


Security Officer Comments:
Bitdefender noted a bug in the VBScript that can halt the ransomware if a reboot fails, potentially disrupting the attack. ShrinkLocker also modifies system settings to limit remote access, disable firewalls, and remove audit logs. The ransomware’s name is misleading as it doesn’t actually shrink partitions on newer systems, and it can encrypt a network in minutes through Group Policy Objects.


Suggested Corrections:
Decryptor tool and directions:

  1. Download the decryption tool from https://download.bitdefender.com/am/malware_removal/BDShrinkLockerUnlocker.exe
  2. Turn on your computer and wait for the BitLocker recovery screen to appear. When prompted for the BitLocker recovery key, press Esc to enter BitLocker Recovery Mode.
  3. On the BitLocker Recovery screen, select "Skip this drive".
    • Choose "Troubleshoot" and then "Advanced options".
    • Select "Command Prompt" from the advanced options menu.
  4. Ensure you have the BDShrinkLockerUnlocker.exe file prepared. You can transfer it to a USB drive and plug it into your computer. In the command prompt, navigate to the drive letter where the decryptor is located (e.g., D:\).
  5. Type the following command and press Enter: D:\BDShrinkLockerUnlocker.exe
    • Note: You can disconnect the USB drive after launching the decryptor.
  6. The decryption process can take some time, depending on your system's hardware and the complexity of the encryption. Please be patient. Once the decryption is complete, the decryptor will automatically unlock the drive and disable smart card authentication.
  7. After rebooting, your computer should start normally.

Bitdefender also recommends the following mitigations:
  • Proactive monitoring of specific Windows event logs can help organizations identify and respond to potential BitLocker attacks, even in their early stages, such as when attackers are testing their encryption capabilities. Specifically, track events from the "Microsoft-Windows-BitLocker-API/Management" source, particularly those with event IDs 776 (protectors removal) and 773 (BitLocker suspension).
  • While this monitoring can help in detection, there is also Group Policy configuration that can act as a proactive prevention. By configuring BitLocker to store recovery information in Active Directory Domain Services (AD DS) and enforcing the policy "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives," organizations can significantly reduce the risk of BitLocker-based attacks.
  • The policy "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives" ensures that BitLocker encryption cannot be started unless the necessary recovery information is securely stored in Active Directory. This prevents unauthorized encryption attempts, as the attacker would need to both encrypt the drive and locate and remove the recovery information from AD.
Note: This policy should be implemented and evaluated carefully, following established change management best practices. Threat actors can identify and disable this policy before launching an attack. Nevertheless, it serves as a valuable deterrent, particularly against less sophisticated attackers, and can give defenders additional opportunity and time to respond and mitigate the impact of an attack.
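To put the event-log recommendation in the first bullet above into practice, the following added PowerShell script (not from Bitdefender or this bulletin) queries the BitLocker-API provider for event IDs 773 and 776 on one or more hosts and reports any hits; the provider name and the "No events were found" error text are assumed to match current Windows builds.

```powershell
# Added example: look for BitLocker protector removal (776) and BitLocker
# suspension (773) events, the two IDs the bulletin calls out, over a window.
# Assumptions: run elevated; remote hosts need Remote Event Log Management
# allowed through the firewall; provider name as shown in Event Viewer.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$LookbackMinutes = 60
)

# Same selection as an XPath query for a Windows Event Forwarding subscription:
# *[System[Provider[@Name='Microsoft-Windows-BitLocker-API'] and (EventID=773 or EventID=776)]]
$filter = @{
    ProviderName = 'Microsoft-Windows-BitLocker-API'
    Id           = 773, 776
    StartTime    = (Get-Date).AddMinutes(-$LookbackMinutes)
}

$meaning = @{
    773 = 'BitLocker suspended (protection off)'
    776 = 'BitLocker protectors removed'
}

foreach ($target in $ComputerName) {
    try {
        $events = Get-WinEvent -ComputerName $target -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent raises an error when nothing matches; that is the normal, quiet case.
        if ($_.Exception.Message -match 'No events were found') { continue }
        Write-Warning "$target : $($_.Exception.Message)"
        continue
    }

    foreach ($e in $events) {
        # One record per hit; pipe to Export-Csv or a SIEM forwarder as needed.
        [pscustomobject]@{
            Computer = $target
            Time     = $e.TimeCreated
            EventId  = $e.Id
            Meaning  = $meaning[$e.Id]
            Detail   = ($e.Message -split "`r?`n")[0]   # first line names the volume
        }
    }
}
```

Scheduling this every few minutes against domain members, or using the XPath above in a WEF subscription, turns a one-off check into continuous detection of the early "testing" phase the bulletin describes.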

Link(s):
https://thehackernews.com/2024/11/free-decryptor-released-for-bitlocker.html

https://www.bitdefender.com/en-us/b...r-decryptor-from-friend-to-foe-and-back-again