Here’s more ransomware using BitLocker against Microsoft’s own users

Even more ransomware uses Microsoft BitLocker to encrypt company files, steal the decryption key and then extort a payment from the victim organizations, Kaspersky said.

The antivirus maker’s Global Emergency Response team discovered the malware, called ShrinkLocker, in Mexico, Indonesia and Jordan, and said the code’s unnamed operators targeted steel and vaccine manufacturing companies, plus a government agency.

Criminals, including ransomware gangs, using legitimate software tools are nothing new: hello, Cobalt Strike. And Microsoft previously said that Iranian miscreants had abused Windows’ built-in BitLocker full-volume encryption feature to lock down compromised devices. We can recall other forms of extortionware that use BitLocker on infected machines to encrypt data and hold it for ransom.

However, with ShrinkLocker “the adversary took additional steps to maximize the damage of the attack and hinder an effective response to the incident,” Kasperky threat hunters Cristian Souza, Eduardo Ovalle, Ashley Muñoz and Christopher Zachor said in a study published Thursday published. The article provides technical details for detecting and blocking ShrinkLocker variants.

The register has reached out to Redmond for comment and will update this story if and when we hear back.

Ransomware attacks hospital security professionals as people admit to suicidal feelings


Once they have executed code on a victim’s machine, the data thieves deploy ShrinkLocker, which uses VBScript to examine Windows Management Instrumentation to determine the operating system version. It does this so that it selects the appropriate steps for whatever Microsoft operating system is running, allowing it to extort current systems as well as systems dating back to Windows Server 2008.

As for these steps, the script performs disk resizing operations (this is the “Shrink” part of ShrinkLocker) on fixed rather than network drives (presumably to minimize detection), adjusts partition and boot settings , causes BitLocker to be active, and ultimately encrypts the computer’s storage. See the Kaspersky report for how that works specifically for each version of Microsoft’s operating systems.

Furthermore, the malware changes the label of the partitions to the extortionists’ email address, allowing the victim to contact the crooks.

After sending the decryption key needed to access the encrypted drives to a server controlled by the criminals, the malware deletes the key locally, destroying the user’s recovery options along with system logs that can help network defenders make it easier to detect or analyze the attack.

Finally, the affected system shuts down and displays the BitLocker screen with the message: “There are no more BitLocker recovery options on your PC.” Game is over.

In addition to listing ShrinkLocker’s indicators of compromise and suggesting that organizations use managed detection and response products to look for threats, Kaspersky recommends that companies take steps to avoid falling victim to these ransomware infections.

This includes restricting user rights so that they cannot enable encryption features or modify registry keys. And if you have BitLocker enabled, use a strong password and keep the recovery keys safe.

Also monitor VBScript and PowerShell execution events and log as much critical system activity as possible to a remote repository that cannot be deleted locally.

Additionally, regularly backup systems and files, store them offline, and be sure to test them to ensure they are recoverable in the event of ransomware or other security issue. ®

PS: Still feeling good about that Windows Recall and the encrypted snapshots?

Leave a Reply

Your email address will not be published. Required fields are marked *