The new ShrinkLocker ransomware uses BitLocker to encrypt your files

A new strain of ransomware called ShrinkLocker creates a new boot partition to encrypt corporate systems using Windows BitLocker.

ShrinkLocker, so named because it creates a new boot volume by shrinking the available non-boot partitions, has been used to attack a government agency and companies in the vaccine and manufacturing sectors.

Create new boot volumes

Ransomware that uses BitLocker to encrypt computers is not new. A threat actor used the security feature in Windows to encrypt 100 TB of data on 40 servers at a hospital in Belgium. Another attacker used it to encrypt the systems of a Moscow-based meat producer and distributor.

In September 2022, Microsoft warned that an Iranian state-sponsored attacker was using BitLocker to encrypt systems running Windows 10, Windows 11, or Windows Server 2016 and newer.

However, Kaspersky says that ShrinkLocker comes “with previously unreported features to maximize the damage of the attack.”

ShrinkLocker is written in Visual Basic Scripting (VBScript), a language that Microsoft introduced in 1996 and is now on a deprecation path – available as a feature-on-demand starting in Windows 11, version 24H2 (currently in release preview phase).

One of the script's first steps is to detect the specific Windows version running on the target computer, using Windows Management Instrumentation (WMI) to query the Win32_OperatingSystem class.

The attack will only proceed if specific conditions are met, such as the current domain matching the target and an operating system (OS) version newer than Vista. Otherwise, ShrinkLocker terminates and removes itself from the system.

If the target meets the requirements for the attack, the malware uses the diskpart utility in Windows to shrink each non-bootable partition by 100 MB and split the unallocated space into new primary volumes of the same size.

[Image: ShrinkLocker code for resizing partitions. Caption: ShrinkLocker creates 100 MB partitions. Source: Kaspersky]

Kaspersky researchers say that on Windows 2008 and 2012, ShrinkLocker first saves the boot files, along with the index of the other volumes, before the resizing takes place.

The same resizing operations are performed on other Windows OS versions, but with a different piece of code, the researchers explain in their technical analysis.

The malware then uses the command-line utility BCDEdit to reinstall the boot files onto the newly created partitions.

[Image: ShrinkLocker code for reinstalling boot files. Caption: ShrinkLocker reinstalls boot files on new partitions. Source: Kaspersky]

Lock out users

ShrinkLocker also modifies registry entries to disable remote desktop connections and to enable BitLocker encryption on hosts without a Trusted Platform Module (TPM) – a special chip that provides hardware-based, security-related features.

Through dynamic malware analysis, Kaspersky researchers were able to confirm that the malware made the following registry changes:

  • fDenyTSConnections = 1: Disables RDP connections
  • scforceoption = 1: Enforces smart card authentication
  • UseAdvancedStartup = 1: Requires the use of the BitLocker PIN for pre-boot authentication
  • EnableBDEWithNoTPM = 1: Allows BitLocker without a compatible TPM chip
  • UseTPM = 2: Allows the use of TPM, if available
  • UseTPMPIN = 2: Allows the use of a boot PIN with TPM, if available
  • UseTPMKey = 2: Enables the use of a boot key with TPM, if available
  • UseTPMKeyPIN = 2: Enables the use of a boot key and PIN with TPM, if available
  • EnableNonTPM = 1: Enables BitLocker without a compatible TPM chip, requires a password or boot key on a USB flash drive
  • UsePartialEncryptionKey = 2: Requires the use of a boot key with TPM
  • UsePIN = 2: Requires the use of a boot PIN with TPM
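The list above maps directly onto a host-triage check. The following PowerShell script is an added example (not code from the article or from Kaspersky's report): it reads each of the listed values from its standard Windows policy location (the paths are an assumption based on where Windows normally keeps them, since the article does not print them), compares them with the values ShrinkLocker sets, and warns when most of the profile matches. It is read-only and should be run elevated on the host being examined.

```powershell
# Added example, not from the article or Kaspersky: audit the registry values the
# article lists and report which ones currently match the ShrinkLocker profile.
# Registry paths are the standard Windows locations for these values (assumption).

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

$checks = @(
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'; Name='fDenyTSConnections'; Expected=1; Note='RDP disabled' }
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='scforceoption'; Expected=1; Note='smart card logon forced' }
    @{ Path=$fve; Name='UseAdvancedStartup';      Expected=1; Note='pre-boot authentication required' }
    @{ Path=$fve; Name='EnableBDEWithNoTPM';      Expected=1; Note='BitLocker allowed without TPM' }
    @{ Path=$fve; Name='UseTPM';                  Expected=2; Note='TPM allowed' }
    @{ Path=$fve; Name='UseTPMPIN';               Expected=2; Note='TPM+PIN allowed' }
    @{ Path=$fve; Name='UseTPMKey';               Expected=2; Note='TPM+startup key allowed' }
    @{ Path=$fve; Name='UseTPMKeyPIN';            Expected=2; Note='TPM+key+PIN allowed' }
    @{ Path=$fve; Name='EnableNonTPM';            Expected=1; Note='non-TPM BitLocker enabled' }
    @{ Path=$fve; Name='UsePartialEncryptionKey'; Expected=2; Note='startup key required' }
    @{ Path=$fve; Name='UsePIN';                  Expected=2; Note='startup PIN required' }
)

# Returns the DWORD value, or $null when the key or value does not exist.
function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$results = foreach ($c in $checks) {
    $current = Get-RegistryDword -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Value    = "$($c.Path)\$($c.Name)"
        Current  = $current
        Expected = $c.Expected
        Matches  = ($current -eq $c.Expected)
        Meaning  = $c.Note
    }
}

$results | Format-Table Value, Current, Expected, Matches, Meaning -AutoSize

$matched = @($results | Where-Object Matches).Count
if ($matched -ge 8) {
    Write-Warning "$matched of $($results.Count) registry values match the ShrinkLocker profile; treat this host as suspect and do not reboot it until recovery keys are confirmed."
}
```

A handful of these values (for example UseTPM = 2) are set legitimately by Group Policy, so the script reports the whole profile rather than alerting on any single value; the threshold of eight matches is a starting point to tune against a known-good build of your own fleet.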

The threat actor behind ShrinkLocker does not leave a ransom file to establish a communication channel with the victim. Instead, they provide a contact email address (onboardingbinder[at]proton[dot]me, conspiracy9[at]protonmail[dot]com) as the label of the new boot partitions.

However, this label won’t be seen by administrators unless they boot the device using a recovery environment or through other diagnostic tools, making it quite easy to miss.
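Because the partition layout and the volume label are the artefacts an administrator is most likely to miss, the PowerShell below (an added example, not code from the article or from Kaspersky) walks every partition on the host, records its size and file-system label, and flags partitions that are roughly 100 MB or carry an email-address-like label. The 90-110 MB tolerance and the email regular expression are assumptions chosen for this example; the script needs the Storage module (Windows 8 / Server 2012 and later) and is read-only.

```powershell
# Added example, not from the article or Kaspersky: look for the artefacts the article
# describes: ~100 MB partitions carved out of existing volumes, boot/active partitions
# among them, and volume labels that look like an email address.

$minMB = 90   # assumption: tolerance around the 100 MB size the article cites
$maxMB = 110
$emailLike = '[^\s@"]+@[^\s@"]+\.[^\s@"]+'   # assumption: loose email pattern

$report = foreach ($p in Get-Partition) {
    # Not every partition has a mounted volume (e.g. MSR); tolerate that.
    $vol = $null
    try { $vol = $p | Get-Volume -ErrorAction Stop } catch { }
    $label  = if ($vol) { $vol.FileSystemLabel } else { '' }
    $sizeMB = [math]::Round($p.Size / 1MB)

    $flags = @()
    if ($sizeMB -ge $minMB -and $sizeMB -le $maxMB) { $flags += 'size~100MB' }
    if ($label -match $emailLike)                   { $flags += 'email-label' }
    if ($p.IsBoot -or $p.IsActive)                  { $flags += 'boot/active' }

    [pscustomobject]@{
        Disk      = $p.DiskNumber
        Partition = $p.PartitionNumber
        SizeMB    = $sizeMB
        Type      = $p.Type
        Label     = $label
        Flags     = ($flags -join ',')
    }
}

$report | Sort-Object Disk, Partition | Format-Table -AutoSize

# An email-like label is a strong indicator on its own; a ~100 MB partition that is
# also boot/active, on a disk that has several such partitions, is the layout the
# article describes.
$suspect = $report | Where-Object {
    $_.Flags -match 'email-label' -or
    ($_.Flags -match 'size~100MB' -and $_.Flags -match 'boot/active')
}
if ($suspect) {
    Write-Warning "Partitions matching the ShrinkLocker layout found:"
    $suspect | Format-Table -AutoSize
}
```

On a healthy system the 100 MB EFI system partition will show up as size~100MB with a System partition type; what stands out in the ShrinkLocker case is a small boot or active partition per data volume, typically of Basic type and labelled with the contact address.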

[Image: ShrinkLocker email contact used for the boot volume name. Source: Kaspersky]

After encrypting the drives, the threat actor removes the BitLocker protections (e.g. TPM, PIN, boot key, password, recovery password, recovery key) to deny the victim any option to recover the BitLocker encryption key sent to the attacker.
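The end state the article describes, an encrypted volume with every protector stripped, is straightforward to check for, and the same cmdlets give the mitigation Kaspersky recommends later in the piece (secure storage of recovery keys). The PowerShell below is an added example, not code from the article or from Kaspersky: it inventories the key protectors on every BitLocker volume, flags encrypted volumes that have no recovery password, and optionally escrows existing recovery passwords to Active Directory. It assumes an elevated session, the BitLocker module (Windows 8 / Server 2012 and later) and, for the escrow step, a domain-joined host whose policy permits key backup.

```powershell
# Added example, not from the article or Kaspersky: inventory BitLocker key protectors,
# flag encrypted volumes with no recovery password, and (optionally) escrow recovery
# passwords to Active Directory. Requires elevation and the BitLocker module.

Import-Module BitLocker -ErrorAction Stop

$escrow = $false   # set to $true to back up recovery passwords to AD (assumes domain policy allows it)

$report = foreach ($v in Get-BitLockerVolume) {
    $types       = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $encrypted   = $v.VolumeStatus -ne 'FullyDecrypted'
    $hasRecovery = $types -contains 'RecoveryPassword'

    $flag = if ($encrypted -and $types.Count -eq 0) { 'NO PROTECTORS' }
            elseif ($encrypted -and -not $hasRecovery) { 'NO RECOVERY PASSWORD' }
            else { '' }

    [pscustomobject]@{
        Volume     = $v.MountPoint
        Status     = $v.VolumeStatus
        Protection = $v.ProtectionStatus
        Percent    = $v.EncryptionPercentage
        Protectors = ($types -join ',')
        Flag       = $flag
    }

    if ($escrow -and $hasRecovery) {
        $recovery = $v.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        foreach ($kp in $recovery) {
            # Stores the recovery password on the computer object in AD.
            Backup-BitLockerKeyProtector -MountPoint $v.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }
}

$report | Format-Table Volume, Status, Protection, Percent, Protectors, Flag -AutoSize

if ($report | Where-Object Flag) {
    Write-Warning 'Encrypted volume(s) without a recovery password found; confirm a copy of the key is held off-host before this machine is rebooted.'
}
```

A volume reporting FullyEncrypted with an empty Protectors column is exactly the state that leaves the victim without recovery options once the machine restarts; if the host is still up, that is the moment to copy off data or add a recovery password (Add-BitLockerKeyProtector with -RecoveryPasswordProtector) before anything else happens.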

The encryption key is a 64-character string that the script builds by randomly multiplying and replacing a variable, drawing on the digits 0-9, special characters and the holoalphabetic phrase “The quick brown fox jumps over the lazy dog.”

The key is sent to the attacker through TryCloudflare, a legitimate service that allows developers to experiment with Cloudflare Tunnel without adding a site to Cloudflare's DNS.

In the final phase of the attack, ShrinkLocker forces the system to shut down for all changes to take effect, leaving the user with their drives locked and no BitLocker recovery options.

[Image: ShrinkLocker leaves no recovery options after BitLocker encryption. Source: Kaspersky]

BitLocker allows you to create a custom message on recovery screens, which would have been a perfect place to display an extortion message to victims.

The lack of an easily visible ransom note and an email simply left as a disk label could indicate that these attacks are destructive in nature rather than for financial gain.

Kaspersky found that ShrinkLocker has multiple variants and has been used against a government agency and organizations in the steel and vaccine manufacturing industries in Mexico, Indonesia and Jordan.

Cristian Souza, incident response specialist at Kaspersky Global Emergency Response Team, says companies using BitLocker on their systems should ensure secure storage of recovery keys and make regular backups that are stored and tested offline.

Additionally, it is recommended that organizations use a properly configured Endpoint Protection Platform (EPP) solution to detect attempts to abuse BitLocker, enforce least privilege for users, enable logging and monitoring of network traffic (both GET and POST requests), track events related to VBScript and PowerShell execution, and log the related scripts.
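The recommendation to track script execution becomes concrete once process-creation auditing with command-line logging is turned on. The PowerShell below is an added example, not code from the article or from Kaspersky: it pulls the last week of Security event 4688 records, tags the ones that involve the tooling the article describes (a VBScript host, diskpart, bcdedit) plus manage-bde as an assumed BitLocker-related tool, and warns when a single account has run the script host, diskpart and bcdedit within the window. It assumes the "Audit Process Creation" and "Include command line in process creation events" policies are enabled (Windows 8.1 / Server 2012 R2 and later) so that the events carry NewProcessName, CommandLine and ParentProcessName, and that it runs with rights to read the Security log.

```powershell
# Added example, not from the article or Kaspersky: hunt Security-log process-creation
# events (4688) for the tool chain the article describes. Assumes command-line logging
# for process creation is enabled; otherwise CommandLine is empty. Read-only.

$days  = 7                                   # assumption: look-back window
$since = (Get-Date).AddDays(-$days)

$patterns = [ordered]@{
    'script-host' = '\\(wscript|cscript)\.exe'
    'vbs-arg'     = '\.vbs(\s|"|$)'
    'diskpart'    = '\\diskpart\.exe'
    'bcdedit'     = '\\bcdedit\.exe'
    'manage-bde'  = '\\manage-bde\.exe'      # assumption: not named in the article
}

$filter = @{ LogName = 'Security'; Id = 4688; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $cmd  = "$($data['NewProcessName']) $($data['CommandLine'])"
    $tags = @($patterns.Keys | Where-Object { $cmd -match $patterns[$_] })
    if ($tags.Count -gt 0) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = $data['SubjectUserName']
            Parent  = $data['ParentProcessName']
            Tags    = ($tags -join ',')
            Command = $cmd
        }
    }
}

$hits | Sort-Object Time | Format-Table Time, User, Parent, Tags, Command -AutoSize -Wrap

# Sequencing heuristic: a script host, diskpart and bcdedit all run by the same account
# within the window is far more telling than any one of these events alone.
$required = @('script-host', 'diskpart', 'bcdedit')
$hits | Group-Object User | ForEach-Object {
    $seen = @($_.Group.Tags -split ',' | Sort-Object -Unique)
    $missing = @($required | Where-Object { $_ -notin $seen })
    if ($missing.Count -eq 0) {
        Write-Warning "Account '$($_.Name)' ran a script host, diskpart and bcdedit within the last $days days; review the commands above."
    }
}
```

Administrators legitimately run diskpart and bcdedit, so the value of this query is in the combination and the parent: a bcdedit launched by cscript.exe or wscript.exe from a script in a user-writable location deserves a look even without the full chain. The same tagging can be applied to Sysmon event 1 if that is the process telemetry available.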
