BitLocker exploited by new ransomware named ShrinkLocker
Windows BitLocker has once again been manipulated for malicious activities. Renowned security analysts from Kaspersky Lab uncovered a new ransomware called ShrinkLocker which misuses BitLocker to encrypt data on targeted devices. The malefactors employed this ransomware to attack IT infrastructures of companies and government institutions in Mexico, Indonesia, and Jordan.
The malicious operation of ShrinkLocker
The malicious parties utilize a harmful VBScript, a scripting language for automating tasks on Windows devices. The script checks for the version of the operating system (OS) in use, running BitLocker on PCs using platform versions from Vista or Windows Server 2008 onwards. However, if the script detects an older OS version, it will simply uninstall itself from the device.
The malevolent script subsequently shrinks all storage partitions by 100 megabytes (MB), utilizing the freed space to create a new boot partition – an activity that led to the ransomware being named ShrinkLocker. The device data is then encrypted using BitLocker, generating a new 64-character encryption key that is sent to the culprits along with other victim PC information. Once the encryption is complete, the computer reboots, loading the OS from the newly created partition and completely blocking victim access to stored information. The new boot partition is then renamed to the hacker’s email address for the victims to possibly negotiate ransom and restoration of device functionality.
The distinct operation of ShrinkLocker
The report indicates that the author of ShrinkLocker likely has comprehensive knowledge of Windows internal functions and utilities. Kaspersky Lab’s experts, however, could not determine from where the attacks using the new malware are conducted or where the victim data is sent. ShrinkLocker has only been identified on a single PC that didn’t have BitLocker installed. The experts believe that the nature of these attacks suggests the culprits may be more focused on disrupting functionality and destroying data than collecting ransom.
Recommended preventive measures
To protect against such attacks, it is recommended to regularly create backup copies. There should also be restrictions on user editing rights to prevent alterations to BitLocker or registry settings from user accounts. In addition, utilizing advanced security solutions capable of tracking suspicious activity and protecting the IT infrastructure is suggested.
