
What is ShrinkLocker? New ransomware targets Microsoft BitLocker encryption feature

Cyber attackers are using a new ransomware strain called ShrinkLocker to attack corporate computers. It exploits Microsoft BitLocker encryption to encrypt entire local drives and remove recovery options before shutting down the PC. Cybersecurity firm Kaspersky discovered ShrinkLocker, and analysts have found variants in Mexico, Indonesia, and Jordan.

BitLocker has been used to launch ransomware attacks in the past, but this strain “has previously unreported capabilities that maximize the destructive power of an attack,” Kaspersky said in a press release. ShrinkLocker is unique in that it checks a device’s Windows operating system version to ensure it has the appropriate BitLocker features enabled, but deletes itself if that’s not possible.

“What’s particularly concerning about this case is that BitLocker, which was designed to reduce the risk of data theft or leakage, was used by an adversary for malicious purposes,” Cristian Souza, incident response expert at Kaspersky’s Global Emergency Response Team, said in the press release. “It is a cruel irony that a security measure has been weaponized in this way.”

Who is vulnerable to ShrinkLocker attacks?

Steel and vaccine manufacturing companies, as well as government agencies, have been targeted by ShrinkLocker so far. However, Souza told TechRepublic that there is “no evidence that the group is targeting specific industries” because the victims come from a variety of countries and industries.

BitLocker is currently only available in Professional, Enterprise, Education, and Ultimate editions of the Windows operating system, but with the release of Windows 11 24H2 later this year, it will be included in all editions and automatically activated. This greatly increases the potential range of ShrinkLocker victims.

“A ShrinkLocker infection can be very serious if the victim does not take adequate proactive and reactive measures,” Souza added. “Since BitLocker is a native feature of Windows, any machine with Windows Vista+ or Server 2008+ can be affected.”

How does ShrinkLocker work?

Although ShrinkLocker deletes itself after encrypting its target, Kaspersky analysts discovered how it works by studying scripts left on the drives of infected PCs that didn’t have BitLocker configured.

An attacker could exploit an unpatched vulnerability, stolen credentials, or an internet-facing service to gain access to a server and deploy ShrinkLocker on a device. A user could also download the script unintentionally, such as through a link in a phishing email.

“Once they are inside the target system, the attackers attempt to steal information and ultimately execute ransomware to encrypt the data,” Souza told TechRepublic.

Once the script is triggered, it uses Windows Management Instrumentation (WMI) and the Win32_OperatingSystem class to query information about the device’s operating system and domain. If the device is running Windows XP, 2000, 2003, or Vista, or if the domain returned by the query does not match the attacker’s target, the script deletes itself.


However, if the PC is running Windows 2008 or a later version, the script proceeds to resize its local fixed drive. It shrinks the non-boot partition by 100MB to create unallocated disk space, which is why it is called ShrinkLocker. A new primary partition is created in the unallocated space and the boot files are reinstalled there so that the system can still be restarted once the files are encrypted.

Disk resizing performed by a script in Windows Server 2008 and 2012. Image credit: Kaspersky

Next, the script modifies Windows registry keys to disable Remote Desktop Protocol connections and enforce BitLocker settings such as PIN requirements. It then renames the boot partition with the attacker’s email address — onboardingbinder[at]Proton[dot]me or conspiracyid9[at]Proton Mail[dot]com — and replaces the existing BitLocker key protector to prevent recovery.

ShrinkLocker creates a new 64-character encryption key by randomly multiplying and substituting the following elements:

  • Digits from zero to nine.
  • The pangram “The quick brown fox jumped over the lazy dog,” which contains every letter of the English alphabet, in both lowercase and uppercase.
  • Special characters.

It then enables BitLocker encryption on all drives of the device. ShrinkLocker only encrypts the local fixed drives of the infected PC and does not touch network drives, which may help it evade detection.

The 64-character key and some system information are sent to the attacker’s server via an HTTP POST request to “trycloudflare[dot]com”. This is a legitimate Cloudflare domain designed for developers to test Cloudflare Tunnel without adding their site to Cloudflare’s DNS. The attacker used this domain to hide their real address.

Finally, ShrinkLocker deletes its scripts and scheduled tasks, clears logs, opens the firewall and deletes all rules, and then forces a shutdown. When users restart their devices, they see the BitLocker recovery screen with no recovery options available—all PC data is encrypted, locked, and inaccessible.

When users restart a ShrinkLocker-infected device, they see the BitLocker recovery screen, but no recovery options are available. Image: Kaspersky

New drive labels with the attackers’ emails instruct users to contact them, implicitly demanding a ransom for a decryption key.

The attacker’s email serves as a drive label. Image credit: Kaspersky

In a technical analysis, Kaspersky analysts described both the detection and decryption process of the ShrinkLocker attack as “very difficult.” The latter is particularly difficult because the malicious script contains variables that are different for each affected system.

Who is responsible for the ShrinkLocker attack?

So far, Kaspersky experts have not been able to determine the source of the ShrinkLocker attacks, nor where the decryption keys and other device information are sent. However, some information about the attackers could be gleaned from the malware scripts.

The script, written in VBScript, “suggests that the malicious actors involved in this attack have a very deep understanding of Windows internals,” analysts said.

According to BleepingComputer, the label containing the attacker’s email address can only be viewed by an administrator when booting an infected device in a recovery environment or using a diagnostic tool. Additionally, the BitLocker recovery screen has the ability to add a custom note, but the attackers chose not to create one.

The attackers appeared to deliberately create a situation where contact was difficult, suggesting their motive was disruption and destruction rather than financial gain.

“At this point, we know we are dealing with a highly skilled group,” Souza told TechRepublic. “The malware we were able to analyze showed that the attackers have a deep understanding of the internals of the operating system and various off-the-shelf tools.”

How can businesses protect themselves from ShrinkLocker?

Kaspersky offers the following advice for businesses looking to protect their devices from ShrinkLocker infection:

  • Use a strong and properly configured endpoint protection platform to detect potentially malicious activity before encryption.
  • Implement managed detection and response to proactively scan for threats.
  • Ensure BitLocker has a strong password and that the recovery key is stored in a safe place.
  • Limit user rights to the minimum necessary to get the job done, so that unauthorized people cannot enable encryption or change registry keys on their own.
  • Enable network traffic logging and monitoring, capturing GET and POST requests, as the infected system may transmit passwords or keys to the attacker’s domain.
  • Monitor VBScript and PowerShell execution events, and save recorded scripts and commands to an external repository so that activity is preserved even if the local logs are deleted.
  • Back up frequently, with backups stored offline and tested.
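The behaviour chain described above (a VBScript run through a script host, a WMI Win32_OperatingSystem query, partition and BitLocker changes, registry edits that disable RDP and enforce BitLocker settings, and an HTTP POST to a trycloudflare domain) is exactly what the monitoring advice in the list is meant to surface. The following is an added example, not code from Kaspersky or from this article: a Python correlation that runs over a constructed, normalised endpoint-telemetry export and raises one alert per host that hits several of those indicators inside a short window. The event field names, the hostnames and paths, and the assumption that partition resizing and BitLocker enforcement show up as diskpart.exe / manage-bde.exe process starts are all assumptions made for the example; the BitLocker policy hive (HKLM\SOFTWARE\Policies\Microsoft\FVE) and the RDP fDenyTSConnections value are real Windows locations.

```python
"""Correlate endpoint telemetry for a ShrinkLocker-style BitLocker-abuse chain.

Added example. Events are constructed for illustration and the field names
assume a normalised EDR/SIEM export rather than any vendor's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
# Assumption: partition resizing and BitLocker enforcement appear as these tools.
DISK_AND_BITLOCKER_TOOLS = {"diskpart.exe", "manage-bde.exe"}
BITLOCKER_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\FVE"   # real BitLocker policy hive
RDP_DENY_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
EXFIL_DOMAIN_SUFFIX = ".trycloudflare.com"                       # named in the article


def is_vbs_script_host(e):
    """cscript/wscript launched with a .vbs argument."""
    return (e["type"] == "process_create"
            and e["image"].lower() in SCRIPT_HOSTS
            and ".vbs" in e.get("cmdline", "").lower())


def is_os_wmi_query(e):
    """WMI query against Win32_OperatingSystem (the OS-version check)."""
    return e["type"] == "wmi_query" and "win32_operatingsystem" in e["query"].lower()


def is_disk_or_bitlocker_tool(e):
    return e["type"] == "process_create" and e["image"].lower() in DISK_AND_BITLOCKER_TOOLS


def is_lockout_registry_change(e):
    """BitLocker policy edits, or RDP being switched off (fDenyTSConnections = 1)."""
    if e["type"] != "registry_set":
        return False
    path = e["path"]
    return path.startswith(BITLOCKER_POLICY_KEY) or (
        path == RDP_DENY_VALUE and str(e.get("value")) == "1")


def is_trycloudflare_post(e):
    return (e["type"] == "http_request" and e["method"] == "POST"
            and e["dst_host"].lower().endswith(EXFIL_DOMAIN_SUFFIX))


INDICATORS = [
    ("vbs_script_host", is_vbs_script_host),
    ("os_version_wmi_query", is_os_wmi_query),
    ("disk_or_bitlocker_tool", is_disk_or_bitlocker_tool),
    ("bitlocker_or_rdp_registry_change", is_lockout_registry_change),
    ("post_to_trycloudflare", is_trycloudflare_post),
]


def detect(events, window_minutes=30, min_indicators=3):
    """Return one alert per host whose events hit at least `min_indicators`
    distinct indicators inside any `window_minutes`-long window."""
    by_host = defaultdict(list)
    for e in events:
        for name, pred in INDICATORS:
            if pred(e):
                by_host[e["hostname"]].append((datetime.fromisoformat(e["ts"]), name))
    window = timedelta(minutes=window_minutes)
    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        best = {}
        for i, (t0, _) in enumerate(hits):          # slide the window over each hit
            seen = {}
            for t, name in hits[i:]:
                if t - t0 > window:
                    break
                seen.setdefault(name, t)
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_indicators:
            alerts.append({"hostname": host,
                           "indicators": sorted(best),
                           "first_seen": min(best.values()).isoformat()})
    return alerts


# Constructed sample telemetry: one infected host and one host doing routine admin work.
SAMPLE_EVENTS = [
    {"ts": "2024-05-20T09:00:05", "hostname": "WS-FINANCE-01", "type": "process_create",
     "image": "cscript.exe", "cmdline": r"cscript.exe //B C:\Users\Public\update.vbs"},
    {"ts": "2024-05-20T09:00:07", "hostname": "WS-FINANCE-01", "type": "wmi_query",
     "query": "SELECT * FROM Win32_OperatingSystem"},
    {"ts": "2024-05-20T09:01:10", "hostname": "WS-FINANCE-01", "type": "process_create",
     "image": "diskpart.exe", "cmdline": "diskpart.exe /s C:\\Users\\Public\\dp.txt"},
    {"ts": "2024-05-20T09:02:30", "hostname": "WS-FINANCE-01", "type": "registry_set",
     "path": BITLOCKER_POLICY_KEY + r"\UseAdvancedStartup", "value": 1},
    {"ts": "2024-05-20T09:02:31", "hostname": "WS-FINANCE-01", "type": "registry_set",
     "path": RDP_DENY_VALUE, "value": 1},
    {"ts": "2024-05-20T09:03:00", "hostname": "WS-FINANCE-01", "type": "process_create",
     "image": "manage-bde.exe", "cmdline": "manage-bde.exe -on C: -usedspaceonly"},
    {"ts": "2024-05-20T09:05:44", "hostname": "WS-FINANCE-01", "type": "http_request",
     "method": "POST", "dst_host": "example-words.trycloudflare.com"},
    # Benign: an admin checking BitLocker status and an inventory agent querying WMI.
    {"ts": "2024-05-20T10:00:00", "hostname": "WS-HR-02", "type": "process_create",
     "image": "manage-bde.exe", "cmdline": "manage-bde.exe -status"},
    {"ts": "2024-05-20T10:01:00", "hostname": "WS-HR-02", "type": "wmi_query",
     "query": "SELECT Caption, Version FROM Win32_OperatingSystem"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The threshold matters: a single manage-bde or WMI query is everyday administration, so the rule only fires when several distinct stages of the chain cluster on one host. Raising `min_indicators` trades recall for precision; the POST to a trycloudflare host is the least ambiguous single signal and is worth alerting on by itself if the organisation has no legitimate use for Cloudflare Tunnel.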

What attacks has BitLocker been subject to in the past?

BitLocker had been abused by attackers many times before ShrinkLocker appeared. In 2021, 40 servers and 100 TB of data at a Belgian hospital were encrypted after attackers exploited BitLocker, causing surgeries to be delayed and patients to be transferred to other institutions.

The following year, another attacker used the same method to attack one of Russia’s largest meat suppliers. Then, Microsoft reported that the Iranian government sponsored multiple BitLocker-based ransomware attacks, demanding thousands of dollars in payments for decryption keys.
