
Researchers from Kaspersky have uncovered a new ransomware strain named ShrinkLocker, exploiting Microsoft’s built-in BitLocker encryption tool.
The ransomware, which has already targeted industrial, pharmaceutical, and government organizations, utilizes a sophisticated VBS script to hijack BitLocker, encrypting entire volumes and stealing the decryption keys.
Threat actors have turned this protective Microsoft feature into a tool for malicious encryption. By deploying an advanced VBS script, attackers encrypt entire volumes and steal the decryption keys, effectively holding critical data hostage.
ShrinkLocker ransomware has been detected in various regions, including Mexico, Indonesia, and Jordan. The attackers’ TTPs not only maximize the damage but also complicate incident response efforts.
The attackers’ VBScript, discovered under the filename Disk.vbs and stored in C:\ProgramData\Microsoft\Windows\Templates, converts strings to binary representations using an ADODB.Stream object. It employs WMI to gather information about the operating system and checks for compatibility with various Windows versions, terminating if it detects an unsupported OS such as Windows XP, 2000, 2003, or Vista.
The script’s primary function is to resize and partition local drives. It avoids network drives to minimize detection risk. For Windows Server 2008 or 2012, the script uses diskpart to shrink non-boot partitions and create new 100 MB primary partitions, which are then formatted and activated. It uses bcdboot to reinstall boot files on these new partitions, setting the stage for encryption.
Subsequent steps involve disabling RDP connections, enforcing smart card authentication, and configuring BitLocker settings to allow encryption without a TPM chip. The script generates a complex 64-character encryption key and sends it, along with system information, to the attackers via an HTTP POST request, obfuscating the real destination by using Cloudflare’s legitimate domain.
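The sequence described above (a VBScript launched from the Templates directory, then diskpart, then bcdboot) is what a detection rule can key on. The following is an added example, not code from Kaspersky’s report: it correlates constructed process-creation events per host and flags only hosts where all three stages occur within a time window. The event tuple layout and the 10-minute window are assumptions for this illustration.

```python
import re
from collections import defaultdict

# Indicators taken from the write-up: the script's drop directory, diskpart
# (partition shrinking) and bcdboot (reinstalling boot files on the new partition).
SCRIPT_PATH = re.compile(r"c:\\programdata\\microsoft\\windows\\templates\\[^\"]+\.vbs", re.I)
STAGES = {
    "vbs_from_templates": lambda img, cmd: img.lower().endswith(("wscript.exe", "cscript.exe"))
    and SCRIPT_PATH.search(cmd) is not None,
    "diskpart": lambda img, cmd: img.lower().endswith("diskpart.exe"),
    "bcdboot": lambda img, cmd: img.lower().endswith("bcdboot.exe"),
}


def find_shrinklocker_chains(events, window=600):
    """events: iterable of (host, epoch_seconds, image_path, command_line).

    Returns {host: sorted stage names} for every host where all three stages
    occur within `window` seconds of the earliest matching stage."""
    per_host = defaultdict(list)
    for host, ts, image, cmdline in events:
        for name, match in STAGES.items():
            if match(image, cmdline):
                per_host[host].append((ts, name))
    hits = {}
    for host, seen in per_host.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            stages = {n for t, n in seen[i:] if t - t0 <= window}
            if stages == set(STAGES):
                hits[host] = sorted(stages)
                break
    return hits


# Constructed sample events (assumed format; values are not from the report).
SAMPLE_EVENTS = [
    ("srv01", 1000, r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\ProgramData\Microsoft\Windows\Templates\Disk.vbs"'),
    ("srv01", 1040, r"C:\Windows\System32\diskpart.exe", "diskpart.exe"),
    ("srv01", 1120, r"C:\Windows\System32\bcdboot.exe", r"bcdboot.exe C:\Windows /s E:"),
    # Lone diskpart use by an administrator: one stage only, no alert.
    ("ws02", 2000, r"C:\Windows\System32\diskpart.exe", "diskpart.exe"),
    # All three stages, but bcdboot runs hours later: outside the default window.
    ("srv03", 3000, r"C:\Windows\System32\cscript.exe",
     r'cscript.exe "C:\ProgramData\Microsoft\Windows\Templates\Disk.vbs"'),
    ("srv03", 3050, r"C:\Windows\System32\diskpart.exe", "diskpart.exe"),
    ("srv03", 10500, r"C:\Windows\System32\bcdboot.exe", r"bcdboot.exe C:\Windows /s E:"),
]

if __name__ == "__main__":
    print(find_shrinklocker_chains(SAMPLE_EVENTS))
```

Widening the window trades fewer misses for more noise from legitimate partition and boot repair work, so tune it against your own baseline of diskpart and bcdboot usage.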
A multi-layered approach is recommended to defend against ShrinkLocker:
- Robust Endpoint Protection
- Managed Detection and Response
- Secure BitLocker implementation
- Stringent Least Privilege Principle
- Network Monitoring
- Regular Backups


Nice information