Newly discovered ransomware uses BitLocker to encrypt victim data

Previously unknown ransomware called ShrinkLocker encrypts victims’ data using the BitLocker functionality built into the Windows operating system.

BitLocker is a full-featured volume encryptor that debuted in 2007 with the release of Windows Vista. It lets users encrypt entire hard drives so that anyone who gains physical access to the disk cannot read or modify the data on it. Since the rollout of Windows 10, BitLocker has used 128-bit or 256-bit XTS-AES encryption by default, which gives it additional protection against attacks that manipulate ciphertext to cause predictable changes in the plaintext.

Recently, researchers at security firm Kaspersky discovered a threat actor using BitLocker to encrypt data on systems located in Mexico, Indonesia, and Jordan. Researchers named the new ransomware ShrinkLocker, both for its use of BitLocker and because it reduces the size of each unbootable partition by 100 MB and divides the newly unallocated space into new primary partitions of the same size.

“Our incident response and malware analysis prove that attackers are constantly refining their tactics to evade detection,” the researchers wrote Friday. “In this incident, we observed abuse of the native BitLocker functionality for unauthorized data encryption.”

ShrinkLocker is not the first malware to exploit BitLocker. In 2022, Microsoft reported that ransomware attackers with a connection to Iran were also using the tool to encrypt files. The same year, Russian agricultural company Miratorg was attacked by ransomware that used BitLocker to encrypt files residing in the system storage of infected devices.

Once installed on a device, ShrinkLocker runs a VisualBasic script that first queries Windows Management Instrumentation (WMI) through the Win32_OperatingSystem class to obtain operating system information.

“For each object in the query results, the script checks whether the current domain is different from the target,” Kaspersky researchers wrote. “If so, the script ends automatically. After that, it checks if the operating system name contains “XP”, “2000”, “2003” or “Vista”, and if the Windows version matches any of them, the script ends automatically and is deleted.”

A screenshot showing the initial execution conditions.

The script then continues to use WMI to query information about the operating system. It then performs disk resizing operations, which may vary depending on the OS version detected. The ransomware performs these operations only on fixed local disks. The decision to leave network drives alone is likely motivated by a desire not to trigger network detection protections.

Eventually, ShrinkLocker disables the protectors that secure the BitLocker encryption key and removes them. It then enables a numeric password protector, which both locks anyone else out of regaining control of BitLocker and serves as the key that encrypts the system data. Removing the default protectors is what disables the device owner's key-recovery options. ShrinkLocker then generates a 64-character encryption key using random multiplication and replacement of:

  • A variable with the numbers 0 to 9;
  • The famous pangram “The quick brown fox jumps over the lazy dog”, in lowercase and uppercase, which contains every letter of the English alphabet;
  • Special characters.

After several additional steps, the data is encrypted. The next time the device restarts, the display will look like this:

Screenshot showing the BitLocker recovery screen.

Decrypting the disks without the attacker-supplied key is difficult, and in many cases impossible. Although some of the passphrases and fixed values used to generate the keys can be recovered, the script uses different variable values on each infected device, and those variable values are not easy to recover.

There is no protection specific to ShrinkLocker that can prevent successful attacks. Kaspersky advises the following:

  • Use robust, properly configured endpoint protection to detect threats that attempt to abuse BitLocker;
  • Implement managed detection and response (MDR) to proactively analyze threats;
  • If BitLocker is enabled, make sure it uses a strong password and that recovery keys are stored in a secure location;
  • Make sure users have minimal privileges. This prevents them from enabling encryption features or modifying registry keys themselves;
  • Enable network traffic logging and monitoring. Configure logging of GET and POST requests. In the event of an infection, requests to the attacker’s domain may contain passwords or keys;
  • Monitor events associated with VBS and PowerShell execution, and save the logged scripts and commands to an external repository, since attackers may delete that activity from local logs;
  • Take frequent backups, store them offline, and test them.
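The behaviour described above (a script removing BitLocker key protectors, adding a numeric password protector and starting encryption) and the recommendation to monitor script execution suggest a simple host-based detection. The following is an added example, not code from Kaspersky or from the article: it runs a rule over process-creation records (the fields mirror Windows Security event 4688 with command-line auditing enabled) and alerts when manage-bde is launched from under wscript.exe or cscript.exe with protector-removal arguments. The sample events are constructed, and the assumption that the malicious script drives BitLocker through the manage-bde command-line tool is mine; the article does not say which tooling ShrinkLocker uses for these steps.

```python
import json
import ntpath
from collections import defaultdict

# Constructed sample of process-creation records (4688-style fields). Not real telemetry.
# WS01: a script host spawns manage-bde three times; WS02: an admin runs manage-bde
# interactively from PowerShell, which this rule deliberately ignores.
SAMPLE_EVENTS = [
    {"ts": "2024-05-24T09:00:01Z", "host": "WS01", "pid": 1100, "ppid": 900,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\Public\update.vbs"},
    {"ts": "2024-05-24T09:00:05Z", "host": "WS01", "pid": 1200, "ppid": 1100,
     "image": r"C:\Windows\System32\manage-bde.exe",
     "cmdline": "manage-bde -protectors -delete C:"},
    {"ts": "2024-05-24T09:00:06Z", "host": "WS01", "pid": 1300, "ppid": 1100,
     "image": r"C:\Windows\System32\manage-bde.exe",
     "cmdline": "manage-bde -protectors -add C: -pw"},
    {"ts": "2024-05-24T09:00:09Z", "host": "WS01", "pid": 1400, "ppid": 1100,
     "image": r"C:\Windows\System32\manage-bde.exe",
     "cmdline": "manage-bde -on C:"},
    {"ts": "2024-05-24T10:12:00Z", "host": "WS02", "pid": 2100, "ppid": 2000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"ts": "2024-05-24T10:12:30Z", "host": "WS02", "pid": 2200, "ppid": 2100,
     "image": r"C:\Windows\System32\manage-bde.exe",
     "cmdline": "manage-bde -status C:"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# manage-bde argument sets that correspond to the stages described in the article.
# Each label fires when all of its tokens appear on the command line.
INDICATORS = {
    "protector_removed": {"-protectors", "-delete"},
    "password_protector_added": {"-protectors", "-add", "-pw"},
    "encryption_started": {"-on"},
}


def _basename(path):
    return ntpath.basename(path).lower()


def classify_bitlocker_command(cmdline):
    """Return the indicator labels whose tokens are all present in the command line."""
    tokens = set(cmdline.lower().split())
    return [name for name, needed in INDICATORS.items() if needed <= tokens]


def script_host_ancestor(event, by_pid, max_depth=5):
    """Walk the parent chain on the same host; return the nearest wscript/cscript ancestor or None."""
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get((cur["host"], cur["ppid"]))
        if parent is None:
            return None
        if _basename(parent["image"]) in SCRIPT_HOSTS:
            return parent
        cur = parent
    return None


def detect_scripted_bitlocker_abuse(events):
    """Group manage-bde invocations by the script process that spawned them and alert
    when that script removed key protectors. Severity rises when the same script also
    added a password protector or started encryption."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    findings = defaultdict(lambda: {"indicators": set(), "commands": []})
    for e in events:
        if _basename(e["image"]) != "manage-bde.exe":
            continue
        labels = classify_bitlocker_command(e["cmdline"])
        if not labels:
            continue
        script = script_host_ancestor(e, by_pid)
        if script is None:
            continue  # interactive or service-driven use is out of scope for this rule
        key = (e["host"], script["pid"])
        findings[key]["indicators"].update(labels)
        findings[key]["commands"].append(e["cmdline"])

    alerts = []
    for (host, spid), data in findings.items():
        if "protector_removed" not in data["indicators"]:
            continue
        alerts.append({
            "host": host,
            "script_pid": spid,
            "script_cmdline": by_pid[(host, spid)]["cmdline"],
            "severity": "high" if len(data["indicators"]) > 1 else "medium",
            "indicators": sorted(data["indicators"]),
            "commands": data["commands"],
        })
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_scripted_bitlocker_abuse(SAMPLE_EVENTS), indent=2))
```

The rule keys on parentage rather than on manage-bde alone, because administrators legitimately run the tool by hand; 4688 records only carry the command line when the "Include command line in process creation events" audit policy is enabled, and, as the recommendations above note, the records should be forwarded off the host so the script cannot delete them after the fact.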

Friday’s report also includes indicators that organizations can use to determine whether they have been targeted by ShrinkLocker.

Listing image by Getty Images

News source: Gn tech