New Ransomware Variant ShrinkLocker Exploits BitLocker Encryption
Quick take - ShrinkLocker is a newly identified ransomware variant that uses VBScript and BitLocker encryption to compromise systems. Its straightforward execution raises concerns about the potential for widespread attacks and highlights the importance of proactive security measures and monitoring to mitigate the risk.
Fast Facts
- Emergence and Functionality: ShrinkLocker ransomware, discovered in May 2024, uniquely utilizes VBScript and modifies BitLocker configurations for encryption, checking if BitLocker is enabled before proceeding with its attack.
- Attack Methodology: If BitLocker is not enabled, ShrinkLocker installs it, encrypts the system with a randomly generated password, and uploads this password to an attacker-controlled server, prompting users for payment to unlock their drives.
- Rapid Network Compromise: The ransomware can quickly encrypt multiple systems within a network, potentially compromising an entire domain in about 10 minutes per device, highlighting its efficiency.
- Security Concerns and Adaptability: Investigations reveal that ShrinkLocker may have been repurposed from benign code, and its adaptability allows various threat actors to modify it for simpler attacks, indicating a trend in ransomware tactics.
- Mitigation Recommendations: Organizations are advised to monitor Windows event logs, configure BitLocker recovery information in Active Directory, implement multilayered security measures, and invest in robust detection and response solutions to mitigate risks associated with such ransomware attacks.
ShrinkLocker Ransomware: A New Threat Leveraging BitLocker Encryption
ShrinkLocker, a newly discovered ransomware variant, emerged in May 2024, drawing attention for its unique use of VBScript and BitLocker for encryption.
How ShrinkLocker Operates
Unlike many contemporary ransomware programs, ShrinkLocker employs a simpler encryption method by modifying BitLocker configurations. The ransomware first checks if BitLocker is enabled on the target system. If BitLocker is not enabled, ShrinkLocker installs it and re-encrypts the system with a randomly generated password. This generated password is then uploaded to a server controlled by the attacker.
Following a system reboot, users are prompted to enter the password to unlock their encrypted drives. The attacker’s contact email is displayed on the BitLocker screen, instructing victims on how to pay a ransom for the decryption key. ShrinkLocker has the capability to encrypt multiple systems within a network swiftly, potentially compromising an entire domain in approximately 10 minutes per device.
Investigations into ShrinkLocker have raised concerns about the potential for such attack vectors to become a trend, primarily due to their straightforward execution and effectiveness. Interestingly, the code for ShrinkLocker may have originally been written over a decade ago for benign purposes but has since been repurposed for malicious uses.
Decryption and Security Measures
A decryptor for ShrinkLocker has been developed and made publicly available, contributing to a collection of 32 decryption tools. The decryption process requires several steps, including entering BitLocker Recovery Mode and executing the decryptor from a command prompt. Experts warn that decryptor tools are reactive and do not prevent future attacks, highlighting the necessity of additional security measures.
An investigation into a ShrinkLocker attack on a healthcare company revealed that the attackers targeted a corporate entity. Initial infiltration likely occurred through unmanaged systems, which pose significant risks. The attack may have originated from a contractor’s machine, underscoring the threat posed by supply chain attacks. The attackers moved laterally within the network using valid credentials from a compromised account and created scheduled tasks on the Active Directory domain controller to deploy the ransomware across domain-joined machines.
Adaptability and Recommendations
The ShrinkLocker variant used in this attack was noted to have been modified by a different author, indicating adaptability among threat actors. The attack included a hardcoded check for the domain name, suggesting it was specifically targeted. Additionally, the use of “WMIC.exe” for registry changes marked a departure from previous versions of the malware. Observations from the attack revealed typos and redundant code in the scheduled tasks, suggesting that the attacker may not have had advanced technical skills.
ShrinkLocker is being adapted by various individual threat actors for simpler attacks and is not part of a ransomware-as-a-service (RaaS) model. Its reliance on VBScript and focus on legacy systems indicate an outdated approach to ransomware. The malware’s script initializes variables and employs Windows Management Instrumentation (WMI) to gather system information, checking for specific domain membership and validating the operating system before proceeding. If the script encounters an unsupported operating system, it deletes itself.
To mitigate the risks associated with such ransomware attacks, organizations are advised to proactively monitor Windows event logs to detect potential BitLocker attacks early. Recommendations for enhancing security include configuring BitLocker to store recovery information in Active Directory, implementing multilayered security measures, and ensuring that systems are regularly updated. Additionally, investing in robust detection and response solutions is critical for effectively managing security incidents. These findings and recommendations are drawn from extensive investigations into ransomware tactics and mitigation strategies.
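The following PowerShell audit script is an added example, not code from the article or from any vendor, that checks the two controls recommended above on a single domain-joined Windows host: that BitLocker policy requires recovery information to be escrowed in Active Directory, that every protected volume actually has an escrowed RecoveryPassword protector, and that recent BitLocker management events and scheduled-task creation events are visible for log forwarding. It assumes the built-in BitLocker PowerShell module, local administrator rights, and that the Security log audits "Other Object Access Events" (needed for event 4698).

```powershell
#Requires -RunAsAdministrator
# Added defender-side audit (not from the article): verify AD escrow of
# BitLocker recovery information and surface the logs worth forwarding.

$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. Policy check: OS-drive recovery info must be backed up to AD, and the
#    backup must be required to succeed before encryption may start.
$policy     = Get-ItemProperty -Path $fvePolicy -ErrorAction SilentlyContinue
$adBackup   = [int]($policy.OSActiveDirectoryBackup)
$adRequired = [int]($policy.OSRequireActiveDirectoryBackup)
Write-Host ("AD backup of OS recovery info: enabled={0} required={1}" -f `
    ($adBackup -eq 1), ($adRequired -eq 1))

# 2. Per-volume check: every volume needs a RecoveryPassword protector that the
#    organization holds. Backup-BitLockerKeyProtector re-escrows it to AD and is
#    harmless to repeat if the key is already stored there.
foreach ($vol in Get-BitLockerVolume) {
    $types = ($vol.KeyProtector.KeyProtectorType) -join ','
    Write-Host ("{0} status={1} protectors=[{2}]" -f $vol.MountPoint, $vol.ProtectionStatus, $types)
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Write-Warning "$($vol.MountPoint): no RecoveryPassword protector; the organization holds no recovery key for this volume"
        continue
    }
    foreach ($p in $rp) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            Write-Host "  escrowed $($p.KeyProtectorId) to AD"
        } catch {
            Write-Warning "  AD escrow failed for $($p.KeyProtectorId): $($_.Exception.Message)"
        }
    }
}

# 3. Log review: recent BitLocker management events (protector changes,
#    encryption starts) so they can be baselined and forwarded to the SIEM.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 4. Scheduled-task creations (Security event 4698), the deployment vector the
#    article describes on the domain controller; review any that are unexpected.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session on each endpoint and on the domain controller; a volume that reports no RecoveryPassword protector, or a policy line with required=False, is a gap to close before an incident rather than after one.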
Original Source: Read the Full Article Here