New ShrinkLocker Ransomware Weaponizes BitLocker to Target Corporate Systems

May 27, 2024 | News

New ShrinkLocker Ransomware Exploits BitLocker to Lock Down Corporate Systems

A new ransomware strain called ShrinkLocker has emerged, employing sophisticated techniques to encrypt corporate systems using Windows BitLocker. The malware, which targets sectors including government, vaccine, and manufacturing, creates new boot partitions by shrinking available non-boot partitions to execute its attack.

How ShrinkLocker Operates

ShrinkLocker takes its name from its method of creating boot volumes by shrinking existing non-boot partitions. This approach, while not entirely new, has been used to devastating effect in recent attacks. For instance, a hospital in Belgium saw 100TB of data on 40 servers encrypted using BitLocker, and a Moscow-based meat producer experienced similar disruptions.

Unique Features of ShrinkLocker

Unlike previous ransomware strains, ShrinkLocker is written in Visual Basic Scripting (VBScript), a language nearing deprecation but still effective for such malicious activities. The ransomware starts by detecting the Windows version on the target machine using Windows Management Instrumentation (WMI). If the operating system is newer than Vista and matches specific criteria, the attack proceeds; otherwise, the malware deletes itself.

Partition Manipulation and Boot Volume Creation

ShrinkLocker uses the diskpart utility to shrink non-boot partitions by 100MB, then creates new primary volumes in the unallocated space. These new volumes are used to reinstall boot files via the BCDEdit command-line tool, effectively setting up the ransomware’s control.

Figure: ShrinkLocker code for resizing partitions (creating 100MB partitions). Source: Kaspersky

Figure: ShrinkLocker code for re-installing boot files on the new partitions. Source: Kaspersky

Disabling Security Features

To ensure its encryption process is unhindered, ShrinkLocker modifies several registry entries:

  • fDenyTSConnections = 1: Disables Remote Desktop connections
  • scforceoption = 1: Enforces smart card authentication
  • UseAdvancedStartup = 1: Requires a BitLocker PIN for pre-boot authentication
  • EnableBDEWithNoTPM = 1: Allows BitLocker encryption without a TPM chip
  • UseTPM = 2: Allows the use of TPM if available
  • UseTPMPIN = 2: Allows the use of a startup PIN with TPM if available
  • UseTPMKey = 2: Allows the use of a startup key with TPM if available
  • UseTPMKeyPIN = 2: Allows the use of a startup key and PIN with TPM if available
  • EnableNonTPM = 1: Allows BitLocker without a compatible TPM chip; requires a password or a startup key on a USB flash drive
  • UsePartialEncryptionKey = 2: Requires the use of a startup key with TPM
  • UsePIN = 2: Requires the use of a startup PIN with TPM

Lack of Traditional Ransom Note

Interestingly, ShrinkLocker does not leave a traditional ransom note. Instead, it provides contact emails (onboardingbinder[at]proton[dot]me, conspiracyid9[at]protonmail[dot]com) as labels on the new boot partitions. This information can be easily missed unless the system is booted in a recovery environment.

Figure: ShrinkLocker email contact used as the boot volume name. Source: Kaspersky

Deleting BitLocker Protectors

After encrypting the drives, ShrinkLocker deletes the BitLocker protectors, which include TPM, PIN, startup key, password, recovery password, and recovery key. This action prevents victims from recovering their encryption keys, which are sent to the attacker via the TryCloudflare tool.

Figure: ShrinkLocker leaves no recovery options after BitLocker encryption. Source: Kaspersky

Potential for Destruction Over Financial Gain

The absence of a visible ransom note suggests that ShrinkLocker’s primary goal may be destruction rather than financial extortion. Kaspersky has identified multiple variants of ShrinkLocker, indicating its use against various targets in Mexico, Indonesia, and Jordan, including a government entity and companies in the steel and vaccine manufacturing sectors.

Mitigation and Recommendations

To defend against ShrinkLocker and similar threats, organizations using BitLocker should:

  • Ensure secure storage of recovery keys and maintain regular, offline backups.
  • Implement properly configured Endpoint Protection Platforms (EPP) to detect BitLocker abuse.
  • Enable minimal user privileges and maintain robust logging and monitoring for network traffic and script execution.
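One way to turn the registry settings listed earlier and the monitoring advice above into detection logic, as an added example that is not part of the article or of Kaspersky's analysis: it flags a host only when a script host rewrites the BitLocker/RDP policy values in bulk and also spawns the partition and boot tools the article names. The event fields, the script-host parent check and the threshold of six matching writes are assumptions, and the telemetry is constructed.

```python
"""Detect the ShrinkLocker chain over constructed, EDR-style event records."""

# Registry values and data the article says ShrinkLocker writes.
SHRINKLOCKER_REG = {
    "fDenyTSConnections": 1, "scforceoption": 1, "UseAdvancedStartup": 1,
    "EnableBDEWithNoTPM": 1, "UseTPM": 2, "UseTPMPIN": 2, "UseTPMKey": 2,
    "UseTPMKeyPIN": 2, "EnableNonTPM": 1, "UsePartialEncryptionKey": 2,
    "UsePIN": 2,
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # VBScript interpreters
DISK_TOOLS = {"diskpart.exe", "bcdedit.exe"}    # partition / boot-file tools
REG_THRESHOLD = 6   # assumed: matching writes needed to count as a cluster


def score_host(events):
    """Return matched indicators and a verdict for one host's event list."""
    reg_hits = {
        e["value"] for e in events
        if e["type"] == "registry"
        and SHRINKLOCKER_REG.get(e["value"]) == e["data"]
    }
    tool_hits = [
        e["image"] for e in events
        if e["type"] == "process"
        and e["image"].lower() in DISK_TOOLS
        and e.get("parent", "").lower() in SCRIPT_HOSTS
    ]
    # Both legs are required: a bulk policy rewrite AND script-driven
    # partition/boot manipulation. Either alone can be legitimate admin work.
    suspicious = len(reg_hits) >= REG_THRESHOLD and bool(tool_hits)
    return {"registry": sorted(reg_hits), "tools": tool_hits,
            "verdict": "shrinklocker-like" if suspicious else "benign"}


# Constructed sample telemetry: the article's chain on HOST-A, and an
# administrator rolling out a TPM+PIN policy by hand on HOST-B.
HOST_A = [
    {"type": "registry", "value": v, "data": d, "process": "wscript.exe"}
    for v, d in SHRINKLOCKER_REG.items()
] + [
    {"type": "process", "image": "diskpart.exe", "parent": "wscript.exe"},
    {"type": "process", "image": "bcdedit.exe", "parent": "wscript.exe"},
]
HOST_B = [
    {"type": "registry", "value": "UseTPM", "data": 2, "process": "gpupdate.exe"},
    {"type": "registry", "value": "UseTPMPIN", "data": 2, "process": "gpupdate.exe"},
    {"type": "process", "image": "diskpart.exe", "parent": "cmd.exe"},
]

if __name__ == "__main__":
    for name, evts in (("HOST-A", HOST_A), ("HOST-B", HOST_B)):
        print(name, score_host(evts))
```

In production the same logic would be fed from Sysmon or EDR registry-set and process-creation events rather than the inline lists.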

Cristian Souza, an incident response specialist at the Kaspersky Global Emergency Response Team, emphasizes the importance of these measures in mitigating the risk posed by ShrinkLocker and safeguarding critical data.

Source: bleepingcomputer.com