Cybersecurity experts from Kaspersky have identified a new ransomware strain named ShrinkLocker that uses Microsoft BitLocker to encrypt corporate files and extort payments from victim organizations. The malware has been detected in Mexico, Indonesia, and Jordan, affecting steel and vaccine manufacturers and a government entity.
Technical Mechanisms and Detection
ShrinkLocker employs VBScript to interact with Windows Management Instrumentation, tailoring its attack for various versions of Microsoft operating systems, including Windows Server 2008. The malware performs disk resizing on fixed drives, modifies partitioning and boot setup, activates BitLocker, and encrypts the computer's storage. Kaspersky's report outlines detailed steps for detecting and blocking ShrinkLocker variants.
Attack Process and Impact
Once the attackers have code execution on a victim's machine, they deploy ShrinkLocker. It changes partition labels to the extortionists' email address, giving the victim a way to contact them. The decryption key is sent to a server controlled by the attackers, after which ShrinkLocker deletes the key locally, erasing recovery options and system logs. The compromised system is then shut down, displaying a BitLocker screen stating, “There are no more BitLocker recovery options on your PC”.
Detailed Attack Methodology
ShrinkLocker leverages exported functions from the cryptography DLL ADVAPI32.dll, such as CryptAcquireContextA, CryptEncrypt, and CryptDecrypt, to ensure compatibility across various OS versions. The malware stores its VBScript at C:\ProgramData\Microsoft\Windows\Templates\ as Disk.vbs, which includes a function to convert strings to binary using an ADODB.Stream object. The script checks the operating system name for “xp,” “2000,” “2003,” or “vista” and terminates if any of these are detected.
The script performs disk resizing operations specifically on fixed drives (DriveType = 3) and avoids network drives to prevent detection. For Windows Server 2008 or 2012, the script uses diskpart to shrink non-boot partitions by 100 MB, create new primary partitions, format them, and reinstall boot files. The malware modifies registry entries to disable RDP connections, enforce smart card authentication, and configure BitLocker settings without a compatible TPM chip.
Encryption and Communication
ShrinkLocker generates a 64-character encryption key using a random combination of numbers, letters, and special characters, which is then converted to a secure string for BitLocker. The malware sends an HTTP POST request containing machine information and the generated password to the attacker's server, using the domain trycloudflare.com for obfuscation. The script clears Windows PowerShell and Microsoft-Windows-PowerShell/Operational logs, turns on the system firewall, and deletes all firewall rules.
Preventive Measures
Kaspersky advises organizations to limit user privileges to prevent enabling encryption features or modifying registry keys. For those using BitLocker, it is crucial to use strong passwords and securely store recovery keys. Monitoring VBScript and PowerShell execution events, logging critical system activity to an external repository, and frequently backing up systems and files offline are also recommended. Testing backups ensures they can be recovered in the event of a ransomware attack or other security incidents.
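As an added example (not code from Kaspersky's report or this article), the following Python routine applies the indicators the report describes to process-creation telemetry: a script host running Disk.vbs from the Templates path, diskpart spawned by a script host, the PowerShell operational log being cleared, and a beacon to a trycloudflare.com host. The JSONL record fields, the use of wevtutil for log clearing, and the sample events are assumptions constructed for the example.

```python
import json
import re

# Indicators from the report: VBScript dropped as Disk.vbs under
# ProgramData\...\Templates, diskpart shrinking partitions, the PowerShell
# operational log being cleared, and a beacon to a trycloudflare.com host.
DROP_PATH_RE = re.compile(
    r"\\ProgramData\\Microsoft\\Windows\\Templates\\Disk\.vbs", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries
BEACON_DOMAIN = "trycloudflare.com"
# Assumption: logs are cleared with wevtutil; the report names only the logs.
LOG_CLEAR_RE = re.compile(r"wevtutil(\.exe)?\s+cl\s+.*powershell", re.IGNORECASE)


def score_event(ev: dict) -> list:
    """Return the ShrinkLocker indicators matched by a single event."""
    hits = []
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    parent = ev.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("command_line", "")
    if image in SCRIPT_HOSTS and DROP_PATH_RE.search(cmd):
        hits.append("disk_vbs_from_templates_dir")
    # diskpart normally comes from an admin shell, not from a script host.
    if image == "diskpart.exe" and parent in SCRIPT_HOSTS:
        hits.append("diskpart_spawned_by_script_host")
    if LOG_CLEAR_RE.search(cmd):
        hits.append("powershell_log_cleared")
    host = ev.get("dest_host", "").lower()
    if host == BEACON_DOMAIN or host.endswith("." + BEACON_DOMAIN):
        hits.append("beacon_to_trycloudflare")
    return hits


def triage(jsonl: str) -> dict:
    """Map event id -> matched indicators for each suspicious event in a JSONL feed."""
    alerts = {}
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        hits = score_event(ev)
        if hits:
            alerts[ev["id"]] = hits
    return alerts


# Constructed sample feed (not real telemetry); minimal Sysmon-style fields.
SAMPLE_FEED = r"""
{"id": "e1", "image": "C:\\Windows\\System32\\cscript.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cscript.exe //B C:\\ProgramData\\Microsoft\\Windows\\Templates\\Disk.vbs"}
{"id": "e2", "image": "C:\\Windows\\System32\\diskpart.exe", "parent_image": "C:\\Windows\\System32\\cscript.exe", "command_line": "diskpart.exe /s C:\\Windows\\Temp\\dp.txt"}
{"id": "e3", "image": "C:\\Windows\\System32\\wevtutil.exe", "parent_image": "C:\\Windows\\System32\\cscript.exe", "command_line": "wevtutil.exe cl Microsoft-Windows-PowerShell/Operational"}
{"id": "e4", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\cscript.exe", "command_line": "powershell.exe -c Invoke-WebRequest", "dest_host": "example-tunnel.trycloudflare.com"}
{"id": "e5", "image": "C:\\Windows\\System32\\cscript.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "cscript.exe C:\\Scripts\\inventory.vbs"}
{"id": "e6", "image": "C:\\Windows\\System32\\diskpart.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "diskpart.exe"}
"""
```

Running `triage(SAMPLE_FEED)` flags e1 through e4 and leaves the two benign events (a VBScript from another path, diskpart from an admin shell) unflagged.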