‘ShrinkLocker’ ransomware uses BitLocker against you — encryption-craving malware has already been used against governments



BitLocker has been weaponized again by the new “ShrinkLocker” ransomware attack. The attack uses novel methods to make a classic BitLocker attack more pervasive and dangerous than ever before, and it has already been used against governments and manufacturing industries.

Kaspersky, known for its Kaspersky Anti-Virus and class-leading malware research, identified the new strain in Mexico, Indonesia, and Jordan, so far only against enterprise PCs. Attacks using BitLocker, an optional Windows feature that encrypts PC hard drives commonly used in the enterprise world, are not new. But ShrinkLocker is unique thanks to new innovations.

ShrinkLocker uses VBScript, an old Windows scripting language set to be deprecated starting with Windows 11 24H2, to identify the specific Windows OS used by the host PC. A malicious script then runs through the BitLocker setup specific to that operating system, and enables BitLocker accordingly on any PC running Vista or Windows Server 2008 or newer. If the OS is too old, ShrinkLocker deletes itself without a trace.

ShrinkLocker then shrinks all drive partitions by 100MB and uses the stolen space to create a new boot partition, hence “Shrink” Locker. ShrinkLocker also deletes all protectors used to secure the encryption key, making it unrecoverable by the victim later. The script creates a new random 64-character encryption key, sends it and other information about the computer to the attacker, deletes the logs that stored ShrinkLocker’s activity, and finally forces a shut-down of the PC, using the newly created boot partition to fully lock and encrypt all drives on the PC. The PC and every byte of data on it is now fully unusable.

The attack leaves its targets floundering, with bricks for hard drives. The creator of the ShrinkLocker attack must have had an “extensive understanding” of a variety of obscure Windows internals and utilities to craft the attack, which left almost no trace. Kaspersky’s experts could not find any way to identify the source of the attack or the source where information was sent, but they did find the ShrinkLocker script left behind on the single drive of one affected PC that did not have BitLocker configured.

For a ransomware attack, the attacker also did not make it easy to find where to send the ransom in question. The script changes the name of the new boot partitions to the attacker’s email, but this requires more digging to spot than simply editing the BitLocker recovery screen, an easy enough task for a hacker of this caliber. This makes it likely that the attack is focused more on disruption and data destruction than ransom.

IT professionals will already be familiar with mitigation steps for these attacks: Make frequent backups, restrict users’ editing privileges so they cannot edit their BitLocker settings or registries, and seek out high-level EPP or MDR solutions to track and secure your network. Kaspersky obviously suggests their own products for this in their technical report on the attack.

For the full details of the attack and the ShrinkLocker script, Kaspersky has [link hidden by the forum]. While BitLocker is currently only a feature of “Pro” or enterprise Windows releases, [link hidden by the forum] will enable BitLocker for all users starting with Windows 11 24H2, and automatically activate it on reinstallation, so beware of BitLocker attacks making a move to the individual PC world.
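The on-disk traces the article describes (key protectors removed, a partition renamed to an e-mail address, a new partition of about 100 MB) can be checked for in a fleet inventory. The sketch below is an added example, not code from Kaspersky or from the original post; the record fields, host names and sample values are constructed assumptions standing in for whatever volume export your tooling produces.

```python
import re

# Constructed sample inventory; the field names are assumptions for this
# example, not the schema of any real tool.
SAMPLE_VOLUMES = [
    {"host": "ws-014", "label": "Windows", "size_mb": 243000,
     "bitlocker_on": True, "protectors": ["Tpm", "RecoveryPassword"]},
    {"host": "ws-022", "label": "OS", "size_mb": 242900,
     "bitlocker_on": True, "protectors": []},
    {"host": "ws-022", "label": "contact@example.invalid", "size_mb": 100,
     "bitlocker_on": False, "protectors": []},
    # A legitimate small system partition: size alone must not raise a finding.
    {"host": "ws-031", "label": "System Reserved", "size_mb": 100,
     "bitlocker_on": False, "protectors": []},
]

# Volume label that is nothing but an e-mail address.
EMAIL_LABEL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def volume_findings(vol):
    """Return the set of suspicious traits for one volume record."""
    findings = set()
    label = (vol.get("label") or "").strip()
    if EMAIL_LABEL.match(label):
        findings.add("email-label")
        # ~100 MB matches the partition size given in the article.
        if 90 <= vol.get("size_mb", 0) <= 110:
            findings.add("email-label-on-100mb-partition")
    # Encryption on but no key protector left for the owner to recover with.
    if vol.get("bitlocker_on") and not vol.get("protectors"):
        findings.add("encrypted-without-protectors")
    return findings


def triage(volumes):
    """Aggregate findings per host; 'high' when both core traits co-occur."""
    per_host = {}
    for vol in volumes:
        per_host.setdefault(vol["host"], set()).update(volume_findings(vol))
    report = {}
    for host, found in per_host.items():
        if found:
            both = {"email-label", "encrypted-without-protectors"} <= found
            report[host] = ("high" if both else "review", sorted(found))
    return report


if __name__ == "__main__":
    for host, (rating, found) in triage(SAMPLE_VOLUMES).items():
        print(host, rating, ", ".join(found))
```
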




