A newly observed ransomware strain, known as ShrinkLocker, uses the BitLocker full-volume encryption feature built into Windows to encrypt victims' data.

BitLocker is a full-volume encryption feature introduced in 2007 with the launch of Windows Vista. Users rely on it to encrypt entire hard drives so that the data cannot be read or tampered with by an adversary who gains physical access to the disk. Starting with Windows 10, BitLocker has defaulted to 128-bit or 256-bit XTS-AES, which adds protection against attacks that manipulate ciphertext to cause predictable changes in the plaintext.

Recent findings from cybersecurity firm Kaspersky show that threat actors have been using BitLocker to encrypt data on systems in Mexico, Indonesia, and Jordan. The researchers named the new strain “ShrinkLocker” because of its reliance on BitLocker and its habit of shrinking non-boot partitions by 100 MB and then splitting the freed space into new primary partitions of equal size.

In remarks made on Friday, the researchers asserted, “Our investigations into incidents and analyses of malicious software indicate that threat actors are continually refining their strategies to circumvent detection. In this particular occurrence, we noted the illicit use of the inherent BitLocker functionality for data encryption.”

ShrinkLocker is not the first malware to abuse BitLocker. In 2022, Microsoft disclosed that ransomware attackers affiliated with Iran had likewise used the tool to encrypt files. The same year, the Russian agricultural company Miratorg was hit by a ransomware attack that used BitLocker to lock files stored on the system storage of affected devices.

Once it has gained access to a system, ShrinkLocker runs a Visual Basic script (VBScript) that queries Windows Management Instrumentation (WMI), specifically the Win32_OperatingSystem class, to collect details about the operating system.

“The script cross-references each object in the query results with the current domain. If a disparity is identified, the script automatically ceases. Subsequently, it verifies if the OS name contains ‘xp,’ ‘2000,’ ‘2003,’ or ‘vista.’ Should a match be found, the script halts and erases itself,” the Kaspersky researchers wrote.

[Image: initial execution conditions. Credit: Kaspersky]

The script then uses WMI to extract further OS-related data and carries out disk-resizing operations whose specifics vary with the detected OS version. The ransomware limits these operations to local, fixed drives, possibly to avoid triggering network security mechanisms.

Next, ShrinkLocker disables the protectors that secure the BitLocker encryption key and then deletes them altogether. It then enables a numerical password, which serves both as a protector against anyone else regaining control of BitLocker and as the encryptor for system data. Removing the default protectors eliminates any possibility that the device owner could recover the key. The ransomware then generates a 64-character encryption key through a process of random multiplication and substitution of:

  • A combination of the numbers 0–9;
  • The well-known pangram “The quick brown fox jumps over the lazy dog,” in both lowercase and uppercase, which together cover every letter of the English alphabet;
  • Diverse special characters.

After several further steps, the data is encrypted. On the next reboot, the screen changes to the following:

[Image: the BitLocker recovery screen. Credit: Kaspersky]

Decrypting the drives without the attacker's key is extremely difficult, if not impossible. Some passphrases and fixed values used in key generation may be recoverable, but the script uses distinct, non-trivial variable values that are unique to each infected device, which makes recovery arduous.

There are no dedicated defenses that specifically thwart a successful ShrinkLocker attack; Kaspersky recommends the following general countermeasures:

  • Deploy robust, properly configured endpoint protection to detect attempts to abuse BitLocker;
  • Implement Managed Detection and Response (MDR) solutions for active threat monitoring;
  • Where BitLocker is enabled, enforce strong password complexity and store recovery keys securely;
  • Restrict users to minimal privileges so they cannot enable encryption features or change registry entries on their own;
  • Enable network traffic monitoring and logging, covering both GET and POST requests. After an incident, requests directed toward the attacker’s domain may contain the passwords or keys;
  • Monitor VBS execution and PowerShell-related events, and store logs of executed scripts and commands in an external repository so that local deletion cannot erase the activity record;
  • Make regular backups, store them offline, and verify that they can actually be restored.
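As an added example (not Kaspersky's code and not part of the malware), the following PowerShell audit puts two of the points above into practice: it flags local fixed volumes whose BitLocker key protectors match the post-infection state described earlier (TPM and recovery-password protectors removed, only a Password protector left) and lists recent wscript/cscript launches from the Security log. It assumes an elevated session, the BitLocker PowerShell module, and that Audit Process Creation (event 4688) is enabled; the CommandLine field is only populated when the process-creation command-line audit policy is also on.

```powershell
# Added defensive audit, not code from Kaspersky or ShrinkLocker.
# Assumes: elevated session, BitLocker module, Security-log auditing of event 4688.

function Test-BitLockerProtectorTampering {
    # ShrinkLocker only touches local fixed drives, so restrict the audit to those.
    $fixed = Get-Volume |
        Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
        ForEach-Object { [string]$_.DriveLetter }

    foreach ($vol in Get-BitLockerVolume) {
        $letter = $vol.MountPoint.TrimEnd(':', '\')
        if ($fixed -notcontains $letter) { continue }

        $types       = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $hasRecovery = $types -contains 'RecoveryPassword'
        $hasTpm      = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
        $hasPassword = $types -contains 'Password'

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            # A Password protector with the default protectors gone is the
            # combination described in the article; review any volume flagged here.
            Suspicious       = ($hasPassword -and -not $hasRecovery -and -not $hasTpm)
        }
    }
}

function Get-RecentScriptHostLaunches {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $proc = ($data | Where-Object { $_.Name -eq 'NewProcessName' }).'#text'
        if ($proc -match '\\[wc]script\.exe$') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Process     = $proc
                # Empty unless the command-line audit policy is enabled.
                CommandLine = ($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
            }
        }
    }
}

Test-BitLockerProtectorTampering | Format-Table -AutoSize
Get-RecentScriptHostLaunches    | Format-Table -AutoSize
```

Run it periodically from a scheduled task and ship the output to a remote collector, since the article notes that the script deletes local traces of itself.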

The report also provides indicators of compromise that organizations can use to determine whether they have been targeted by ShrinkLocker.

Image credits: Getty Images