A newly discovered ransomware called ShrinkLocker has been found to exploit the BitLocker feature in Windows operating systems to encrypt victim data. BitLocker, which was introduced in 2007 with Windows Vista, is a full-volume encryptor that allows users to encrypt entire hard drives to protect data from unauthorized access. Since the release of Windows 10, BitLocker has used the 128-bit and 256-bit XTS-AES encryption algorithm, making it more resistant to attacks that manipulate cipher text.
Security researchers from Kaspersky recently identified a threat actor using BitLocker to encrypt data on systems in Mexico, Indonesia, and Jordan. They named the ransomware ShrinkLocker because it not only uses BitLocker, but also shrinks the size of each non-boot partition and creates new partitions with the unallocated space. This tactic is likely used to evade detection and make recovery more difficult.
ShrinkLocker is not the first ransomware to exploit BitLocker. In 2022, Microsoft reported that ransomware attackers associated with Iran used BitLocker to encrypt files. There have also been instances where BitLocker was used by attackers to encrypt files stored in the system storage of infected devices.
Once ShrinkLocker is installed on a device, it runs a VisualBasic script that gathers information about the operating system using Windows Management Instrumentation (WMI) and the Win32_OperatingSystem class. The script checks if the current domain is different from the target and, if so, finishes automatically. It also checks if the operating system name contains certain keywords and if the Windows version matches any of them. If the conditions are met, the script finishes and deletes itself.
The script then uses WMI to perform disk resizing operations, which vary depending on the detected OS version. These operations are only performed on local, fixed drives and not network drives to avoid triggering network detection protections. Eventually, ShrinkLocker disables protections for the BitLocker encryption key, deletes them, and enables a numerical password as an additional layer of protection. The script then generates a unique 64-character encryption key using random multiplication and replacement of variables, including numbers, the pangram “The quick brown fox jumps over the lazy dog,” and special characters.
After several steps, the victim’s data is encrypted, and the next time the device reboots, the BitLocker recovery screen is displayed. Decrypting the drives without the attacker’s key is challenging, as the script uses unique variable values that are difficult to recover.
To protect against ShrinkLocker and other threats that exploit BitLocker, Kaspersky recommends the following measures:
1. Use robust and properly configured endpoint protection to detect and prevent BitLocker abuse.
2. Implement Managed Detection and Response (MDR) to proactively scan for threats on endpoints.
3. Ensure that BitLocker is enabled with a strong password and store the recovery keys securely.
4. Limit user privileges to prevent unauthorized encryption or changes to registry keys.
5. Enable network traffic logging and monitoring, including logging GET and POST requests. These requests may contain passwords or keys in case of an infection.
6. Monitor for events related to Visual Basic Script (VBS) execution and PowerShell, and store the logged scripts and commands in an external repository for analysis.
7. Regularly backup data, store backups offline, and regularly test the restoration process.
In conclusion, the discovery of ShrinkLocker highlights the evolving tactics used by threat actors to evade detection and encrypt victim data. By leveraging BitLocker, attackers can increase their chances of success and make recovery more challenging for the victims. It is crucial for organizations to implement robust security measures and best practices to protect against such threats and ensure the safety of their data.
Source link