New ShrinkLocker ransomware uses BitLocker to encrypt your files


Cybersecurity researchers have uncovered a new ransomware strain that abuses Windows BitLocker to lock victims out of their devices.

As reported by BleepingComputer, Cybersecurity researchers dubbed the new ransomware ShrinkLocker because once it hits, it shrinks available non-boot partitions by 100 MB and creates new primary boot volumes of the same size. Then it uses BitLocker, a full disk encryption feature included with some versions of Microsoft Windows, to encrypt the files on the target endpoint.

A new ransomware strain called ShrinkLocker
A new ransomware strain called ShrinkLocker

It has so far been seen hitting government agencies, and firms in manufacturing and pharmaceuticals.

BitLocker – Maximum damage

For the uninitiated, BitLocker is a legitimate Windows feature, designed to protect data by providing encryption for entire volumes.

ShrinkLocker is not the first ransomware variant that uses BitLocker to encrypt the systems. BleepingComputer stressed that a hospital in Belgium was struck with a ransomware strain that used BitLocker to encrypt 100TB of data on 40 servers, and in 2022, a meat producer and distributor in Russia called Miratorg Holding, suffered a similar fate.

ShrinkLocker creating 100MB partitions
ShrinkLocker creating 100MB partitions

But ShrinkLocker also comes “with previously unreported features to maximize the damage of the attack,” Kaspersky warned. Among other things, the encryptor does not drop a ransom note, which is standard practice. Instead, it labels new boot partitions as email addresses, likely inviting the victims to try and communicate that way.

Furthermore, following the successful encryption, the ransomware will delete all BitLocker protectors, denying the victims any options to recover the BitLocker encryption key.

So far, the unnamed threat actors compromised systems belonging to steel and vaccine manufacturing organizations in Mexico, Indonesia, and Jordan.

How to protect your data?

Cybersecurity researchers recommend the following mitigation measures to prevent attackers:

PHUCBINH GROUP provides technology solutions
PHUCBINH GROUP provides technology solutions
  • Use robust, properly configured security software to detect threats that try to abuse BitLocker.
  • Limit user privileges to prevent unauthorized enabling of encryption features or modification of registry keys.
  • Enable network traffic logging and monitoring, capturing both GET and POST requests, as infected systems may transmit passwords or keys to attacker domains.
  • Saving logged scripts and commands to an external repository for activity retention despite local erasure.

PHUCBINH GROUP provides technology solutions: IT infrastructure upgrade, server & storage and network maintenance.

5/5 - (1 vote)