New ShrinkLocker ransomware uses BitLocker to encrypt your files


May 24, 2024 at 11:01AM

ShrinkLocker is a new ransomware strain that utilizes Windows BitLocker to encrypt systems by creating new boot volumes. It employs previously unreported features to maximize the attack’s damage and targets specific Windows versions. The malware modifies registry entries and denies recovery options, indicating a destructive intent rather than financial gain. Kaspersky advises on securing recovery keys and maintaining offline backups.

Key takeaways from the article:

1. ShrinkLocker is a new ransomware strain that shrinks existing partitions to carve out a new boot partition (hence the name) and then encrypts corporate systems with Windows BitLocker.
2. It targets organizations in the government, vaccine, manufacturing, and steel sectors.
3. ShrinkLocker is written in Visual Basic Scripting and has previously unreported capabilities to maximize the damage of the attack.
4. It modifies registry entries to disable remote desktop connections or enable BitLocker encryption on hosts without a Trusted Platform Module (TPM).
5. The threat actor behind ShrinkLocker leaves a contact email address as the volume label of the new boot partitions instead of dropping a ransom note where a victim would readily see it.
6. ShrinkLocker deletes BitLocker protectors to deny victims any options to recover the encryption key.
7. The malware sends the generated encryption key to the attacker's server through TryCloudflare, a legitimate tunnelling service intended for developers.
8. After the encryption process, the malware forces the system to shut down, leaving the user with the drives locked and no recovery options.
9. The attacks seem to be meant for destruction rather than financial gain, as the ransom note is not easily seen and the email is simply left as a drive label.

Organizations using BitLocker are advised to store recovery keys securely (for example, escrowed in Active Directory rather than only on the host), maintain regular offline backups, and use a properly configured Endpoint Protection Platform that can detect BitLocker abuse. Logging and monitoring of network traffic and script execution should also be enabled, since the attack is driven by a VBScript that contacts an external server.
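The checks below are an added example written for this page, not code from the article or from Kaspersky. They cover the two host-side traces the takeaways describe (the registry changes that disable Remote Desktop and permit BitLocker without a TPM, and volumes left without a recovery-password protector) and the recommended key escrow. The registry value names (EnableBDEWithNoTPM, fDenyTSConnections) are the standard Windows policy values; the article itself does not name them.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's or Kaspersky's code. Audits a host for the
# registry state ShrinkLocker leaves behind, lists BitLocker volumes that have
# no recovery password protector, and escrows recovery passwords to AD.
Import-Module BitLocker

function Test-ShrinkLockerRegistryTampering {
    $findings = @()
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # "Allow BitLocker without a compatible TPM". The key is usually absent on
    # managed hosts, which is why the script has to switch it on itself.
    $noTpm = (Get-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -ErrorAction SilentlyContinue).EnableBDEWithNoTPM
    if ($noTpm -eq 1) { $findings += "EnableBDEWithNoTPM=1 under $fve" }

    # fDenyTSConnections=1 blocks Remote Desktop. On its own this is a weak
    # signal (it is the default on client editions); it matters on servers
    # where RDP was expected, and in combination with the FVE change.
    $denyRdp = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    if ($denyRdp -eq 1) { $findings += "fDenyTSConnections=1 under $ts" }

    return $findings
}

function Get-VolumesWithoutRecoveryPassword {
    # Volumes that are encrypted or encrypting but carry no RecoveryPassword
    # protector: the state a victim is left in once the protectors are deleted.
    Get-BitLockerVolume | Where-Object {
        $_.VolumeStatus -ne 'FullyDecrypted' -and
        -not ($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    } | Select-Object MountPoint, VolumeStatus, ProtectionStatus
}

function Backup-RecoveryPasswordsToAD {
    # Escrow every recovery password protector to Active Directory. Requires the
    # "Store BitLocker recovery information in AD DS" policy; do this before an
    # incident, because a deleted protector has nothing left to back up.
    foreach ($vol in Get-BitLockerVolume) {
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        foreach ($kp in $rp) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
        }
    }
}

$tamper = Test-ShrinkLockerRegistryTampering
if ($tamper) {
    Write-Warning ("Registry state consistent with ShrinkLocker: " + ($tamper -join '; '))
}

$exposed = Get-VolumesWithoutRecoveryPassword
if ($exposed) {
    Write-Warning 'BitLocker volumes without a RecoveryPassword protector:'
    $exposed | Format-Table -AutoSize
}

# Uncomment on domain-joined hosts where AD escrow is permitted by policy.
# Backup-RecoveryPasswordsToAD
```

Run it from an elevated PowerShell session as part of a scheduled baseline, not only during an investigation: the value of the protector check is in catching a volume that lost its recovery password while the key is still recoverable, and the escrow step only helps if it ran before the protectors were removed.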

