November 13, 2024 at 09:24AM
Bitdefender has released a free decryptor for the ShrinkLocker ransomware, which abuses Windows' built-in BitLocker to encrypt victims' drives. Despite its low sophistication, it has caused significant damage in attacks on organizations, including at least one healthcare provider. The decryptor can recover data when it is run promptly after the attack, and it only works against the specific BitLocker configuration that ShrinkLocker leaves behind.
### Key Takeaways
1. **Release of Decryptor**: Bitdefender has launched a free decryptor for the ShrinkLocker ransomware, which encrypts files using Windows BitLocker.
2. **Background on ShrinkLocker**:
– First documented by Kaspersky in May 2024, ShrinkLocker is less sophisticated than most ransomware families but can still be damaging.
– It is written in VBScript, a legacy scripting technology, and shows signs of a low-skilled operator: redundant code, typos, and log files left behind on the victim's machines.
3. **Significant Attack Example**: In one notable attack on a healthcare organization, multiple systems (Windows 10, Windows 11, and Windows Server) were locked, and the resulting loss of access had a potential impact on patient care.
4. **Ransomware Mechanism**:
– ShrinkLocker encrypts drives with Windows' built-in BitLocker, using a randomly generated password that the victim never receives, so normal BitLocker recovery is not possible.
– It queries WMI to check whether BitLocker is available, removes the default key protectors, and modifies Group Policy settings so that it spreads to other machines on the network.
5. **Decryption Process**:
– The decryptor is most effective immediately after the attack, because it relies on a specific recovery window that closes over time.
– To run it, the victim boots the affected machine into the BitLocker recovery screen, opens a command prompt from there, and launches the decryptor.
– It is compatible only with Windows 10, Windows 11, and recent Windows Server versions.
6. **Operational Notes**:
– Decryption time varies with the system's hardware and the encryption settings in use.
– Once the drive is unlocked, the decryptor disables smart card-based authentication on it.
– It will not work on volumes whose BitLocker password was set by any other means; it is tied to the specific configuration ShrinkLocker creates.
7. **Call to Action**: ShrinkLocker victims are encouraged to download and run the decryptor as soon as possible, since the chances of data recovery drop the longer they wait.
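As an added example, and not code from the Bitdefender article, the decryptor, or the ShrinkLocker script itself, the following PowerShell audits the BitLocker state that takeaway 4 describes the ransomware tampering with. It enumerates key protectors through the same WMI class (Win32_EncryptableVolume) that BitLocker exposes to scripts, and flags a protected volume that has neither a TPM protector nor a recovery password, which is the shape a drive takes after its default protectors are replaced by an attacker-chosen password. The detection heuristic and the policy check at the end are this example's own assumptions about what a tampered host looks like; the FVE registry value names are the documented BitLocker policy settings, and the page does not say which of them ShrinkLocker touches.

```powershell
# Added example: audit BitLocker protectors and policy on a Windows host.
# Not part of the article, the Bitdefender decryptor, or ShrinkLocker.
# Run in an elevated PowerShell on Windows 10/11 or Windows Server.

$ns = 'root/CIMV2/Security/MicrosoftVolumeEncryption'

# Names for the KeyProtectorType values returned by GetKeyProtectorType
$protectorName = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key'; 3 = 'Numerical (recovery) password'
    4 = 'TPM+PIN'; 5 = 'TPM+startup key'; 6 = 'TPM+PIN+startup key'
    7 = 'Public key (certificate/smart card)'; 8 = 'Passphrase'; 9 = 'TPM certificate'; 10 = 'SID'
}

function Get-VolumeProtectorTypes($vol) {
    # KeyProtectorType 0 asks for every protector on the volume
    $ids = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
            -Arguments @{ KeyProtectorType = 0 }).VolumeKeyProtectorID
    foreach ($id in @($ids)) {
        $t = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorType `
              -Arguments @{ VolumeKeyProtectorID = $id }).KeyProtectorType
        $protectorName[[int]$t]
    }
}

$findings = @()

foreach ($vol in Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume) {
    $types = @(Get-VolumeProtectorTypes $vol)
    # ProtectionStatus: 0 = off, 1 = on, 2 = unknown (typical for a locked volume)
    '{0,-4} ProtectionStatus={1} Protectors={2}' -f $vol.DriveLetter, $vol.ProtectionStatus, ($types -join ', ')

    # Heuristic (assumption of this example): a protected volume with no
    # TPM-based protector and no recovery password is not something an
    # administrator normally configures; it matches a drive locked with a
    # password only the attacker knows.
    $hasTpm = ($types -match '^TPM').Count -gt 0
    if ($vol.ProtectionStatus -eq 1 -and -not $hasTpm -and
        $types -notcontains 'Numerical (recovery) password') {
        $findings += "$($vol.DriveLetter) is protected without a TPM or recovery password ($($types -join ', '))"
    }
}

# Policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE that govern whether
# BitLocker can be turned on without a TPM and whether OS-drive recovery keys
# must be escrowed to AD DS before encryption starts. Checking them is this
# example's suggestion, not a step from the article.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($fve.EnableBDEWithNoTPM -eq 1) {
    $findings += 'Policy allows BitLocker without a TPM (EnableBDEWithNoTPM=1)'
}
if ($fve.OSRequireActiveDirectoryBackup -ne 1) {
    $findings += 'Policy does not require OS-drive recovery keys to be backed up to AD DS (OSRequireActiveDirectoryBackup)'
}

if ($findings.Count -gt 0) {
    Write-Warning 'BitLocker state needs review:'
    $findings | ForEach-Object { Write-Warning "  $_" }
} else {
    'BitLocker configuration looks normal.'
}
```

Run it on a known-good build to learn what the normal protector set looks like in your environment before treating a finding as an incident; a data volume legitimately protected by a passphrase alone will also trip the heuristic. Requiring AD DS escrow of recovery keys is the control that turns a ShrinkLocker-style lockout into a recoverable event, because the attacker's protector replacement does not remove a key that was already backed up to the directory.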