Cybersecurity researchers at Kaspersky have uncovered a new ransomware strain, dubbed "ShrinkLocker", that turns Microsoft's built-in BitLocker drive encryption against its victims.
Instead of bundling its own encryption routine, the malware drives BitLocker to encrypt entire disk volumes and then holds the victims' data for ransom. The findings come from Kaspersky's incident response team, which discovered the threat while investigating a recent attack.
Their analysis describes ShrinkLocker as an advanced Visual Basic script (VBScript) that takes full advantage of BitLocker, a Windows feature originally built to protect data on lost or stolen devices.
"Attackers are constantly finding creative ways to bypass security protections," read the blog post.
In this case the attackers use the native BitLocker feature to encrypt entire volumes and keep the decryption password for themselves. BitLocker exists to address the risk of data theft or exposure from lost, stolen, or improperly decommissioned devices; the threat actors have found that the same mechanism can be repurposed for extortion to great effect. It is clever, but also deeply concerning.
ShrinkLocker first checks that the targeted system meets certain criteria, such as running a supported Windows version. It then uses the built-in utilities diskpart and bcdboot to resize the disk partitions and rewrite the boot files, and encrypts all non-system partitions with BitLocker. Crucially, it deletes the default BitLocker key protectors, so victims cannot regain access through the normal recovery methods.
In their place it creates a long, randomly generated password as the remaining protector and sends it to the attackers together with system details such as the computer name and IP address, so the criminals can match each infected machine to a ransom demand.
The script also covers its tracks by clearing event logs and disabling RDP and firewalls, among other things. After forcing a reboot to complete encryption, the victim is left at a standard BitLocker screen with no recovery options.
While Kaspersky was able to recover some artifacts, including encryption-related strings, the randomized nature of the passwords makes decryption extremely difficult without the attackers' cooperation. So far the actors behind ShrinkLocker remain unknown.
The researchers assess the threat actors as highly skilled, exhibiting deep knowledge of VBScript, Windows internals and various utilities. Their report outlines over a dozen tactics, techniques and procedures used, highlighting ShrinkLocker's technical sophistication.
To guard against such threats, Kaspersky urges organizations to deploy robust endpoint protection, monitor PowerShell activity, log all web traffic and ensure BitLocker recovery keys are securely backed up. End users should also avoid opening untrusted scripts or granting them administrative privileges.
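The recovery-key advice above, and the protector removal described earlier, can both be turned into a routine check. The following PowerShell audit is an added example written for this article; it is not code from Kaspersky's report or from the malware. It walks every BitLocker volume with the standard BitLocker module cmdlets, flags volumes that have no recovery password protector, and flags the layout this article describes for ShrinkLocker (default protectors gone, a lone password protector left). With the assumed -Escrow switch it adds a recovery password and backs it up to Active Directory; the script name, the switch, and the AD DS backup path are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Kaspersky report or the malware):
# audit BitLocker key protectors on every volume and, optionally, escrow
# a recovery password before an attacker can delete the local protectors.
# Assumed usage: .\Audit-BitLockerProtectors.ps1 [-Escrow]
# Requires the BitLocker PowerShell module (Windows 8.1 / Server 2012 R2+).
[CmdletBinding()]
param(
    # Assumption: when set, add a RecoveryPassword protector where none
    # exists and back it up to AD DS (needs the BitLocker recovery schema
    # extension and the policy that permits AD backup in the domain).
    [switch]$Escrow
)

foreach ($vol in Get-BitLockerVolume) {
    # Protector types present on this volume, e.g. Tpm, RecoveryPassword, Password
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $hasRecoveryPassword = $types -contains 'RecoveryPassword'
    $hasTpmProtector     = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
    $isEncrypted         = $vol.VolumeStatus -ne 'FullyDecrypted'

    # The pattern described for ShrinkLocker: the default protectors have been
    # removed and only a password protector (one the victim does not know) is left.
    $passwordOnly = ($types -contains 'Password') -and
                    -not $hasRecoveryPassword -and -not $hasTpmProtector

    $verdict = 'OK'
    if ($isEncrypted -and -not $hasRecoveryPassword) { $verdict = 'NO RECOVERY PASSWORD' }
    if ($isEncrypted -and $passwordOnly)             { $verdict = 'SUSPICIOUS: password-only protector' }

    # One report row per volume; pipe the script to Format-Table or Export-Csv.
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($types -join ',')
        Verdict          = $verdict
    }

    if ($Escrow -and $isEncrypted -and -not $hasRecoveryPassword) {
        # Add a fresh 48-digit recovery password and escrow it to AD DS so the
        # volume can still be unlocked if the local protectors are later deleted.
        $updated = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
        $rp = $updated.KeyProtector |
              Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
              Select-Object -Last 1
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId
    }
}
```

Run it from an elevated prompt on a schedule or from your endpoint management tool and alert on any row whose verdict is not OK. A password-only protector on a volume that normally boots with a TPM is worth an immediate look: while the machine is still running, adding and escrowing a recovery password (the -Escrow path) is exactly the step that keeps the data recoverable after the forced reboot the article describes.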
"By abusing legitimate OS features, ShrinkLocker achieves a new level of stealth and impact."