Unsettlingly, a new ransomware outbreak called “ShrinkLocker” has repurposed BitLocker as a weapon. The technique turns the well-known BitLocker encryption mechanism into a far more potent and widespread weapon. The fact that ShrinkLocker has already been used against manufacturing and governmental organizations indicates a major advancement in ransomware capabilities.
Kaspersky Discovers the Range of ShrinkLocker
Leading cybersecurity company Kaspersky, known for its anti-virus software and innovative malware research, has discovered ShrinkLocker in a number of countries, including Mexico, Indonesia, and Jordan. So far the attacks have focused only on corporate PCs. While BitLocker-based attacks are not new, ShrinkLocker has distinctive features that make it stand out.
The Workings of ShrinkLocker
ShrinkLocker is written in VBScript, an outdated Windows scripting language that will be deprecated with Windows 11 24H2, and first identifies the host computer’s operating system. Having identified the operating system, the script initiates a customized BitLocker setup procedure. On any PC running Windows Vista or Windows Server 2008 or later, this activates BitLocker. If the operating system is too old, ShrinkLocker simply exits.
The script’s next action is to shrink every disk partition by 100MB in order to make room for a new boot partition; hence the name “ShrinkLocker.” After that, it removes every protector holding the encryption key, making it impossible for the victim to recover. A fresh, randomly generated 64-character encryption key is created and sent to the attacker, along with other relevant details about the compromised system. After deleting activity records and forcing a system shutdown, the script locks and encrypts every drive on the computer using the newly created boot partition. As a result, the computer and its contents are totally unreachable.
The Disastrous Effect
ShrinkLocker’s clever attack effectively bricks victims’ hard drives. Because the attack’s designer is so knowledgeable about little-known Windows internals and tools, the malware is extremely covert. Kaspersky’s research could not determine the source of the attack or the final destination of the stolen data. On one compromised PC, however, a ShrinkLocker script that was left behind had not configured BitLocker.
In contrast to other ransomware attacks, ShrinkLocker makes even paying the ransom difficult. It takes more than just looking at the BitLocker recovery screen: the victim has to find the new boot partition, which is renamed to the attacker’s email address. This intricacy raises the possibility that disruption and data destruction, rather than monetary gain, may be ShrinkLocker’s main objectives.
Strategies for Mitigation and Prevention
IT specialists may take the following actions to lessen the threats that ShrinkLocker and related malware pose:
- Regular Backups: To guarantee recovery in the event of an attack, regularly back up important data.
- User Privilege Management: To avoid unwanted modifications, limit users’ access to BitLocker registry entries and settings.
- Advanced Security Solutions: To monitor and safeguard your network, use high-end Endpoint Protection Platforms (EPP) or Managed Detection and Response (MDR) systems.
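The two on-host symptoms the article describes, encrypted volumes whose key protectors have been removed and a boot partition relabelled to an email address, can be audited from an elevated PowerShell prompt. This is an added defensive example, not code from the article or from Kaspersky’s analysis; it assumes the built-in BitLocker and Storage modules are available, and the email-shaped label pattern and the “no recovery password” rule are my own assumptions.

```powershell
# Added audit script (not part of the original article). Run elevated.
# Flags: (1) volumes with encryption in place but no key protectors left,
# (2) volumes with protectors but no recovery password to fall back on,
# (3) volume labels that look like an e-mail address (assumed pattern).

function Get-ShrinkLockerIndicators {
    [CmdletBinding()]
    param(
        # Assumed heuristic: a label shaped like user@domain.tld is suspicious
        [string]$SuspiciousLabelPattern = '^[^@\s]+@[^@\s]+\.[^@\s]+$'
    )

    $findings = @()

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $types.Count -eq 0) {
            # Encryption on (or in progress) with every protector deleted:
            # the only copy of the key may now be in an attacker's hands.
            $findings += [pscustomobject]@{
                MountPoint = $vol.MountPoint
                Indicator  = 'EncryptedWithoutProtectors'
                Detail     = "VolumeStatus=$($vol.VolumeStatus)"
            }
        }
        if ($types.Count -gt 0 -and $types -notcontains 'RecoveryPassword') {
            # Protectors exist but there is no recovery password to escrow.
            $findings += [pscustomobject]@{
                MountPoint = $vol.MountPoint
                Indicator  = 'NoRecoveryPasswordProtector'
                Detail     = "Protectors=$($types -join ',')"
            }
        }
    }

    # The new boot partition is renamed to the attacker's e-mail address,
    # so an address-shaped volume label is worth a ticket on its own.
    foreach ($v in Get-Volume | Where-Object { $_.FileSystemLabel }) {
        if ($v.FileSystemLabel -match $SuspiciousLabelPattern) {
            $findings += [pscustomobject]@{
                MountPoint = if ($v.DriveLetter) { "$($v.DriveLetter):" } else { $v.Path }
                Indicator  = 'EmailAddressVolumeLabel'
                Detail     = "Label=$($v.FileSystemLabel)"
            }
        }
    }
    return $findings
}

Get-ShrinkLockerIndicators | Format-Table -AutoSize
```

Schedule it as a periodic task on fleet endpoints and forward any non-empty result to the SIEM; an empty result on a BitLocker-enabled machine is the expected baseline.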
Kaspersky naturally suggests its own solutions for strong protection in its technical analysis on ShrinkLocker.
The Wider Consequences
An extensive technical study of the script and the ShrinkLocker attack is available from Kaspersky. Although BitLocker is currently found only on “Pro” or corporate editions of Windows, Microsoft intends to make BitLocker available to all users beginning with Windows 11 24H2. With this update BitLocker will be activated automatically upon reinstallation, which may expose more PCs to BitLocker-based attacks.
The weaponization of BitLocker by ShrinkLocker emphasizes the necessity of increased awareness and preventative security measures as ransomware assaults continue to develop. It is imperative for both individuals and enterprises to be well-informed and equipped to tackle complex threats and safeguard data in the ever-more-perilous digital realm.