Bitdefender Releases Decryption Tool for ShrinkLocker Ransomware, Which Abuses BitLocker, to Help Victims

Romanian cybersecurity firm Bitdefender has unveiled a free decryptor to assist victims in recovering data encrypted by the ShrinkLocker ransomware.

The decryptor is the outcome of an extensive examination of ShrinkLocker's internal mechanisms, which enabled researchers to identify a "specific window of opportunity for data recovery immediately after the protectors are removed from BitLocker-encrypted drives."

ShrinkLocker was initially identified in May 2024 by Kaspersky, which discovered the malware's use of Microsoft's native BitLocker tool to encrypt files in extortion attacks targeting Mexico, Indonesia, and Jordan.

Bitdefender, which analyzed a ShrinkLocker incident involving an unnamed healthcare provider in the Middle East, reported that the attack likely originated from a machine operated by a contractor, underscoring the increasing abuse of trusted relationships by threat actors to compromise supply chains.

In the next phase, the attacker moved laterally to an Active Directory domain controller using legitimate credentials for a compromised account, then set up two scheduled tasks to initiate the ransomware process.

The first task executed a Visual Basic Script (“Check.vbs”) to propagate the ransomware across all domain-linked machines, while the second task—scheduled two days later—activated the locally deployed ransomware (“Audit.vbs”).

The attack, according to Bitdefender, successfully encrypted systems running Windows 10, Windows 11, Windows Server 2016, and Windows Server 2019. Notably, the ShrinkLocker variant employed is believed to be a modified version of the original.

Characterized as both straightforward and effective, the ransomware is notable for being coded in VBScript, a scripting language that Microsoft has stated will be deprecated starting in the latter half of 2024. Moreover, rather than implementing its own encryption method, the malware leverages BitLocker to achieve its objectives.

The script first collects system configuration and operating system details, then, on a Windows Server machine, checks whether BitLocker is installed. If BitLocker is not found, it installs the feature using a PowerShell command and then forces a reboot via Win32Shutdown.

ShrinkLocker Ransomware

However, Bitdefender reported a bug in this step: the reboot attempt fails with a "Privilege Not Held" error, and the VBScript then enters an infinite loop.

“Even if the server is manually rebooted (for instance, by an unsuspecting administrator), the script lacks a mechanism to resume execution after the reboot, which means the attack could be halted or disrupted,” said Martin Zugec, technical solutions director at Bitdefender.

The ransomware is programmed to generate a random password based on system-specific data, including network traffic, system memory, and disk activity, using this password to encrypt the system’s drives.

This unique password is then sent to a server under the attacker’s control. After a restart, the user is prompted to enter the password to unlock the encrypted drive, with the BitLocker screen displaying the attacker’s contact email to facilitate payment for the password.

Furthermore, the script applies several Registry modifications to limit system access by disabling remote RDP connections and blocking local password-based logins. As part of its cleanup, it also disables Windows Firewall rules and deletes audit files.

Bitdefender also highlighted that the name ShrinkLocker is misleading, as the “shrink” feature is largely restricted to legacy Windows systems and does not actually reduce partition sizes on current operating systems.

“Using a combination of Group Policy Objects (GPOs) and scheduled tasks, the ransomware can encrypt multiple devices across a network in as little as 10 minutes per machine,” Zugec observed. “Consequently, it requires minimal effort to achieve complete domain compromise.”

“Proactive monitoring of specific Windows event logs enables organizations to detect and mitigate potential BitLocker attacks in their initial stages, such as when attackers test encryption capabilities.”

“By configuring BitLocker to store recovery information in Active Directory Domain Services (AD DS) and enforcing the policy ‘Do not enable BitLocker until recovery information is stored to AD DS for operating system drives,’ organizations can significantly reduce the risk of attacks leveraging BitLocker.”
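As an added example (not Bitdefender's tooling and not code from the article), the following PowerShell audits a domain-joined host against the two controls quoted above: it reads the registry values the OS-drive recovery GPO writes (the value names OSActiveDirectoryBackup and OSRequireActiveDirectoryBackup are assumed from the policy template; verify against your GPO), compares the OS volume's recovery-password protector IDs with the msFVE-RecoveryInformation objects stored under the computer account, confirms the BitLocker management event log is enabled, and escrows any recovery password AD DS does not yet hold. It assumes an elevated session with the BitLocker and RSAT ActiveDirectory modules available.

```powershell
# Added example, not Bitdefender's code: audit BitLocker recovery escrow in AD DS.
# Assumes: elevated session, domain-joined host, RSAT ActiveDirectory module.
Import-Module BitLocker
Import-Module ActiveDirectory

# Registry values written by "Choose how BitLocker-protected operating system
# drives can be recovered" (assumed value names; verify against your GPO).
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$backupToAd = [int]$fve.OSActiveDirectoryBackup        -eq 1   # save recovery info to AD DS
$requireAd  = [int]$fve.OSRequireActiveDirectoryBackup -eq 1   # do not enable BitLocker until stored

# Recovery-password protectors on the OS volume. ShrinkLocker removes existing
# protectors and sets its own password, so an escrowed copy of these is what
# lets an organisation recover without paying.
$osVol = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
$recoveryIds = @($osVol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { $_.KeyProtectorId })

# msFVE-RecoveryInformation objects sit directly under the computer object; their
# msFVE-RecoveryGuid octet string is the protector ID, so compare as GUIDs.
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$escrowedIds = @(Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -SearchBase $computerDn -SearchScope OneLevel -Properties 'msFVE-RecoveryGuid' |
    ForEach-Object { ([guid][byte[]]$_.'msFVE-RecoveryGuid').ToString('B') })

# -notcontains compares strings case-insensitively, so {ABC} matches {abc}.
$missing = @($recoveryIds | Where-Object { $escrowedIds -notcontains $_ })

# The log that records BitLocker protector and encryption activity must be on
# for the "proactive monitoring" quoted above to see anything.
$mgmtLog = Get-WinEvent -ListLog 'Microsoft-Windows-BitLocker-API/Management'

[pscustomobject]@{
    Computer                   = $env:COMPUTERNAME
    OsVolume                   = $osVol.MountPoint
    ProtectionStatus           = $osVol.ProtectionStatus
    RecoveryPasswordProtectors = $recoveryIds.Count
    EscrowedInAdDs             = $recoveryIds.Count - $missing.Count
    PolicyBackupToAdDs         = $backupToAd
    PolicyRequireAdDsBackup    = $requireAd
    BitLockerMgmtLogEnabled    = $mgmtLog.IsEnabled
}

# Defensive fix: escrow every recovery password that AD DS does not yet hold.
foreach ($id in $missing) {
    Backup-BitLockerKeyProtector -MountPoint $osVol.MountPoint -KeyProtectorId $id
}
```

Run it across the estate (for example via a remoting session or a scheduled job) and treat any host reporting EscrowedInAdDs below RecoveryPasswordProtectors, or either policy flag false, as a finding to remediate before an incident rather than after.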

Source: TheHackerNews