Romanian cybersecurity firm Bitdefender has unveiled a free decryptor tool designed to assist victims of the ShrinkLocker ransomware, enabling them to recover data encrypted by this malware.
The decryptor is the outcome of an extensive analysis of ShrinkLocker’s mechanisms, which allowed Bitdefender researchers to discover a “brief recovery window available right after the removal of protectors from BitLocker-encrypted disks,” opening up an opportunity for data retrieval.
First publicly documented by Kaspersky in May 2024, ShrinkLocker is an unusual ransomware strain: rather than shipping its own encryptor, it uses Microsoft's built-in BitLocker drive encryption to lock victims' drives. It has hit organizations in Mexico, Indonesia, and Jordan, and its reliance on a legitimate operating-system feature complicates both detection and recovery.
Bitdefender’s findings stem from an investigation into a ShrinkLocker attack on an unidentified healthcare organization in the Middle East. The initial infection reportedly originated from a contractor’s machine, underscoring the ongoing trend of attackers exploiting trusted relationships to infiltrate supply chains.
Once inside, the attackers moved laterally to an Active Directory domain controller using the legitimate credentials of a compromised account, then created two scheduled tasks to deploy the ransomware.
In this multi-phase attack, the first scheduled task executed a VBScript named “Check.vbs,” distributing the ransomware across all domain-connected machines. The second task, scheduled to activate two days later, triggered the locally installed ransomware via “Audit.vbs.”
This ransomware successfully encrypted systems running Windows 10, Windows 11, Windows Server 2016, and Windows Server 2019. Notably, the ShrinkLocker variant in question is a modified adaptation of the initial malware strain.
ShrinkLocker stands out due to its simplicity and effectiveness. Written in VBScript, a scripting language that Microsoft is set to phase out by late 2024, this ransomware does not deploy its own encryption algorithm. Instead, it manipulates BitLocker’s native functions to encrypt files, saving attackers the effort of custom encryption development.
The VBScript first collects operating-system and hardware details. On Windows Server, if the BitLocker feature is not installed, it installs it through PowerShell and then attempts a forced reboot via the Win32Shutdown WMI method. Bitdefender's analysis found a bug here: the reboot call fails with a "Privilege Not Held" error, and instead of handling the failure the script keeps retrying, leaving it stuck in a reboot-attempt loop.
Martin Zugec, Bitdefender’s Technical Solutions Director, explained that, “If the server is rebooted manually, such as by an unsuspecting administrator, the script doesn’t resume its activity post-reboot, creating an opportunity to halt the attack mid-process.”
ShrinkLocker generates a per-machine password from system-specific data (network traffic, memory status, and disk usage), sets it as the BitLocker password for the system's drives, and sends it to an attacker-controlled server. After the reboot, the BitLocker pre-boot screen prompts for that password, and the screen displays the threat actor's contact email so the victim can negotiate for it.
Further compounding the system lockout, the ransomware script alters Windows Registry settings, disabling RDP connections, blocking local password logins, deactivating Windows Firewall, and deleting audit logs as part of its concealment efforts.
Bitdefender also noted that ShrinkLocker’s name may mislead, as the “shrink” functionality is limited to legacy Windows versions and does not shrink partitions on current operating systems.
Using a combination of Group Policy Objects (GPOs) and scheduled tasks, ShrinkLocker can encrypt many devices across a network, spending less than 10 minutes per machine, and achieve full domain compromise with minimal effort.
“Proactively monitoring specific Windows event logs can help organizations detect and mitigate potential BitLocker-driven attacks in their initial phases, including instances where attackers are testing their encryption functions,” Zugec advised.
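The following host-side hunt is an added example and is not Bitdefender's tooling or anything from the ShrinkLocker script itself. It looks for the artefacts the article describes on one Windows machine: scheduled tasks that launch a VBScript, activity in the BitLocker management log, cleared audit logs, the registry lockout settings, disabled firewall profiles, and encrypted volumes that lack a recovery-password protector. Assumptions not stated on the page: Security auditing of task creation (event 4698) is enabled; `fDenyTSConnections`, `scforceoption` and `EnableBDEWithNoTPM` are the usual registry values for disabling RDP, forcing smart-card logon and allowing BitLocker without a TPM; and the BitLocker log filter matches on message text rather than fixed event IDs, so tune it against your own baseline.

```powershell
# Added example (not Bitdefender's or ShrinkLocker's code). Run elevated.
function Find-BitLockerRansomIndicators {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $hits = New-Object System.Collections.Generic.List[object]
    function Add-Hit($Source, $Time, $Detail) {
        $hits.Add([pscustomobject]@{ Time = $Time; Source = $Source; Detail = $Detail })
    }

    # 1. Scheduled tasks whose definition launches a VBScript (ShrinkLocker used
    #    Check.vbs to spread and Audit.vbs to fire the local payload).
    #    Security 4698 = "A scheduled task was created"; TaskContent holds the task XML.
    $taskEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $taskEvents) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $name = ($data | Where-Object Name -eq 'TaskName').'#text'
        $body = ($data | Where-Object Name -eq 'TaskContent').'#text'
        if ($body -match '(?i)\.vbs\b|wscript|cscript') {
            Add-Hit 'Security/4698' $e.TimeCreated "Task $name runs a VBScript"
        }
    }
    # Tasks still registered right now, in case the creation event was already purged.
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $t.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match '(?i)\.vbs\b') {
                Add-Hit 'ScheduledTask' (Get-Date) "$($t.TaskPath)$($t.TaskName) -> $cmd"
            }
        }
    }

    # 2. BitLocker management log: protector changes and new encryption runs are
    #    where the attack, and an attacker's test runs, show up first.
    #    Assumption: matching on message text instead of specific event IDs.
    $blEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $blEvents) {
        if ($e.Message -match '(?i)protector|encryption') {
            $firstLine = ($e.Message -split "`n")[0]
            Add-Hit "BitLocker/$($e.Id)" $e.TimeCreated $firstLine
        }
    }

    # 3. Audit log clearing: Security 1102 and System 104 are written when a log is cleared.
    foreach ($spec in @(@{ LogName = 'Security'; Id = 1102 }, @{ LogName = 'System'; Id = 104 })) {
        $spec.StartTime = $Since
        Get-WinEvent -FilterHashtable $spec -ErrorAction SilentlyContinue | ForEach-Object {
            Add-Hit "$($spec.LogName)/$($_.Id)" $_.TimeCreated 'Event log cleared'
        }
    }

    # 4. Registry lockout settings (assumed mechanisms for the behaviour the article describes).
    $checks = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'; Name = 'fDenyTSConnections'; Bad = 1; Why = 'RDP disabled' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'scforceoption'; Bad = 1; Why = 'smart card forced, password logon blocked' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'; Name = 'EnableBDEWithNoTPM'; Bad = 1; Why = 'BitLocker allowed without TPM' }
    )
    foreach ($c in $checks) {
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($v -eq $c.Bad) { Add-Hit 'Registry' (Get-Date) "$($c.Path)\$($c.Name)=$v ($($c.Why))" }
    }

    # 5. Firewall profiles switched off, and encrypted volumes with no recovery password
    #    (an attacker-added password protector with nothing else is the ShrinkLocker end state).
    Get-NetFirewallProfile -ErrorAction SilentlyContinue | Where-Object { $_.Enabled -eq 'False' } | ForEach-Object {
        Add-Hit 'Firewall' (Get-Date) "$($_.Name) profile disabled"
    }
    foreach ($vol in Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $types = @($vol.KeyProtector.KeyProtectorType)
        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and 'RecoveryPassword' -notin $types) {
            Add-Hit 'BitLocker' (Get-Date) "$($vol.MountPoint) protectors [$($types -join ',')] but no recovery password"
        }
    }
    return $hits
}

Find-BitLockerRansomIndicators | Sort-Object Time | Format-Table -AutoSize
```

Each section is independent, so on a host where a log does not exist or auditing is off the corresponding check simply returns nothing. The BitLocker log entries are the earliest signal: a protector removal followed by a new password protector on a domain member is worth paging on even before any ransom note appears.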
To bolster defenses against BitLocker-based ransomware, Bitdefender recommends configuring BitLocker to store recovery keys in Active Directory Domain Services (AD DS). Enforcing policies like “Do not enable BitLocker until recovery information is stored to AD DS for operating system drives” can significantly lower the risk of successful ransomware attacks leveraging BitLocker.
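The check below is an added example, not Bitdefender's code, for verifying that recommendation on a domain-joined machine and forcing an escrow of existing recovery passwords. Assumptions not stated in the article: the policy values are the ones the GPO writes under `HKLM\SOFTWARE\Policies\Microsoft\FVE` (`OSActiveDirectoryBackup`, `OSRequireActiveDirectoryBackup`, `OSRecoveryPassword`; confirm against a `gpresult` export), the ActiveDirectory module is installed, and the running account has been delegated read access to `msFVE-RecoveryInformation` objects.

```powershell
# Added example (not Bitdefender's code): audit and enforce AD DS recovery-key escrow.

function Test-BitLockerAdDsPolicy {
    # Assumed value names written by the BitLocker "Operating System Drives" GPO.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # 1 = "Save BitLocker recovery information to AD DS for operating system drives"
        OSActiveDirectoryBackup        = [int]$p.OSActiveDirectoryBackup
        # 1 = "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives"
        OSRequireActiveDirectoryBackup = [int]$p.OSRequireActiveDirectoryBackup
        # 2 = a 48-digit recovery password is required on OS drives
        OSRecoveryPassword             = [int]$p.OSRecoveryPassword
        Compliant = ([int]$p.OSActiveDirectoryBackup -eq 1) -and ([int]$p.OSRequireActiveDirectoryBackup -eq 1)
    }
}

function Backup-AndVerifyRecoveryKeys {
    # Escrow every recovery-password protector that exists today.
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }
    # Confirm from the directory side: recovery objects are children of the computer object.
    # Only names and timestamps are listed; the password attribute is deliberately not read here.
    Import-Module ActiveDirectory
    $me = Get-ADComputer -Identity $env:COMPUTERNAME
    Get-ADObject -SearchBase $me.DistinguishedName -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties whenCreated |
        Select-Object Name, whenCreated
}

Test-BitLockerAdDsPolicy
Backup-AndVerifyRecoveryKeys
```

One caveat worth stating plainly: escrow protects only protectors that existed and were backed up before the attacker touched the volume. If an attacker removes the recovery-password protector, that escrowed password no longer unlocks the drive, which is why the "do not enable BitLocker until recovery information is stored" policy matters most for drives that were not yet encrypted: it blocks enabling BitLocker with nothing but an attacker-chosen password protector.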