BitLocker recovery screen
In a recent analysis, Kaspersky Lab’s experts have exposed a new ransomware threat named ShrinkLocker, which cleverly exploits Microsoft’s built-in BitLocker encryption tool to hold corporate data hostage. The ransomware, which has already targeted industrial, pharmaceutical, and government organizations, utilizes a sophisticated VBS script to hijack BitLocker, encrypting entire volumes and stealing the decryption keys.
Traditionally, BitLocker is a security feature designed to protect data from theft or exposure in cases of lost or stolen devices. However, Kaspersky’s investigation reveals that threat actors have ingeniously turned this protective feature into a tool for malicious encryption. By deploying an advanced VBS script, attackers are able to encrypt entire volumes and steal decryption keys, effectively holding critical data hostage.
ShrinkLocker ransomware has been detected in various regions, including Mexico, Indonesia, and Jordan. This global spread underscores the broad threat posed by this ransomware. The attackers’ methodology not only maximizes the damage but also complicates incident response efforts.
The attackers’ VBScript, discovered under the filename Disk.vbs, demonstrates a sophisticated approach. Stored in C:\ProgramData\Microsoft\Windows\Templates, the script converts strings to binary representations using an ADODB.Stream object. It employs Windows Management Instrumentation (WMI) to gather information about the operating system and checks for compatibility with various Windows versions, terminating if it detects an unsupported OS like Windows XP, 2000, 2003, or Vista.
The script’s primary function is to resize and partition local drives. It avoids network drives to minimize detection risk. For Windows Server 2008 or 2012, the script uses diskpart to shrink non-boot partitions and create new 100 MB primary partitions, which are then formatted and activated. It uses bcdboot to reinstall boot files on these new partitions, setting the stage for encryption.
Subsequent steps involve disabling Remote Desktop Protocol (RDP) connections, enforcing smart card authentication, and configuring BitLocker settings to allow encryption without a TPM chip. The script generates a complex 64-character encryption key and sends this, along with system information, to the attackers via an HTTP POST request, obfuscating the real destination by using CloudFlare’s legitimate domain.
Kaspersky experts recommend a multi-layered approach to defend against ShrinkLocker:
- Robust Endpoint Protection: Utilize a strong endpoint protection platform (EPP) that can detect and block the ransomware before it executes.
- Managed Detection and Response: Implement an MDR solution to proactively search for and respond to threats like ShrinkLocker.
- Secure BitLocker Implementation: If using BitLocker, ensure strong passwords and securely store recovery keys offline.
- Least Privilege Principle: Limit user privileges to prevent unauthorized encryption and registry changes.
- Network Monitoring: Monitor network traffic for suspicious activity, particularly GET and POST requests that may contain stolen data.
- Regular Backups: Frequently back up data and store copies offline to enable recovery in case of infection.
