ShrinkLocker Malware: Abusing BitLocker to Lock Your Data
Sept. 17, 2024, 11:28 a.m.
Description
ShrinkLocker is a new ransomware strain that abuses Windows BitLocker, a legitimate full-disk encryption feature, to encrypt targeted data. Unlike typical ransomware, it does not bring its own encryption routine; it uses BitLocker to create a secure boot partition and locks users out of the system unless a ransom is paid. Before encrypting, the malware performs system checks, modifies registry entries, disables RDP, enforces smart card authentication, and alters BitLocker settings. It then shrinks existing disk partitions, formats new ones, and reconfigures the boot files. ShrinkLocker generates a random encryption key from system parameters and exfiltrates data to a C2 server. It also attempts to erase its traces by deleting logs, firewall rules, and scheduled tasks. This approach complicates both decryption and system recovery.
Date
Published: Sept. 17, 2024, 11:15 a.m.
Created: Sept. 17, 2024, 11:15 a.m.
Modified: Sept. 17, 2024, 11:28 a.m.
Indicators
32f31b35179bbff9ca9dd21b43bfc3e585baafedde523bd3e4869400ab0362cb
d4f2c5b21e96cfef0fc4e5acb6bde30113d1c8c7522f35d99102de886ed337b3
Attack Patterns
ShrinkLocker
T1562.004 (Impair Defenses: Disable or Modify System Firewall)
T1070.001 (Indicator Removal: Clear Windows Event Logs)
T1053.005 (Scheduled Task/Job: Scheduled Task)
T1491 (Defacement)
T1486 (Data Encrypted for Impact)
T1070 (Indicator Removal)
T1485 (Data Destruction)
T1112 (Modify Registry)
T1041 (Exfiltration Over C2 Channel)