ShrinkLocker Malware: Abusing BitLocker to Lock Your Data

Sept. 17, 2024, 11:28 a.m.

Description

ShrinkLocker is a new ransomware strain that abuses the legitimate Windows BitLocker feature to encrypt targeted data. Rather than shipping its own encryption routine, it repurposes BitLocker to create a new boot partition protected by a key the victim does not hold, locking users out unless a ransom is paid. The malware performs system checks, modifies registry entries, disables RDP, enforces smart card authentication, and alters BitLocker settings. It shrinks existing disk partitions, formats new ones, and reconfigures the boot files. ShrinkLocker generates a random encryption key from system parameters and sends it to a C2 server. It then attempts to cover its tracks by deleting logs, firewall rules, and scheduled tasks. Because the key never stays on the host and the original BitLocker protectors are removed, this approach complicates both decryption efforts and system recovery.

Date

Published: Sept. 17, 2024, 11:15 a.m.

Created: Sept. 17, 2024, 11:15 a.m.

Modified: Sept. 17, 2024, 11:28 a.m.

Indicators (SHA-256 file hashes)

32f31b35179bbff9ca9dd21b43bfc3e585baafedde523bd3e4869400ab0362cb

d4f2c5b21e96cfef0fc4e5acb6bde30113d1c8c7522f35d99102de886ed337b3

Attack Patterns

ShrinkLocker (MITRE ATT&CK techniques)

T1562.004 - Impair Defenses: Disable or Modify System Firewall

T1070.001 - Indicator Removal: Clear Windows Event Logs

T1053.005 - Scheduled Task/Job: Scheduled Task

T1491 - Defacement

T1486 - Data Encrypted for Impact

T1070 - Indicator Removal

T1485 - Data Destruction

T1112 - Modify Registry

T1041 - Exfiltration Over C2 Channel