Today > | 4 High | 23 Medium vulnerabilities   -   You can now download lists of IOCs here!

ShrinkLocker Malware: Abusing BitLocker to Lock Your Data

Sept. 17, 2024, 11:28 a.m.

Description

ShrinkLocker is a new ransomware strain that exploits Windows BitLocker to encrypt targeted data. Unlike typical ransomware, it abuses this legitimate feature to create a secure boot partition, locking users out unless a ransom is paid. The malware performs system checks, modifies registry entries, disables RDP, enforces smart card authentication, and alters BitLocker settings. It shrinks disk partitions, formats new ones, and reconfigures boot files. ShrinkLocker generates a random encryption key using system parameters and exfiltrates data to a C2 server. It also attempts to erase traces by deleting logs, firewall rules, and scheduled tasks. This sophisticated approach complicates decryption efforts and system recovery.

Date

Published: Sept. 17, 2024, 11:15 a.m.

Created: Sept. 17, 2024, 11:15 a.m.

Modified: Sept. 17, 2024, 11:28 a.m.

Indicators

32f31b35179bbff9ca9dd21b43bfc3e585baafedde523bd3e4869400ab0362cb

d4f2c5b21e96cfef0fc4e5acb6bde30113d1c8c7522f35d99102de886ed337b3

Attack Patterns

ShrinkLocker

T1562.004

T1070.001

T1053.005

T1491

T1486

T1070

T1485

T1112

T1041