ShrinkLocker Malware: Abusing BitLocker to Lock Your Data

Sept. 17, 2024, 11:28 a.m.

Description

ShrinkLocker is a new ransomware strain that exploits Windows BitLocker to encrypt targeted data. Unlike typical ransomware, it abuses this legitimate feature to create a secure boot partition, locking users out unless a ransom is paid. The malware performs system checks, modifies registry entries, disables RDP, enforces smart card authentication, and alters BitLocker settings. It shrinks disk partitions, formats new ones, and reconfigures boot files. ShrinkLocker generates a random encryption key using system parameters and exfiltrates data to a C2 server. It also attempts to erase traces by deleting logs, firewall rules, and scheduled tasks. This sophisticated approach complicates decryption efforts and system recovery.

External References

https://www.splunk.com/en_us/blog/security/shrinklocker-malware-abusing-bitlocker-to-lock-your-data.html
https://otx.alienvault.com/pulse/66e964ed320daf881546d686
Tags
ransomware
encryption
bitlocker
2024-09-17
shrinklocker
disk partitioning

Date

  • Created: Sept. 17, 2024, 11:15 a.m.
  • Published: Sept. 17, 2024, 11:15 a.m.
  • Modified: Sept. 17, 2024, 11:28 a.m.

Indicators

  • 32f31b35179bbff9ca9dd21b43bfc3e585baafedde523bd3e4869400ab0362cb
  • d4f2c5b21e96cfef0fc4e5acb6bde30113d1c8c7522f35d99102de886ed337b3
Download all indicators here!

Attack Patterns

  • ShrinkLocker
  • T1562.004
  • T1070.001
  • T1053.005
  • T1491
  • T1486
  • T1070
  • T1485
  • T1112
  • T1041