Blog

You are currently viewing The newly discovered ransomware uses BitLocker to encrypt the victim’s data

The newly discovered ransomware uses BitLocker to encrypt the victim’s data

A previously unknown piece of ransomware called ShrinkLocker encrypts the victim’s data using the BitLocker feature built into the Windows operating system.

BitLocker is a full encryption device that debuted in 2007 with the release of Windows Vista. Users use it to encrypt entire hard drives to prevent people from reading or changing data in case they gain physical access to the drive. Starting with the Windows 10 implementation, BitLocker uses the 128-bit and 256-bit XTS-AES encryption algorithms by default, giving the feature additional protection against attacks that rely on manipulating ciphertext to cause predictable plaintext changes.

Recently, researchers from security firm Kaspersky discovered a threat using BitLocker to encrypt data on systems located in Mexico, Indonesia and Jordan. The researchers named the new ransomware ShrinkLocker, both because of its use of BitLocker and because it shrinks the size of each non-bootable partition by 100 MB and splits the recently unallocated space into new primary partitions of the same size.

“Our incident response and malware analysis are evidence that attackers are constantly refining their tactics to avoid detection,” the researchers wrote on Friday. “In this incident, we observed abuse of the native BitLocker feature for unauthorized data encryption.”

ShrinkLocker is not the first malware to use BitLocker. In 2022, Microsoft reported that ransomware attackers with ties to Iran also used the file encryption tool. That same year, Russian agribusiness Miratorg was attacked by ransomware that used BitLocker to encrypt files located in the system storage of infected devices.

Once installed on a device, ShrinkLocker runs a VisualBasic script that first calls Windows Management Instrumentation and the Win32_OperatingSystem class to obtain information about the operating system.

“For each object in the query results, the script checks whether the current domain is different from the target,” the Kaspersky researchers wrote. “If so, the script ends automatically. It then checks if the operating system name contains ‘xp’, ‘2000’, ‘2003’ or ‘vista’ and if the Windows version matches any of these, the script ends automatically and deletes itself.”

Zoom in / Screenshot showing initial run conditions.

Kaspersky

The script then proceeds to use WMI to query operating system information. It continues to perform disk resizing operations, which may vary depending on the version of the operating system detected. The ransomware only performs these operations on local, fixed drives. The decision to leave network devices alone is likely motivated by a desire not to trigger network discovery defenses.

Ultimately, ShrinkLocker disables the protections designed to secure the BitLocker encryption key and proceeds to delete them. It then allows the use of a digital password, both as a defense against someone else regaining control of BitLocker and as an encryptor for system data. The reason for wiping the default protectors is to disable key recovery features by the device owner. ShrinkLocker then proceeds to generate a 64-character encryption key using random multiplication and substitution of:

  • A variable with the numbers 0–9;
  • The famous pangram “The quick brown fox jumps over the lazy dog” in lowercase and uppercase, which contains every letter of the English alphabet;
  • Special symbols.

After a few additional steps, the data is encrypted. The next time the device reboots, the display looks like this:

A screenshot showing the BitLocker recovery screen.
Zoom in / A screenshot showing the BitLocker recovery screen.

Kaspersky

Decrypting disks without the attacker’s supplied key is difficult and possibly impossible in many cases. Although it is possible to recover some of the passwords and fixed values ​​used to generate the keys, the script uses variable values ​​that are different on each infected device. These variable values ​​are not easy to recover.

There are no ShrinkLocker-specific defenses to prevent successful attacks. Kaspersky advises the following:

  • Use robust, properly configured endpoint protection to detect threats that attempt to abuse BitLocker;
  • Implement Managed Detection and Response (MDR) to proactively scan for threats;
  • If BitLocker is enabled, make sure it uses a strong password and that recovery keys are stored in a secure location;
  • Make sure users only have minimum privileges. This prevents them from enabling encryption features or changing registry keys themselves;
  • Enable network traffic logging and monitoring. Configure logging of both GET and POST requests. In case of infection, requests made to the attacker’s domain may contain passwords or keys;
  • Monitor for events related to VBS and PowerShell execution, then record logged scripts and commands to external storage storing activity that can be deleted locally;
  • Make backups often, store them offline and test them.

Friday’s report also includes indicators that organizations can use to determine if they have been attacked by ShrinkLocker.

List image by Getty Images

Tags: , , , , , ,

Leave a Reply