Threat update
ShrinkLocker is a recent ransomware strain that leverages a legitimate Windows encryption feature, BitLocker, to lock victims out of their devices. It shrinks the partition, increasing the impact of the attack.
Technical Detail and Additional Info
What is the threat?
ShrinkLocker uses VBScript to identify the operating system (OS) and manipulate disks. It shrinks available non-boot partitions by 100 MB and creates new primary boot volumes of the same size, then uses BitLocker to encrypt the entire target drive. It deletes the BitLocker recovery keys, disables remote access, and self-deletes after execution. When the user reboots the device, a BitLocker recovery screen appears, but no recovery options are available. ShrinkLocker does not drop a ransom note. Instead, it labels the new boot partitions with email addresses, intended to entice victims to make contact by email. However, these partition labels are only visible to an administrator in a recovery environment or with diagnostic tools.
Why is it noteworthy?
The fact that the attackers appear to have intentionally made it difficult to contact them suggests their motives are disruption and destruction rather than financial gain. Shrinking the partition is an unusual tactic that maximizes the impact of the attack. Although no specific group has been identified as the source, researchers note that the attackers appear to be a skilled group with an excellent understanding of Windows internals.
What is the exposure or risk?
The exact attack vector is unknown, but it likely involves exploited vulnerabilities, stolen credentials, or already-compromised systems. A user may also unintentionally download the script through a phishing email. Once the attacker has access to the system, they can exfiltrate data and then encrypt the data on the system. Because BitLocker is a native Windows feature, any machine running Windows Vista or later, or Windows Server 2008 or later, could be affected. Without regular backups, the risk of losing irreplaceable data is high.
What are the recommendations?
LBT Technology Group recommends the following actions to protect your organization against ShrinkLocker:
- Maintain regular backups of data and store them offline so they remain available for recovery after a ransomware attack.
- Ensure BitLocker has a strong password and that the recovery keys are stored in a secure location.
- Ensure systems are updated with the latest security patches to minimize exploit opportunities.
- Implement endpoint detection and response (EDR) solutions to proactively scan for threats and aid in threat detection and response.
- Implement the principle of least privilege to limit potential damage from compromised accounts.
- Monitor system activity for unusual behaviors that might indicate a ShrinkLocker attack, like suspicious VBScript activity or unexplained disk resizing.
- Enable network traffic logging and monitoring, including logging of both GET and POST requests. In case of infection, the requests made to the attacker's domain may contain passwords or keys.
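The following PowerShell audit script is an added example, not part of this advisory and not code from LBT or the cited researchers. It supports two of the recommendations above: it checks that every BitLocker-protected volume still has a recovery password protector and can escrow those protectors to Active Directory (the "secure location" recommendation), and it flags partitions that match the traits described in this update (basic partitions of roughly 100 MB, or volume labels that look like email addresses) together with any running VBScript hosts (the "unexplained disk resizing" and "suspicious VBScript activity" recommendation). It assumes the built-in BitLocker and Storage modules on a modern Windows client or server; the 110 MB size threshold and the email-label regex are assumptions chosen to match the advisory's description, not published indicators.

```powershell
#Requires -RunAsAdministrator
# Added defensive audit example (not from the advisory). Assumes the built-in
# BitLocker and Storage PowerShell modules. The size threshold and the
# email-like label pattern are assumptions derived from the advisory's text.

function Get-BitLockerRecoveryAudit {
    # One row per BitLocker-capable volume. ShrinkLocker deletes recovery
    # protectors, so a protected volume with none is both a red flag and
    # an unrecoverable volume if the TPM/password path is ever lost.
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        [pscustomobject]@{
            MountPoint         = $vol.MountPoint
            ProtectionStatus   = $vol.ProtectionStatus
            VolumeStatus       = $vol.VolumeStatus
            RecoveryProtectors = $recovery.Count
            Finding            = if ($vol.ProtectionStatus -eq 'On' -and $recovery.Count -eq 0) {
                                     'NO RECOVERY PASSWORD - escrow a key before it is needed'
                                 } else { 'OK' }
        }
    }
}

function Backup-RecoveryProtectorsToAD {
    # Escrow every recovery password protector to Active Directory.
    # Requires the Group Policy that allows AD DS backup of BitLocker recovery
    # information; without it the cmdlet reports an error for each volume.
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword') {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
        }
    }
}

function Find-SuspiciousPartitions {
    param(
        # Assumption: slightly above the 100 MB the advisory describes.
        [int64]$MaxSizeBytes = 110MB,
        # Assumption: a volume label shaped like an email address.
        [string]$LabelPattern = '^[^@\s]+@[^@\s]+\.[^@\s]+$'
    )
    foreach ($part in Get-Partition) {
        # Skip legitimately small system partitions: EFI, MSR reserved, WinRE.
        if ($part.Type -in 'System', 'Reserved', 'Recovery') { continue }
        $volume = $part | Get-Volume -ErrorAction SilentlyContinue
        $label  = if ($volume) { $volume.FileSystemLabel } else { '' }
        $small  = $part.Size -le $MaxSizeBytes
        $mailed = $label -match $LabelPattern
        if (-not ($small -or $mailed)) { continue }

        $reasons = @()
        if ($small)  { $reasons += "basic partition <= $([math]::Round($MaxSizeBytes / 1MB)) MB" }
        if ($mailed) { $reasons += 'volume label looks like an email address' }
        [pscustomobject]@{
            Disk      = $part.DiskNumber
            Partition = $part.PartitionNumber
            SizeMB    = [math]::Round($part.Size / 1MB)
            Type      = $part.Type
            IsBoot    = $part.IsBoot
            Label     = $label
            Reason    = $reasons -join '; '
        }
    }
}

function Get-ScriptHostProcesses {
    # wscript.exe and cscript.exe are the hosts a VBScript runs under; on
    # servers and locked-down workstations they should rarely be running.
    Get-Process -Name wscript, cscript -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, StartTime, Path
}

'== BitLocker recovery protector audit =='
Get-BitLockerRecoveryAudit | Format-Table -AutoSize
'== Partitions matching ShrinkLocker traits =='
Find-SuspiciousPartitions | Format-Table -AutoSize
'== Running VBScript hosts =='
Get-ScriptHostProcesses | Format-Table -AutoSize
# Uncomment once the AD escrow policy is in place:
# Backup-RecoveryProtectorsToAD
```

Run it from an elevated PowerShell session on a schedule or from your EDR's script-runner and forward the output to your SIEM; a volume that reports 'NO RECOVERY PASSWORD' while protection is on, or a small basic partition that was not there on the previous run, is worth an immediate look. Escrowing recovery passwords ahead of time is what turns a ShrinkLocker-style lockout from data loss into a recoverable incident.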
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.techradar.com/pro/security/a-new-ransomware-is-hijacking-windows-bitlocker-to-encrypt-and-steal-files
- https://securelist.com/ransomware-abuses-bitlocker/112643/
If you have any questions, please contact LBT's Sales Engineer.