By LBT Technology Group, LLC. on Wednesday, 05 June 2024
Category: Security

Cybersecurity Threat Advisory: New ShrinkLocker ransomware strains

Threat update

ShrinkLocker is a recent ransomware strain that leverages a legitimate Windows encryption feature, BitLocker, to lock victims out of their devices. It shrinks the partition, increasing the impact of the attack. 

Technical Detail and Additional Info

What is the threat?

ShrinkLocker uses VBScript to identify the operating system (OS) and manipulate disks. It shrinks each available non-boot partition by 100 MB and creates a new primary boot volume of the same size in the freed space. It then leverages BitLocker to encrypt the entire target drive, deletes the BitLocker recovery keys, disables remote access, and self-deletes after execution. When the user reboots the device, a BitLocker recovery screen appears, but no recovery options are available. ShrinkLocker does not drop a ransom note. Instead, it labels the new boot partitions with email addresses, intended to prompt victims to make contact by email. However, these partition labels are only visible to an administrator in a recovery environment or with diagnostic tools.
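The following PowerShell audit is an added example, not code from the advisory, and checks a host for two of the post-infection conditions described above: BitLocker volumes left without a recovery password protector, and volumes whose labels look like email addresses. It assumes the built-in BitLocker module (Windows 8 / Server 2012 or later), an elevated session, and, for the optional `-EscrowToAD` switch, a domain-joined machine with the recovery-information Group Policy in place.

```powershell
# Added example (not from the advisory): audit for ShrinkLocker-style indicators
# and optionally escrow recovery passwords to Active Directory.
[CmdletBinding()]
param(
    [switch]$EscrowToAD   # also back up each recovery password to AD DS
)

$findings = @()

# 1. BitLocker active but no RecoveryPassword protector: the advisory notes the
#    ransomware deletes recovery keys, so this is the state it leaves behind.
foreach ($vol in Get-BitLockerVolume) {
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $recovery.Count -eq 0) {
        $findings += "[!] $($vol.MountPoint): BitLocker active with no recovery password protector"
        continue
    }
    if ($EscrowToAD) {
        foreach ($kp in $recovery) {
            # Escrow so a later key deletion on the host does not lock the data away.
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
        }
    }
}

# 2. Volume labels shaped like an email address: ShrinkLocker labels its new boot
#    partitions this way instead of dropping a ransom note. Hidden volumes without
#    a drive letter are included because Get-Volume lists them too.
foreach ($v in Get-Volume) {
    if ($v.FileSystemLabel -match '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        $sizeMB = [math]::Round($v.Size / 1MB)
        $findings += "[!] Volume '$($v.FileSystemLabel)' ($sizeMB MB) has an email-style label"
    }
}

if ($findings.Count -gt 0) { $findings } else { 'No ShrinkLocker-style indicators found.' }
```

Run it periodically from a monitoring account; a hit on either check on a machine that was healthy at the last run is a prompt to isolate the host before the next reboot.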

Why is it noteworthy?

The fact that the attackers appear to have intentionally made it difficult to contact them suggests their motives are disruption and destruction rather than financial gain. Shrinking the partition is a unique tactic that maximizes the impact of the attack. Though no specific group is known to be behind the attack, researchers note that the attackers would need to be a skilled group with an excellent understanding of Windows internals.

What is the exposure or risk?

The exact attack vector is unknown, but it likely involves exploited vulnerabilities, stolen credentials, or already compromised systems. A user may also unintentionally download the script through a phishing email. Once the attacker has access to the system, they can exfiltrate data and then encrypt the data on the system. Since BitLocker is a native Windows feature, any machine running Windows Vista or later, or Windows Server 2008 or later, could be affected. Without regular backups, the risk of losing irreplaceable data is high.

What are the recommendations?

LBT Technology Group recommends the following actions to protect your organization against ShrinkLocker:

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact LBT's Sales Engineer.
