Newly discovered ransomware uses BitLocker to encrypt victims’ data

A previously unknown piece of ransomware, called ShrinkLocker, encrypts victims’ data using the BitLocker feature built into the Windows operating system.

BitLocker is a full-volume encryptor that debuted in 2007 with the release of Windows Vista. It encrypts entire drives so that anyone who gains physical access to a drive cannot read or modify the data on it. Since the release of Windows 10, BitLocker has used the 128-bit and 256-bit XTS-AES encryption algorithm by default, which gives the feature additional protection against attacks that manipulate ciphertext to cause predictable changes in the plaintext.

Recently, researchers from security firm Kaspersky found a threat actor using BitLocker to encrypt data on systems located in Mexico, Indonesia, and Jordan. The researchers named the new ransomware ShrinkLocker, both because of its use of BitLocker and because it reduces the size of each non-boot partition by 100 MB and divides the newly unallocated space into new primary partitions of the same size.

“Our incident response and malware analysis are evidence that attackers are constantly refining their tactics to evade detection,” the researchers wrote on Friday. “In this incident, we observed abuse of the native BitLocker feature for unauthorized data encryption.”

ShrinkLocker is not the first malware to exploit BitLocker. In 2022, Microsoft reported that ransomware attackers with ties to Iran also used the tool to encrypt files. That same year, Russian agricultural company Miratorg was attacked by ransomware that used BitLocker to encrypt files residing on the system storage of infected devices.

Once installed on a device, ShrinkLocker runs a Visual Basic script (VBScript) that first invokes Windows Management Instrumentation (WMI) and the Win32_OperatingSystem class to obtain information about the operating system.

“For each object within the query results, the script checks whether the current domain is different from the target one,” the Kaspersky researchers wrote. “If so, the script ends automatically. After that, it checks if the OS name contains ‘xp’, ‘2000’, ‘2003’ or ‘vista’, and if the Windows version matches any of these, the script automatically ends and is deleted.”

[Screenshot: the initial conditions for the run. Credit: Kaspersky]

The script then continues using WMI to query information about the operating system. It then performs disk resize operations, which vary depending on the operating system version detected. The ransomware performs these operations only on local fixed drives; leaving network drives alone is likely intended to avoid triggering network detection protections.

Finally, ShrinkLocker disables and removes the protectors that guard the BitLocker encryption key. It then enables the use of a numeric password, which serves both to lock anyone else out of BitLocker and to encrypt the system data. Removing the default protectors denies the device owner BitLocker's key recovery features. ShrinkLocker then generates a 64-character encryption key by randomly multiplying and replacing:

  • A variable with the numbers 0 to 9;
  • The famous pangram, “The quick brown fox jumps over the lazy dog,” in lowercase and uppercase, containing all the letters of the English alphabet;
  • Special characters.

After several additional steps, the data is encrypted. The next time the device restarts, the screen will look like this:

[Screenshot: the BitLocker recovery screen. Credit: Kaspersky]

Decrypting drives without the key provided by the attacker is difficult and probably impossible in many cases. While it is possible to recover some of the passphrases and fixed values used to generate the keys, the script uses variable values that are different on each infected device. These variable values are not easy to recover.

There are no ShrinkLocker-specific protections to prevent successful attacks. Kaspersky advises the following:

  • Use robust, properly configured endpoint protection to detect threats that attempt to abuse BitLocker;
  • Implement Managed Detection and Response (MDR) to proactively scan for threats;
  • If BitLocker is enabled, ensure that you use a strong password and that recovery keys are stored in a secure location;
  • Ensure that users have only the least privileges they need, so that they cannot enable encryption features or change registry keys on their own;
  • Enable logging and monitoring of network traffic. Configure logging of GET and POST requests. In case of infection, requests made to the attacker’s domain may contain passwords or keys;
  • Monitor events associated with VBS and PowerShell execution, and save logged scripts and commands to an external repository so that the record survives even if the activity is deleted locally;
  • Make backups frequently, save them offline, and test them.
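The following audit script is an added example for defenders following the advice above; it is not code from the Kaspersky report or from this article. It uses the built-in BitLocker and Storage PowerShell modules (Get-BitLockerVolume, Backup-BitLockerKeyProtector, Get-Partition) to flag encrypted volumes whose only remaining protector is a recovery password, escrow recovery passwords to AD DS, and list unlettered basic partitions of roughly 100 MB; the thresholds and the "only recovery password left" heuristic are assumptions derived from the behaviour the article describes.

```powershell
# Added defender-side audit; not code from the Kaspersky report or the article.
# Assumes the built-in BitLocker and Storage modules, an elevated session, and
# (for -EscrowToAd) a domain-joined host with AD DS key backup configured.
# The size window and protector heuristic below are assumptions from the article.
param([switch]$EscrowToAd)

$findings = @()

foreach ($vol in Get-BitLockerVolume) {
    $protectors = @($vol.KeyProtector)
    $types      = @($protectors | ForEach-Object { $_.KeyProtectorType })
    $recovery   = @($protectors | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # State the article describes after ShrinkLocker: default protectors removed,
    # only a numerical (recovery) password left on a still-encrypted volume.
    if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $types.Count -gt 0 -and
        $types.Count -eq $recovery.Count) {
        $findings += "$($vol.MountPoint): only recovery-password protector(s) remain ($($types -join ', '))"
    }
    # An encrypted volume with no recovery password cannot be recovered by its owner.
    if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $recovery.Count -eq 0) {
        $findings += "$($vol.MountPoint): encrypted but has no recovery password protector"
    }
    # Escrow every recovery password to AD DS so a copy exists off the device.
    if ($EscrowToAd) {
        foreach ($rp in $recovery) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId
        }
    }
}

# The article says each non-boot partition is shrunk by 100 MB and a new primary
# partition of that size is created. An unlettered basic partition of about that
# size is therefore worth a look. The EFI System partition is also ~100 MB but
# reports Type 'System', so it is excluded; MBR data partitions report 'IFS'.
$oddParts = Get-Partition | Where-Object {
    ($_.Type -in 'Basic', 'IFS') -and ([string]$_.DriveLetter -notmatch '[A-Z]') -and
    $_.Size -ge 95MB -and $_.Size -le 105MB
}
foreach ($p in $oddParts) {
    $mb = [math]::Round($p.Size / 1MB)
    $findings += "Disk $($p.DiskNumber) partition $($p.PartitionNumber): unlettered basic partition of $mb MB"
}

if ($findings.Count -eq 0) { 'No BitLocker protector or partition findings.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

A finding is a prompt to investigate, not proof of infection: legitimate imaging tools and some recovery layouts also create small partitions, and a fixed data drive protected only by a recovery password can be an administrative choice.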

Friday’s report also includes indicators that organizations can use to determine if they have been attacked by ShrinkLocker.
