
ShrinkLocker Ransomware

Numerous ransomware operators are questioning the necessity of integrating a crypto-locking mechanism into their malware threats, given the availability of Microsoft's robust encryption software within Windows. One notable instance highlighted by cybersecurity experts is ShrinkLocker. This ransomware variant establishes a fresh boot partition to encrypt corporate systems utilizing Windows BitLocker.

Threat Actors Lock Data by Abusing Legitimate Windows Feature

Instances of ransomware employing BitLocker to encrypt computers are not uncommon. In one case, a threat actor leveraged this security feature within Windows to encrypt 100TB of data across 40 servers at a hospital in Belgium. Similarly, another attacker utilized BitLocker to encrypt systems belonging to a Moscow-based meat producer and distributor. Microsoft issued a warning in September 2022, revealing that an Iranian state-sponsored attacker had employed BitLocker to encrypt systems running Windows 10, Windows 11, or Windows Server 2016 and newer.

However, upon scrutinizing ShrinkLocker, experts caution that this threat exhibits previously undisclosed features aimed at amplifying the extent of the attack's impact.

ShrinkLocker is Executed Only When Certain Specifications are Met

ShrinkLocker is coded in Visual Basic Scripting (VBScript), a language that Microsoft introduced back in 1996 and that is now on its way out. Among its functionalities, the threat can identify the specific Windows version running on the target machine by querying Windows Management Instrumentation (WMI) with the Win32_OperatingSystem class.

The attack proceeds only under specific conditions, such as the current domain matching the target and the operating system (OS) version being newer than Vista. Otherwise, ShrinkLocker concludes automatically and self-deletes. When the target meets the attack's criteria, the malware uses the diskpart utility in Windows to shrink every non-boot partition by 100MB, dividing the unallocated space into new primary volumes of identical sizes.

Researchers note that in Windows 2008 and 2012, ShrinkLocker Ransomware initially preserves the boot files along with the index of other volumes. Similar resize operations are conducted on other Windows OS versions, albeit with different code segments, as outlined in the researchers' technical analysis. Subsequently, the malware employs the BCDEdit command-line tool to reinstall the boot files on the newly generated partitions.

The ShrinkLocker Ransomware Renders the Data on Entire Drive Partitions Unusable

ShrinkLocker also modifies registry entries to disable remote desktop connections or enable BitLocker encryption on hosts without a Trusted Platform Module (TPM). This dedicated chip provides hardware-based, security-related functions.

The threat actor behind ShrinkLocker does not drop a ransom file to establish a communication channel with the victim. Instead, they provide a contact email address as the label of the new boot partitions. However, this label won't be seen by admins unless they boot the device using a recovery environment or through other diagnostic tools, making it fairly easy to miss.

After encrypting the drives, the threat actor deletes the BitLocker protectors (e.g., TPM, PIN, startup key, password, recovery password, recovery key) to deny the victim any option to recover BitLocker's encryption key, which is sent to the attacker.

The key generated for encrypting files is a 64-character combination of random multiplication and replacement of a variable with 0-9 numbers, special characters, and the holoalphabetic sentence 'The quick brown fox jumps over the lazy dog.' The key is delivered through the TryCloudflare tool, a legitimate service for developers to experiment with Cloudflare's Tunnel without adding a site to Cloudflare's DNS.

In the final stage of the attack, ShrinkLocker forces the system to shut down for all the changes to take effect and leave the user with the drives locked and no BitLocker recovery options.

The ShrinkLocker Threat Actors may not be Financially Driven

BitLocker offers the option to craft a personalized message on recovery screens, providing an ideal platform for displaying an extortion message to victims. The absence of a prominently displayed ransom note and an email merely designated as a drive label might suggest that these attacks are intended to be more destructive in nature rather than driven by financial motives.

Researchers have uncovered that ShrinkLocker manifests in multiple variants and has been deployed against a government entity, as well as organizations within the steel and vaccine manufacturing sectors in Mexico, Indonesia, and Jordan.

Companies employing BitLocker on their systems are strongly advised to ensure the secure storage of recovery keys and maintain regular offline backups that are periodically tested. Furthermore, organizations are urged to deploy a properly configured Endpoint Protection Platform (EPP) solution to detect attempts at BitLocker abuse, enforce minimal user privileges, enable comprehensive logging and monitoring of network traffic (including both GET and POST requests), track events associated with VBS and PowerShell execution, and log pertinent scripts.
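One way to act on the logging advice above, shown as an added example that is not part of the original article or the researchers' analysis: a correlation rule that alerts when a script host drives several of the described stages on one host within a short window. The event fields, patterns, Windows value names (fDenyTSConnections, EnableBDEWithNoTPM), threshold and window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
Event = namedtuple("Event", "host time parent image cmdline")
# Stages follow the behaviour described above; the patterns are assumptions.
STAGES = {
    "partition_resize": r"\bdiskpart(\.exe)?\b",
    "boot_reconfig": r"\bbcdedit(\.exe)?\b",
    "rdp_disabled": r"fDenyTSConnections",
    "bitlocker_no_tpm": r"EnableBDEWithNoTPM",
    "protector_removed": r"manage-bde.*-protectors.*-delete|Remove-BitLockerKeyProtector",
    "tunnel_egress": r"trycloudflare\.com",
    "forced_shutdown": r"\bshutdown(\.exe)?\s.*/[sr]\b",
}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe")
WINDOW = timedelta(minutes=30)
THRESHOLD = 3  # distinct stages on one host inside WINDOW

def classify(ev):
    """Return the stage names whose pattern matches a process-creation event."""
    return {n for n, rx in STAGES.items() if re.search(rx, f"{ev.image} {ev.cmdline}", re.I)}

def detect(events):
    """Return {host: stages} for script-driven chains reaching THRESHOLD."""
    hits = defaultdict(list)
    for ev in events:
        stages = classify(ev)
        if stages:
            hits[ev.host].append((datetime.fromisoformat(ev.time), ev, stages))
    alerts = {}
    for host, rows in hits.items():
        rows.sort(key=lambda r: r[0])
        for start, _, _ in rows:  # slide the window from every matching event
            win = [r for r in rows if timedelta(0) <= r[0] - start <= WINDOW]
            seen = set().union(*(r[2] for r in win))
            scripted = any(r[1].parent.lower().endswith(SCRIPT_HOSTS) for r in win)
            if scripted and len(seen) >= THRESHOLD:
                alerts[host] = sorted(seen)
                break
    return alerts
# Constructed, abbreviated sample events; not taken from a real incident.
SAMPLE = [
    Event("SRV01", "2024-05-20T02:10:00", "wscript.exe", "reg.exe", "reg add <key> /v EnableBDEWithNoTPM"),
    Event("SRV01", "2024-05-20T02:11:00", "wscript.exe", "diskpart.exe", "diskpart /s <script>"),
    Event("SRV01", "2024-05-20T02:12:30", "wscript.exe", "bcdedit.exe", "bcdedit <args>"),
    Event("SRV01", "2024-05-20T02:20:00", "wscript.exe", "shutdown.exe", "shutdown /r /f /t 0"),
    Event("WS07", "2024-05-20T09:00:00", "cmd.exe", "diskpart.exe", "diskpart"),
    Event("WS07", "2024-05-20T09:05:00", "cmd.exe", "bcdedit.exe", "bcdedit /enum"),
]
```

Calling detect(SAMPLE) flags SRV01 and leaves WS07 alone, since an administrator running diskpart and bcdedit by hand neither reaches the threshold nor descends from a script host.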
