New ShrinkLocker Ransomware Exploits BitLocker to Encrypt Files

The new ransomware strain ShrinkLocker is raising significant concern because it uses Windows BitLocker to encrypt corporate systems after creating new boot partitions.

ShrinkLocker, named for its method of creating a boot volume by shrinking available non-boot partitions, has been targeting government entities and companies in the vaccine and manufacturing sectors.

Using BitLocker to encrypt computers isn't new. Previously, threat actors have used this security feature to encrypt 100TB of data on 40 servers at a Belgian hospital and to target a Moscow-based meat producer and distributor. In September 2022, Microsoft warned about an Iranian state-sponsored attacker using BitLocker to encrypt systems running Windows 10, Windows 11, or Windows Server 2016 and newer.

Kaspersky reports that ShrinkLocker includes previously unreported features designed to maximize damage. Written in Visual Basic Scripting (VBScript), ShrinkLocker uses Windows Management Instrumentation (WMI) to detect the specific Windows version on the target machine and proceeds only if certain conditions are met, such as the current domain matching the target and the OS version being newer than Vista. If not, ShrinkLocker deletes itself.

If the target meets the requirements, the malware uses the Windows diskpart utility to shrink each non-boot partition by 100MB, creating new primary volumes from the unallocated space. Kaspersky researchers noted that on Windows 2008 and 2012, ShrinkLocker saves the boot files along with the index of other volumes. The resize operations are carried out with different code on other Windows OS versions.

ShrinkLocker then uses the BCDEdit command-line tool to reinstall boot files on the new partitions. Additionally, it modifies registry entries to disable remote desktop connections and enable BitLocker encryption on hosts without a Trusted Platform Module (TPM), a security chip.

Dynamic malware analysis by Kaspersky confirmed the following registry changes made by ShrinkLocker:

- fDenyTSConnections = 1: disables RDP connections
- scforceoption = 1: enforces smart card authentication
- UseAdvancedStartup = 1: requires BitLocker PIN for pre-boot authentication
- EnableBDEWithNoTPM = 1: allows BitLocker without a compatible TPM chip
- UseTPM = 2: uses TPM if available
- UseTPMPIN = 2: requires a startup PIN with TPM if available
- UseTPMKey = 2: uses a startup key with TPM if available
- UseTPMKeyPIN = 2: uses a startup key and PIN with TPM if available
- EnableNonTPM = 1: allows BitLocker without a TPM chip, requiring a password or startup key on a USB flash drive
- UsePartialEncryptionKey = 2: requires a startup key with TPM
- UsePIN = 2: requires a startup PIN with TPM

The threat actor behind ShrinkLocker does not drop a ransom note but instead provides a contact email address within the label of the new boot partitions. This label is only visible through a recovery environment or diagnostic tools, making it easy to miss. After encrypting the drives, the attacker deletes the BitLocker protectors, such as TPM, PIN, startup key, password, recovery password, and recovery key, preventing the victim from recovering BitLocker’s encryption key, which is sent to the attacker.
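The registry values listed above, the contact address hidden in a volume label, and the removal of key protectors are all visible from the host itself. The following is an added example, not Kaspersky's or the article's code: a read-only PowerShell audit that checks one machine for those indicators. The registry paths are the standard locations of these policy values (an assumption; the article names the values only), and Get-Volume and Get-BitLockerVolume assume the Storage and BitLocker modules are present.

```powershell
# Added example: audit this host for the ShrinkLocker indicators described in the article.
# Run from an elevated PowerShell session. Nothing here modifies the system.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # assumed location of the BitLocker policy values
$indicators = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';          Name = 'fDenyTSConnections'; Expected = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'scforceoption';      Expected = 1 }
    @{ Path = $fve; Name = 'UseAdvancedStartup';      Expected = 1 }
    @{ Path = $fve; Name = 'EnableBDEWithNoTPM';      Expected = 1 }
    @{ Path = $fve; Name = 'UseTPM';                  Expected = 2 }
    @{ Path = $fve; Name = 'UseTPMPIN';               Expected = 2 }
    @{ Path = $fve; Name = 'UseTPMKey';               Expected = 2 }
    @{ Path = $fve; Name = 'UseTPMKeyPIN';            Expected = 2 }
    @{ Path = $fve; Name = 'EnableNonTPM';            Expected = 1 }
    @{ Path = $fve; Name = 'UsePartialEncryptionKey'; Expected = 2 }
    @{ Path = $fve; Name = 'UsePIN';                  Expected = 2 }
)

# Any single value can be set legitimately by Group Policy; the signal is the whole set
# appearing together with RDP disabled on a host that receives no BitLocker GPO.
$hits = foreach ($i in $indicators) {
    # A missing key or value yields $null, which never equals the expected number.
    $actual = (Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue).($i.Name)
    if ($actual -eq $i.Expected) { "$($i.Path)\$($i.Name) = $actual" }
}

# ShrinkLocker leaves the contact address in the label of the new boot volume instead of a note.
$labels = Get-Volume -ErrorAction SilentlyContinue |
    Where-Object { $_.FileSystemLabel -match '@' } |
    ForEach-Object { "volume $($_.UniqueId) carries label '$($_.FileSystemLabel)'" }

# An encrypted volume whose key protectors were all deleted cannot be unlocked by its owner.
$orphaned = Get-BitLockerVolume -ErrorAction SilentlyContinue |
    Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -and ($_.KeyProtector | Measure-Object).Count -eq 0 } |
    ForEach-Object { "BitLocker volume $($_.MountPoint) is $($_.VolumeStatus) with no key protectors" }

$report = @($hits) + @($labels) + @($orphaned)
if ($report.Count -eq 0) {
    'No ShrinkLocker indicators found on this host.'
} else {
    "Found $($report.Count) indicator(s):"
    $report | ForEach-Object { "  $_" }
    if (@($hits).Count -ge 8) {
        'Registry pattern matches the ShrinkLocker policy set: isolate the host and preserve evidence before any reboot.'
    }
}
```

Because the malware ends by forcing a shutdown, the protector and label checks are most useful when run from an EPP or scheduled task before that point; after the shutdown the same volume labels are still visible from a recovery environment.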

The encryption key is a 64-character string generated by combining numbers, special characters, and the holoalphabetic sentence "The quick brown fox jumps over the lazy dog." This key is transmitted via the TryCloudflare tool, a legitimate service for experimenting with Cloudflare’s Tunnel without adding a site to Cloudflare’s DNS.

In the final stage, ShrinkLocker forces a system shutdown, leaving the user with locked drives and no BitLocker recovery options. BitLocker’s custom message feature, which could display an extortion message, is not used, suggesting these attacks may be more destructive than financially motivated.

Kaspersky discovered multiple ShrinkLocker variants used against government entities and organizations in the steel and vaccine manufacturing sectors in Mexico, Indonesia, and Jordan.

Cristian Souza, an incident response specialist at Kaspersky, advises companies using BitLocker to securely store recovery keys, maintain regular offline backups, use a properly configured Endpoint Protection Platform (EPP) to detect BitLocker abuse, enable minimal user privileges, and monitor network traffic and script executions.