
Newly discovered ransomware uses BitLocker to encrypt victim data

Solab Bot
May 25, 2024

Is ShrinkLocker Ransomware Unstoppable?

socratic-gpt
Socrates

A new ransomware named ShrinkLocker has been identified by Kaspersky researchers, utilizing BitLocker, a native Windows encryption tool, to lock data on systems in Mexico, Indonesia, and Jordan. ShrinkLocker not only encrypts data but also resizes non-boot partitions, complicating recovery efforts.

This ransomware variant is particularly insidious as it manipulates BitLocker's settings to prevent recovery of the encryption key, using a complex script that checks system parameters before executing. Kaspersky's findings highlight the evolving tactics of cybercriminals and the need for robust cybersecurity measures to counter such threats.

David Taylor
May 25, 2024

How does ShrinkLocker disable the default protection mechanisms of BitLocker?

socratic-gpt
Socrates

ShrinkLocker, a ransomware variant, employs a methodical approach to disable the default protection mechanisms of BitLocker. After initiating its encryption process, ShrinkLocker strategically disables and deletes the BitLocker protectors. These protectors include elements such as the TPM (Trusted Platform Module), PINs, startup keys, passwords, recovery passwords, and recovery keys. By removing these protectors, ShrinkLocker effectively prevents any form of recovery of the BitLocker encryption key by the device owner, thereby securing the encryption under the control of the attackers. This action is part of its broader strategy to lock out users and maintain control over the encrypted data, making unauthorized decryption exceedingly difficult without the attacker-supplied key.

Christopher🎉
May 25, 2024

What is ShrinkLocker and how does it utilize the BitLocker feature in Windows to encrypt data?

socratic-gpt
Socrates

ShrinkLocker is a previously unknown piece of ransomware that encrypts victim data using the BitLocker feature built into the Windows operating system. BitLocker is a full-volume encryptor that encrypts entire hard drives to prevent unauthorized access to data. ShrinkLocker utilizes BitLocker by shrinking the size of each non-boot partition by 100 MB and splitting the newly unallocated space into new primary partitions of the same size. It then disables protections designed to secure the BitLocker encryption key and deletes them, enabling the use of a numerical password for encryption. ShrinkLocker generates a 64-character encryption key using random multiplication and replacement and sends it to the attacker. This makes decrypting drives without the attacker-supplied key difficult and likely impossible in many cases.

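A detection sketch for the protector removal followed by a numerical password described in the answers above, added here as an example and not part of the original thread. It assumes process command lines are logged; the `manage-bde` and PowerShell cmdlet patterns are standard Windows BitLocker tooling chosen for illustration (the thread does not say which interface ShrinkLocker uses), and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Patterns for documented Windows BitLocker tooling (manage-bde and the
# BitLocker PowerShell cmdlets). Assumption: command-line logging is enabled.
STAGES = {
    "protector_removed": re.compile(
        r"manage-bde(\.exe)?\s+-protectors\s+-(delete|disable)\b"
        r"|\b(Remove-BitLockerKeyProtector|Suspend-BitLocker)\b", re.I),
    "password_protector_added": re.compile(
        r"manage-bde(\.exe)?\s+-protectors\s+-add\b.*-(RecoveryPassword|rp)\b"
        r"|\bAdd-BitLockerKeyProtector\b.*-RecoveryPasswordProtector\b", re.I),
}
WINDOW = timedelta(minutes=10)  # hypothetical correlation window

def classify(cmdline):
    """Map a command line to a stage name, or None if it is not of interest."""
    for stage, rx in STAGES.items():
        if rx.search(cmdline):
            return stage
    return None

def find_protector_swaps(events):
    """Return (host, removed_at, added_at) for each host where a protector
    removal is followed by a new password protector within WINDOW."""
    last_removed, alerts = {}, []
    for ts, host, cmdline in sorted(events):
        stage = classify(cmdline)
        if stage == "protector_removed":
            last_removed[host] = ts
        elif stage == "password_protector_added" and host in last_removed:
            if ts - last_removed[host] <= WINDOW:
                alerts.append((host, last_removed[host], ts))
            del last_removed[host]
    return alerts

def t(s):
    return datetime.fromisoformat(s)

# Constructed sample events: (timestamp, host, command line)
SAMPLE_EVENTS = [
    (t("2024-05-25T10:00:00"), "WS-01", "manage-bde -status C:"),
    (t("2024-05-25T10:01:00"), "WS-02", "manage-bde -protectors -disable D:"),
    (t("2024-05-25T10:01:20"), "WS-02", "manage-bde -protectors -delete D:"),
    (t("2024-05-25T10:01:45"), "WS-02", "manage-bde -protectors -add D: -RecoveryPassword"),
    (t("2024-05-25T09:00:00"), "WS-03", "powershell Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector"),
    (t("2024-05-25T12:00:00"), "WS-04", "manage-bde -protectors -delete E:"),
    (t("2024-05-25T13:30:00"), "WS-04", "manage-bde -protectors -add E: -rp"),
]

if __name__ == "__main__":
    for host, removed, added in find_protector_swaps(SAMPLE_EVENTS):
        print(f"{host}: protectors removed {removed}, password protector added {added}")
```

Legitimate protector rotation by administrators produces the same sequence, so alerts are best scoped to hosts and accounts outside the normal BitLocker management path.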
Socrates may produce inaccurate information. Verify important details.