Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware Victims

Romanian cybersecurity firm Bitdefender has released a free decryptor to help victims recover data encrypted by the ShrinkLocker ransomware.

The decryptor is the result of a comprehensive analysis of ShrinkLocker's inner workings, which allowed the researchers to identify a "specific window of opportunity for data recovery immediately after the removal of protectors from BitLocker-encrypted disks."

ShrinkLocker was first documented in May 2024 by Kaspersky, which found that the malware uses Microsoft's native BitLocker utility to encrypt files as part of extortion attacks targeting Mexico, Indonesia, and Jordan.

Bitdefender, which investigated a ShrinkLocker incident targeting an unnamed healthcare company in the Middle East, said the attack likely originated from a machine belonging to a contractor, once again highlighting how threat actors increasingly abuse trusted relationships to infiltrate the supply chain.


In the next stage, the threat actor moved laterally to an Active Directory domain controller using legitimate credentials for a compromised account, then created two scheduled tasks to stage and trigger the ransomware.

The first task executed a Visual Basic Script ("Check.vbs") that copied the ransomware to every domain-joined machine; the second task, scheduled for two days later, executed the locally deployed ransomware ("Audit.vbs").

The attack, Bitdefender said, successfully encrypted systems running Windows 10, Windows 11, Windows Server 2016, and Windows Server 2019. The ShrinkLocker variant used is said to be a modified version of the original.

Described as simple yet effective, the ransomware stands out because it is written in VBScript, a scripting language Microsoft has said it is deprecating starting in the second half of 2024. And instead of implementing its own encryption routine, the malware weaponizes BitLocker to achieve its goals.

The script gathers information about the system configuration and operating system, then checks whether BitLocker is already installed on a Windows Server machine (where it is an optional feature); if not, it installs it using a PowerShell command and then attempts a "forced reboot" via the Win32Shutdown WMI method.


But Bitdefender said it noted a bug that causes this request to fail with a "Privilege Not Held" error (the error WMI returns when the caller's token does not have the shutdown privilege enabled), leaving the VBScript stuck in an infinite loop of failed reboot attempts.

"Even if the server is rebooted manually (e.g. by an unsuspecting administrator), the script does not have a mechanism to resume its execution after the reboot, meaning that the attack may be interrupted or prevented," Martin Zugec, technical solutions director at Bitdefender, said.

The ransomware generates a random password derived from system-specific information, such as network traffic, system memory, and disk usage, and uses it as the BitLocker password for the system's drives.

The unique password is then uploaded to a server controlled by the attacker. After the restart, the user is prompted to enter the password to unlock the encrypted drive. The BitLocker screen is also configured to display the threat actor's contact email address to initiate payment in exchange for the password.

That's not all. The script makes several Registry changes to restrict access to the system, disabling remote RDP connections and turning off local password-based logons. As part of its cleanup, it also disables Windows Firewall rules and deletes audit files.


Bitdefender further pointed out that the name ShrinkLocker is misleading: the namesake partition-shrinking functionality is limited to legacy Windows systems, and the malware does not actually shrink partitions on current operating systems.

"By using a combination of Group Policy Objects (GPOs) and scheduled tasks, it can encrypt multiple systems within a network in as little as 10 minutes per device," Zugec noted. "As a result, a complete compromise of a domain can be achieved with very little effort."

“Proactive monitoring of specific Windows event logs can help organizations identify and respond to potential BitLocker attacks, even in their early stages, such as when attackers are testing their encryption capabilities.”
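The following PowerShell triage query is an added example and is not code from the article or from Bitdefender. It pulls the traces the tradecraft described above leaves behind: everything recorded in the built-in BitLocker Management operational log (protector changes, encryption start/stop, AD DS backup results), plus Security-log scheduled-task creations (4698), process creations (4688) and audit-log clears (1102) that reference manage-bde, .vbs scripts, wscript/cscript or the Win32_EncryptableVolume WMI methods. The keyword list and the time window are this example's assumptions; 4688 only carries a command line if the "Include command line in process creation events" audit policy is enabled.

```powershell
# Added example (not from the article or Bitdefender): hunt for ShrinkLocker-style
# BitLocker abuse in Windows event logs. Run elevated on the suspect host, or point
# -ComputerName at a remote server that allows remote event log access.
param(
    [int]$Hours = 48,
    [string]$ComputerName = $env:COMPUTERNAME
)

$since = (Get-Date).AddHours(-$Hours)
$hits  = New-Object System.Collections.Generic.List[object]

function Add-Hit($Event, $Reason, $Detail) {
    $hits.Add([pscustomobject]@{
        Time     = $Event.TimeCreated
        Computer = $Event.MachineName
        Log      = $Event.LogName
        Id       = $Event.Id
        Reason   = $Reason
        Detail   = ($Detail -replace '\s+', ' ').Trim()
    })
}

# Extract a named <Data Name="..."> field from an event's XML payload.
function Get-EventField($Event, $Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Everything the BitLocker Management log recorded in the window. Protector
#    removal, encryption start/stop and AD DS backup success/failure all land here,
#    so on a server that is not normally touched by BitLocker, any entry is a lead.
$blLog = 'Microsoft-Windows-BitLocker/BitLocker Management'
Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = $blLog; StartTime = $since
} | ForEach-Object { Add-Hit $_ 'BitLocker state change' $_.Message }

# 2. Security log: scheduled tasks, process creation and cleared audit logs,
#    matched against the tooling this campaign relied on (assumed keyword list).
$keywords = 'manage-bde', '\.vbs', 'wscript', 'cscript',
            'Win32_EncryptableVolume', 'ProtectKeyWith', 'DeleteKeyProtectors'
$pattern  = $keywords -join '|'

Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4698, 4688, 1102; StartTime = $since
} | ForEach-Object {
    $ev = $_   # capture: inside switch, $_ is rebound to the value being switched on
    switch ($ev.Id) {
        4698 {
            $task = Get-EventField $ev 'TaskContent'
            if ($task -match $pattern) { Add-Hit $ev 'Scheduled task runs script/BitLocker tooling' $task }
        }
        4688 {
            $cmd = Get-EventField $ev 'CommandLine'
            if ($cmd -match $pattern) { Add-Hit $ev 'Process launched BitLocker tooling or .vbs' $cmd }
        }
        1102 { Add-Hit $ev 'Security audit log cleared' $ev.Message }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

A 4698 whose task content launches a .vbs, followed hours or days later by BitLocker Management entries on a machine that never had BitLocker enabled, is the sequence the article describes; a 1102 in the same window is the cleanup step. Forward the same three Security IDs and the BitLocker Management channel to a SIEM rather than relying on local logs, since the script deletes audit files.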

"By configuring BitLocker to store recovery information in Active Directory Domain Services (AD DS) and enforcing the policy 'Do not enable BitLocker until recovery information is stored to AD DS for operating system drives,' organizations can significantly reduce the risk of BitLocker-based attacks."
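As an added example (not code from the article or from Bitdefender), the script below puts that recommendation into practice on a domain-joined host: it sets the registry values that the "Choose how BitLocker-protected operating system drives can be recovered" GPO writes under HKLM\SOFTWARE\Policies\Microsoft\FVE, then checks every encrypted volume for a recovery-password protector and escrows it to AD DS. The value names are the ones the ADMX template uses for operating system drives (fixed data drives use the FDV* equivalents); verify them against your own ADMX. Writing them locally is meant for lab verification, in production deploy the GPO itself so the attacker cannot simply undo a local registry edit.

```powershell
# Added example (not from the article or Bitdefender): enforce AD DS escrow of
# BitLocker recovery information and verify each volume actually has an escrowed
# recovery password. Run elevated on a domain-joined machine.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# Registry values written by the GPO
# "Choose how BitLocker-protected operating system drives can be recovered":
#   OSRecovery                     = 1 -> policy enabled
#   OSActiveDirectoryBackup        = 1 -> save recovery information to AD DS
#   OSRequireActiveDirectoryBackup = 1 -> do not enable BitLocker until it is stored in AD DS
#   OSActiveDirectoryInfoToStore   = 1 -> store recovery passwords and key packages
$desired = @{
    OSRecovery                     = 1
    OSActiveDirectoryBackup        = 1
    OSRequireActiveDirectoryBackup = 1
    OSActiveDirectoryInfoToStore   = 1
}
foreach ($name in $desired.Keys) {
    $current = (Get-ItemProperty -Path $fve -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne $desired[$name]) {
        Write-Host "Setting $name = $($desired[$name]) (was '$current')"
        Set-ItemProperty -Path $fve -Name $name -Value $desired[$name] -Type DWord
    }
}

# A BitLocker volume whose only protector is a password, with no RecoveryPassword,
# is exactly the state a ShrinkLocker-style attack leaves behind. Make sure every
# encrypted volume has one and that it is backed up to the computer object in AD DS.
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

    $types    = $vol.KeyProtector.KeyProtectorType
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    if (-not $recovery) {
        Write-Warning "$($vol.MountPoint): no RecoveryPassword protector (protectors: $($types -join ', ')); adding one"
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $recovery = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                    Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($rp in $recovery) {
        # Escrow to AD DS. Success or failure of this backup is recorded in the
        # Microsoft-Windows-BitLocker/BitLocker Management event log.
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId
        Write-Host "$($vol.MountPoint): recovery password $($rp.KeyProtectorId) backed up to AD DS"
    }
}
```

With the recovery password escrowed, an incident responder can unlock a drive from the computer object's msFVE-RecoveryInformation child objects (via Active Directory Users and Computers with the BitLocker Recovery tab, or the Get-ADObject cmdlet) without needing the attacker's password, and with OSRequireActiveDirectoryBackup set, BitLocker refuses to enable on an OS drive if that backup has not succeeded.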
