Romanian cybersecurity firm Bitdefender has launched a free decryptor to assist victims get better information encrypted utilizing the ShrinkLocker ransomware.
The decryptor is the results of a complete evaluation of ShrinkLocker’s inside workings, permitting the researchers to find a “particular window of alternative for information restoration instantly after the elimination of protectors from BitLocker-encrypted disks.”
ShrinkLocker was first documented in Might 2024 by Kaspersky, which discovered the malware’s use of Microsoft’s native BitLocker utility for encrypting information as a part of extortion assaults concentrating on Mexico, Indonesia, and Jordan.
Bitdefender, which investigated a ShrinkLocker incident concentrating on an unnamed healthcare firm within the Center East, mentioned the assault seemingly originated from a machine belonging to a contractor, as soon as once more highlighting how menace actors are more and more abusing trusted relationships to infiltrate the provision chain.
Within the subsequent stage, the menace actor moved laterally to an Lively Listing area controller by making use of legit credentials for a compromised account, adopted by creating two scheduled duties for activating the ransomware course of.
Whereas the primary activity executed a Visible Fundamental Script (“Examine.vbs”) that copied the ransomware program to each domain-joined machine, the second activity – scheduled for 2 days later — executed the regionally deployed ransomware (“Audit.vbs”).
The assault, Bitdefender mentioned, efficiently encrypted programs operating Home windows 10, Home windows 11, Home windows Server 2016, and Home windows Server 2019. That mentioned, the ShrinkLocker variant used is alleged to be a modified model of the unique model.
Described as easy but efficient, the ransomware stands out for the truth that it is written in VBScript, a scripting language that Microsoft mentioned is being deprecated beginning the second half of 2024. Plus, as a substitute of implementing its personal encryption algorithm, the malware weaponizes BitLocker to realize its targets.
The script is designed to assemble details about the system configuration and working system, after which it makes an attempt to examine if BitLocker is already put in on a Home windows Server machine, and if not, installs it utilizing a PowerShell command after which performs a “compelled reboot” utilizing Win32Shutdown.
However Bitdefender mentioned it famous a bug that causes this request to fail with a “Privilege Not Held” error, inflicting the VBScript to be caught in an infinite loop because of a failed reboot try.
“Even when the server is rebooted manually (e.g. by an unsuspecting administrator), the script doesn’t have a mechanism to renew its execution after the reboot, that means that the assault could also be interrupted or prevented,” Martin Zugec, technical options director at Bitdefender, mentioned.
The ransomware is designed to generate a random password that is derived from system-specific data, resembling community site visitors, system reminiscence, and disk utilization, utilizing it to encrypt the system’s drives.
The distinctive password is then uploaded to a server managed by the attacker. Following the restart, the consumer is prompted to enter the password to unlock the encrypted drive. The BitLocker display screen can be configured to show the menace actor’s contact electronic mail tackle to provoke the fee in alternate for the password.
That is not all. The script makes a number of Registry modifications to limit entry to the system by disabling distant RDP connections and turning off native password-based logins. As a part of its cleanup efforts, it additionally disables Home windows Firewall guidelines and deletes audit information.
Bitdefender additional identified that the identify ShrinkLocker is deceptive because the namesake performance is proscribed to legacy Home windows programs and that it does not really shrink partitions on present working programs.
“By utilizing a mix of Group Coverage Objects (GPOs) and scheduled duties, it might probably encrypt a number of programs inside a community in as little as 10 minutes per gadget,” Zugec famous. “Consequently, a whole compromise of a site will be achieved with little or no effort.”
“Proactive monitoring of particular Home windows occasion logs may help organizations determine and reply to potential BitLocker assaults, even of their early levels, resembling when attackers are testing their encryption capabilities.”
“By configuring BitLocker to retailer restoration data in Lively Listing Area Providers (AD DS) and implementing the coverage “Don’t allow BitLocker till restoration data is saved to AD DS for working system drives,” organizations can considerably cut back the danger of BitLocker-based assaults.”
