Romanian cybersecurity firm Bitdefender has launched a free decryptor to assist victims recuperate information encrypted utilizing the ShrinkLocker ransomware.
The decryptor is the results of a complete evaluation of ShrinkLocker’s inside workings, permitting the researchers to find a “particular window of alternative for information restoration instantly after the elimination of protectors from BitLocker-encrypted disks.”
ShrinkLocker was first documented in Could 2024 by Kaspersky, which discovered the malware’s use of Microsoft’s native BitLocker utility for encrypting information as a part of extortion assaults focusing on Mexico, Indonesia, and Jordan.
Bitdefender, which investigated a ShrinkLocker incident focusing on an unnamed healthcare firm within the Center East, mentioned the assault doubtless originated from a machine belonging to a contractor, as soon as once more highlighting how menace actors are more and more abusing trusted relationships to infiltrate the provision chain.
Within the subsequent stage, the menace actor moved laterally to an Energetic Listing area controller by making use of reputable credentials for a compromised account, adopted by creating two scheduled duties for activating the ransomware course of.
Whereas the primary process executed a Visible Fundamental Script (“Test.vbs”) that copied the ransomware program to each domain-joined machine, the second process – scheduled for 2 days later — executed the regionally deployed ransomware (“Audit.vbs”).
The assault, Bitdefender mentioned, efficiently encrypted techniques operating Home windows 10, Home windows 11, Home windows Server 2016, and Home windows Server 2019. That mentioned, the ShrinkLocker variant used is alleged to be a modified model of the unique model.
Described as easy but efficient, the ransomware stands out for the truth that it is written in VBScript, a scripting language that Microsoft mentioned is being deprecated beginning the second half of 2024. Plus, as an alternative of implementing its personal encryption algorithm, the malware weaponizes BitLocker to attain its objectives.
The script is designed to collect details about the system configuration and working system, after which it makes an attempt to verify if BitLocker is already put in on a Home windows Server machine, and if not, installs it utilizing a PowerShell command after which performs a “compelled reboot” utilizing Win32Shutdown.
However Bitdefender mentioned it famous a bug that causes this request to fail with a “Privilege Not Held” error, inflicting the VBScript to be caught in an infinite loop attributable to a failed reboot try.
“Even when the server is rebooted manually (e.g. by an unsuspecting administrator), the script doesn’t have a mechanism to renew its execution after the reboot, which means that the assault could also be interrupted or prevented,” Martin Zugec, technical options director at Bitdefender, mentioned.
The ransomware is designed to generate a random password that is derived from system-specific data, resembling community visitors, system reminiscence, and disk utilization, utilizing it to encrypt the system’s drives.
The distinctive password is then uploaded to a server managed by the attacker. Following the restart, the consumer is prompted to enter the password to unlock the encrypted drive. The BitLocker display can also be configured to show the menace actor’s contact e-mail tackle to provoke the fee in alternate for the password.
That is not all. The script makes a number of Registry modifications to limit entry to the system by disabling distant RDP connections and turning off native password-based logins. As a part of its cleanup efforts, it additionally disables Home windows Firewall guidelines and deletes audit information.
Bitdefender additional identified that the identify ShrinkLocker is deceptive because the namesake performance is proscribed to legacy Home windows techniques and that it does not truly shrink partitions on present working techniques.
“By utilizing a mix of Group Coverage Objects (GPOs) and scheduled duties, it could possibly encrypt a number of techniques inside a community in as little as 10 minutes per machine,” Zugec famous. “Because of this, an entire compromise of a website might be achieved with little or no effort.”
“Proactive monitoring of particular Home windows occasion logs may also help organizations determine and reply to potential BitLocker assaults, even of their early phases, resembling when attackers are testing their encryption capabilities.”
“By configuring BitLocker to retailer restoration data in Energetic Listing Area Providers (AD DS) and imposing the coverage “Don’t allow BitLocker till restoration data is saved to AD DS for working system drives,” organizations can considerably scale back the danger of BitLocker-based assaults.”
