Global Security

Free BitLocker-based decryptor released for ShrinkLocker ransomware victims

By Admin, November 13, 2024

Romanian cybersecurity firm Bitdefender has released a free decryptor to help victims recover data encrypted by the ShrinkLocker ransomware.

The decryptor is the result of a comprehensive analysis of ShrinkLocker’s inner workings, which allowed researchers to discover “a specific window of opportunity to recover data immediately after the protectors are removed from BitLocker-encrypted drives.”

ShrinkLocker was first documented in May 2024, when Kaspersky discovered that the malware was using Microsoft’s proprietary BitLocker utility to encrypt files as part of ransomware attacks targeting Mexico, Indonesia and Jordan.

Bitdefender, which investigated a ShrinkLocker incident targeting an unnamed healthcare company in the Middle East, said the attack likely originated from a machine owned by a contractor, underscoring once again that threat actors are increasingly abusing trust relationships to penetrate the supply chain.

In the next step, the threat actor moved laterally to the Active Directory domain controller using legitimate credentials for the compromised account, then created two scheduled tasks to launch the ransomware.

The first task executed a Visual Basic script (“Check.vbs”) that copied the ransomware to every domain-joined machine; the second task, scheduled two days later, executed the locally deployed ransomware (“Audit.vbs”).

According to Bitdefender, the attack successfully encrypted systems running Windows 10, Windows 11, Windows Server 2016 and Windows Server 2019. The ShrinkLocker variant used, however, is believed to be a modified version of the original.

Described as simple but effective, the ransomware is notable for being written in VBScript, a scripting language that Microsoft has deprecated as of the second half of 2024. Also, instead of implementing its own encryption algorithm, the malware uses BitLocker to achieve its goals.

The script is designed to gather system configuration and operating system information. It then checks whether BitLocker is already installed on the Windows Server machine, installs it with a PowerShell command if not, and finally attempts a “forced reboot” via the Win32Shutdown method.

But Bitdefender said it found a bug that causes this request to fail with a “Privilege Denied” error, leaving the VBScript stuck in an infinite loop of failed reboot attempts.

“Even if the server is manually rebooted (for example by an unsuspecting administrator), the script has no mechanism to resume its execution after a reboot, which means the attack can be interrupted or prevented,” Martin Zugec, Director of Technical Solutions at Bitdefender, said.

The ransomware is designed to generate a random password derived from system information such as network traffic, system memory, and disk usage, using it to encrypt system drives.

The unique password is then uploaded to a server controlled by the attacker. After the reboot, the user is prompted for a password to unlock the encrypted drive. The BitLocker recovery screen is also configured to display the threat actor’s contact email address so that victims can initiate payment in exchange for the password.

That’s not all. The script makes several modifications to the registry to restrict access to the system, disabling remote RDP connections and disabling password-based local logins. As part of its cleanup, it also disables Windows Firewall rules and deletes audit logs.

Bitdefender also noted that the name ShrinkLocker is misleading: the partition-shrinking functionality it is named after only works on older Windows systems, and the malware does not actually shrink partitions on modern operating systems.

“Using a combination of Group Policy Objects (GPOs) and scheduled tasks, it can encrypt multiple systems on a network in just 10 minutes per device,” Zugec noted. “As a result, a complete domain compromise can be achieved with very little effort.”

“Proactively monitoring certain Windows event logs can help organizations identify and respond to potential BitLocker attacks even at an early stage, such as when attackers are testing their encryption capabilities.”

“By configuring BitLocker to store recovery information in Active Directory Domain Services (AD DS) and enforcing a policy of ‘Do not enable BitLocker until recovery information is stored in AD DS for operating system drives,’ organizations can significantly reduce the risk of BitLocker-based attacks.”
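The two recommendations above (monitoring BitLocker-related Windows events, and requiring recovery information to be escrowed in AD DS before BitLocker is enabled) can be checked from PowerShell. The script below is an added example written for this article; it is not Bitdefender’s tooling or anything from the ShrinkLocker report. It assumes a domain-joined Windows host with the built-in BitLocker module, uses the standard BitLocker Management event log and the standard FVE policy registry values, and relies on Security event 4698 (“A scheduled task was created”), which only appears when scheduled-task auditing is enabled. The function and parameter names are the author’s own.

```powershell
#Requires -RunAsAdministrator
# Added defensive example (not from the article or from Bitdefender).
# Assumptions: domain-joined Windows with the BitLocker module; standard log names,
# policy registry values and Security event ID 4698.

function Test-BitLockerAdBackupPolicy {
    # The GPO "Choose how BitLocker-protected operating system drives can be recovered"
    # writes these DWORDs under the FVE policy key when it is configured.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BackupToAdDs                 = ($p.OSActiveDirectoryBackup -eq 1)
        RequireBackupBeforeEncrypt   = ($p.OSRequireActiveDirectoryBackup -eq 1)
    }
}

function Get-OsVolumeRecoveryStatus {
    # For each OS volume, report which protectors exist. A protected volume with no
    # RecoveryPassword protector cannot be recovered from AD DS if its other
    # protectors are stripped, which is the state ShrinkLocker relies on.
    Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' } | ForEach-Object {
        $rp = @($_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        [pscustomobject]@{
            MountPoint         = $_.MountPoint
            ProtectionStatus   = $_.ProtectionStatus
            ProtectorTypes     = (@($_.KeyProtector.KeyProtectorType) -join ',')
            HasRecoveryPwd     = ($rp.Count -gt 0)
            RecoveryPwdIds     = @($rp.KeyProtectorId)
        }
    }
}

function Backup-OsVolumeRecoveryToAd {
    # Escrow every recovery-password protector to AD DS (msFVE-RecoveryInformation
    # objects under the computer account). Idempotent: re-running re-backs-up the same IDs.
    foreach ($v in Get-OsVolumeRecoveryStatus) {
        foreach ($id in $v.RecoveryPwdIds) {
            Backup-BitLockerKeyProtector -MountPoint $v.MountPoint -KeyProtectorId $id
        }
    }
}

function Get-RecentBitLockerActivity {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # Operational log written by the BitLocker service: encryption start/stop,
    # protector additions and removals, recovery events.
    $bitlocker = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; StartTime = $since
    } -ErrorAction SilentlyContinue

    # Security 4698 records scheduled-task creation; the ShrinkLocker intrusion staged
    # its two tasks this way. Requires "Audit Other Object Access Events" to be enabled.
    $tasks = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4698; StartTime = $since
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Since                 = $since
        BitLockerEvents       = @($bitlocker | Select-Object TimeCreated, Id, Message)
        ProtectorChangeEvents = @($bitlocker | Where-Object { $_.Message -match 'protector' } |
                                  Select-Object TimeCreated, Id, Message)
        ScheduledTaskEvents   = @($tasks | Select-Object TimeCreated, Id, Message)
    }
}

# Usage: run the checks and print a short summary.
$policy = Test-BitLockerAdBackupPolicy
$volumes = Get-OsVolumeRecoveryStatus
$activity = Get-RecentBitLockerActivity -Hours 24

Write-Host "AD DS backup policy : BackupToAdDs=$($policy.BackupToAdDs) RequireBackupBeforeEncrypt=$($policy.RequireBackupBeforeEncrypt)"
$volumes | Format-Table -AutoSize
Write-Host "BitLocker events (24h): $($activity.BitLockerEvents.Count), protector changes: $($activity.ProtectorChangeEvents.Count), scheduled tasks created: $($activity.ScheduledTaskEvents.Count)"
$activity.ProtectorChangeEvents | Format-Table TimeCreated, Id, Message -Wrap
```

A host reporting `RequireBackupBeforeEncrypt = False` or an OS volume with `HasRecoveryPwd = False` is the gap the article describes: BitLocker can be turned on there with an attacker-chosen password and no recovery key on record. `Backup-OsVolumeRecoveryToAd` closes it for volumes that already have a recovery-password protector; the policy itself still has to come from GPO. For detection, the useful signal is a burst of protector-change events on many hosts in a short window, not a single event, since legitimate re-keying produces the same entries one machine at a time.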
