Cybersecurity researchers have discovered a new strain of ransomware that abuses Windows BitLocker to lock victims off their devices.
As reported by BleepingComputer, Kaspersky named the new ransomware ShrinkLocker because, once it lands on a machine, it shrinks each available non-boot partition by 100 MB and creates new primary boot volumes of the same size in the freed space. It then uses BitLocker, the full-volume encryption feature included with some editions of Microsoft Windows, to encrypt the volumes on the target endpoint.
So far it has been seen to affect government agencies and manufacturing and pharmaceutical companies.
Maximum damage
For the uninitiated, BitLocker is a legitimate Windows feature, designed to protect data by providing encryption for entire volumes.
ShrinkLocker is not the first ransomware to use BitLocker to encrypt systems. BleepingComputer notes that a hospital in Belgium was hit with ransomware that used BitLocker to encrypt 100 TB of data on 40 servers, and that in 2022 Miratorg Holding, a Russian meat producer and distributor, suffered a similar fate.
But ShrinkLocker also comes “with previously unreported features to maximize attack damage,” Kaspersky warned.
Among other things, the encryptor does not drop a ransom note, as most ransomware does. Instead, it labels the new boot partitions with email addresses, presumably inviting victims to make contact that way.
Additionally, once encryption succeeds, the ransomware removes the volumes' BitLocker key protectors, denying victims any option to recover the BitLocker encryption key themselves. The only people who hold the key are the attackers, who obtain it through TryCloudflare. This is also a legitimate tool, one that developers use to test Cloudflare Tunnel without needing to add a site to Cloudflare DNS.
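The two end states described above, a volume labelled with an email address and a BitLocker volume left with no key protectors, are both visible from the host with built-in cmdlets. The following is an added defender-side audit, not code from the article or from Kaspersky's report; it assumes an elevated PowerShell session on a Windows host with the Storage and BitLocker modules present, and the function name, the regex and the "weak signal" heuristic are this example's own choices.

```powershell
# Added example (not from the article or Kaspersky's report): audit a host for
# BitLocker abuse indicators and, optionally, escrow recovery passwords to AD DS.
# Assumes: elevated session; Storage and BitLocker modules available.
function Find-BitLockerAbuseIndicators {
    [CmdletBinding()]
    param(
        # Back up every existing recovery-password protector to Active Directory.
        [switch]$EscrowToAD
    )

    # Indicator 1: a volume whose label looks like an email address. ShrinkLocker
    # uses the label of its new boot partitions as the contact channel.
    $emailLabel = '^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$'   # assumption: simple e-mail shape
    $labelHits = Get-Volume |
        Where-Object { $_.FileSystemLabel -match $emailLabel } |
        ForEach-Object {
            [pscustomobject]@{
                Indicator = 'EmailAddressVolumeLabel'
                Volume    = $_.DriveLetter
                Detail    = $_.FileSystemLabel
            }
        }

    # Indicator 2: a volume that is encrypted (or still encrypting) but carries no
    # key protector at all, which is what stripping the protectors leaves behind.
    # Weak signal: a volume whose only protector is a numeric recovery password,
    # with no TPM/PIN/external-key protector; that is the shape an attacker-added
    # password leaves on an OS volume that should be TPM-protected.
    $blv = Get-BitLockerVolume
    $protectorHits = foreach ($v in $blv) {
        if ($v.VolumeStatus -eq 'FullyDecrypted') { continue }
        $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        if ($types.Count -eq 0) {
            [pscustomobject]@{
                Indicator = 'NoKeyProtector'
                Volume    = $v.MountPoint
                Detail    = "VolumeStatus=$($v.VolumeStatus)"
            }
        } elseif (($types | Where-Object { $_ -ne 'RecoveryPassword' }).Count -eq 0) {
            [pscustomobject]@{
                Indicator = 'RecoveryPasswordOnly'   # weak signal, review manually
                Volume    = $v.MountPoint
                Detail    = "Protectors=$($types -join ',')"
            }
        }
    }

    # Optional hygiene step: escrow current recovery passwords so that a *legitimate*
    # lockout can be recovered. Note the caveat below about why this does not undo
    # an attack that has already replaced the protectors.
    if ($EscrowToAD) {
        foreach ($v in $blv) {
            foreach ($kp in ($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
                Backup-BitLockerKeyProtector -MountPoint $v.MountPoint `
                    -KeyProtectorId $kp.KeyProtectorId | Out-Null
            }
        }
    }

    return @($labelHits) + @($protectorHits)
}

# Usage: list indicators, then escrow keys on hosts that come back clean.
Find-BitLockerAbuseIndicators | Format-Table -AutoSize
# Find-BitLockerAbuseIndicators -EscrowToAD
```

One caveat a practitioner should keep in mind: a recovery password is itself a key protector, so once an attacker has removed the existing protectors and added their own, a previously escrowed password no longer unlocks the volume. Escrow is pre-incident hygiene for legitimate lockouts; the audit above is detection, and the real control is keeping untrusted code from reaching an account that can reconfigure BitLocker in the first place.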
So far, as-yet-unidentified threat actors have compromised systems belonging to steel and vaccine manufacturing organizations in Mexico, Indonesia, and Jordan.