ShrinkLocker Ransomware: What You Need To Know


What is ShrinkLocker?

ShrinkLocker is a family of ransomware that encrypts an organisation’s data and demands a ransom payment in order to restore access to their files. It was first identified by security researchers in May 2024, after attacks were observed in Mexico, Indonesia, and Jordan.

So far, so normal. What makes it noteworthy?

The ShrinkLocker ransomware is unusual because it uses VBScript and Microsoft Windows' own legitimate security tool, BitLocker, to encrypt victims' files.

Hang on. You mean BitLocker, the full-disk-encryption feature that’s supposed to boost security by preventing anyone without proper authentication from accessing your files?

That’s the one. Ironic isn’t it? BitLocker, for anyone who doesn’t know, is a feature built into Windows that uses strong encryption to scramble data on your computer’s hard drive. If you don’t know the password to unlock a computer, you can’t access its data.

Which is great if your laptop is stolen by a thief…

…but not so good if ShrinkLocker is the one that has chosen to scramble your data with BitLocker and has not told you the password it used. Your computer cannot tell the difference between you and a thief, so it keeps you both locked out. Anyone starting up the computer will be faced with the standard BitLocker prompt for a password.

Has BitLocker been used in this way before by cybercriminals?

Yes, for instance in January 2021 a Belgian hospital had 100TB of its data encrypted on 40 of its servers using BitLocker. The following year a Moscow-based meat producer and distributor reportedly had its systems encrypted by a malicious attacker using BitLocker.

Perhaps the most high-profile abuse of the built-in BitLocker tool has been by the Iranian cybercrime gang Storm-0270 (also known as Nemesis Kitten), which Microsoft claimed in September 2022 had been responsible for multiple ransomware attacks.

So, does ShrinkLocker leave a ransom note?

No. Instead, it changes the labels of all of your system drives to a contact address for the attacker, so the "note" is the drive name itself.
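As an added, defender-side illustration (not from the article, Bitdefender, or Microsoft), the read-only PowerShell audit below checks a Windows host for the two observables described above: volume labels rewritten to look like a contact address, and BitLocker-protected volumes with no recovery password protector that an administrator could fall back on. The cmdlets are the standard `Get-Volume` and `Get-BitLockerVolume`; the e-mail-style label pattern and the "no recovery protector" heuristic are my own assumptions, not published indicators.

```powershell
# Added example: read-only audit for ShrinkLocker-style symptoms.
# Run from an elevated PowerShell session on Windows with the BitLocker module present.
Import-Module BitLocker -ErrorAction Stop

# Assumption: the attacker's contact address is an e-mail address placed in the volume label.
$contactPattern = '[\w.+-]+@[\w-]+\.[\w.-]+'
$findings = @()

# 1. Volume labels that look like a contact address rather than a normal drive name.
foreach ($vol in Get-Volume | Where-Object { $_.DriveLetter }) {
    $label = [string]$vol.FileSystemLabel
    if ($label -match $contactPattern) {
        $findings += [pscustomobject]@{
            Drive  = "$($vol.DriveLetter):"
            Reason = "Volume label looks like a contact address: '$label'"
        }
    }
}

# 2. BitLocker volumes whose protection is on but which carry no RecoveryPassword protector,
#    meaning there is nothing escrowed for an administrator to unlock the drive with.
foreach ($bl in Get-BitLockerVolume) {
    $protectorTypes = @($bl.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    if ($bl.ProtectionStatus -eq 'On' -and ($protectorTypes -notcontains 'RecoveryPassword')) {
        $findings += [pscustomobject]@{
            Drive  = $bl.MountPoint
            Reason = "BitLocker is on with no RecoveryPassword protector (present: $($protectorTypes -join ', '))"
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No ShrinkLocker-style indicators found on this host.'
}
```

A clean result does not prove the host is untouched; it only means neither of these two symptoms is visible, so treat it as one input to triage alongside recovery-key escrow records and endpoint telemetry.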

So how do I get my hands on the password without paying up?

Unfortunately, the password used to encrypt your drive is not kept on your machine; it has been sent to and stored on the attacker's own server.

But the good news is that security firm Bitdefender has released a free decryption tool that can help ShrinkLocker victims recover their files.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.


