A new strain of ransomware dubbed ShrinkLocker is being used by cyberattackers to target enterprise computers.
It abuses the Microsoft BitLocker encryption feature to encrypt the entire local drive and remove the recovery options before shutting down the PC. ShrinkLocker was discovered by cybersecurity firm Kaspersky, and analysts have observed variants in Mexico, Indonesia and Jordan.
ShrinkLocker is unusual in that it checks the version of the device's Windows operating system to confirm that the BitLocker features it needs are available, and deletes itself if they are not.
Although ShrinkLocker self-deletes after encrypting the target, Kaspersky analysts were able to work out how it operates by studying a script left behind on a PC that was infected but did not have BitLocker configured.
Attackers might deploy ShrinkLocker on a device by exploiting unpatched vulnerabilities, stolen credentials or internet-facing services to gain access to servers.
It shrinks the existing partitions to make room for new boot partitions (hence the name), labels them with the attacker's email - onboardingbinder[at]proton[dot]me or conspiracyid9[at]protonmail[dot]com - and replaces the existing BitLocker key protectors so that the original recovery keys can no longer unlock the drive.
It then enables BitLocker encryption on all of the device's drives.
ShrinkLocker only encrypts the local, fixed drives of the infected PC and does not touch network drives, most likely to avoid detection.
The 64-character key and some system information are sent to the attacker's server via an HTTP POST request to a randomly generated subdomain of 'trycloudflare[dot]com'. This is a legitimate domain from Cloudflare that is intended to let developers test Cloudflare Tunnel without adding a site to Cloudflare's DNS. The attackers abuse it here to hide their real address.
Finally, ShrinkLocker self-deletes its script and scheduled tasks, clears the logs, turns on the firewall and deletes all the rules before forcing a shutdown.
The new drive labels with the attacker's email instruct the user to contact them, implying a ransom demand for the decryption key.
Kaspersky experts have, so far, not been able to identify the source of the ShrinkLocker attacks or where the decryption keys and other device information are sent.
Some information about the attackers can be gleaned from the malware script.
The labels containing the attacker's email address can only be viewed if the infected device is booted by an admin in a recovery environment or with diagnostic tools, according to BleepingComputer.
The BitLocker recovery screen can have a custom note added, yet the attackers specifically chose not to create one.
Enable network traffic logging and monitoring, capturing both GET and POST requests, as infected systems may transmit passwords or keys to attacker domains.
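The behaviours described above (a POST to a random *.trycloudflare.com subdomain, and command lines that delete or add BitLocker key protectors or force encryption on) are the two signals a SOC can actually alert on. The following is an added example, not code from the article or from Kaspersky: a small Python detection that runs over constructed proxy-log and process-creation records, flags each signal on its own, and then correlates them per client, because GET traffic to trycloudflare.com is ordinary developer noise while a POST from a host that has just rewritten its BitLocker protectors is not. The log formats, the IP addresses, the manage-bde command lines and the Win32_EncryptableVolume pattern are all assumptions made for the example; adapt the parsers to your own telemetry.

```python
"""Toy detections for the ShrinkLocker behaviours described in the article.

Added example: all log lines below are constructed for illustration,
not real telemetry, and the field layouts are assumptions.
"""
import re

# Constructed proxy log, one record per line:
#   timestamp client method host path bytes_out
PROXY_LOG = """\
2024-05-20T10:01:02Z 10.0.5.21 GET  update.example.net /cab/patch.cab 412
2024-05-20T10:03:17Z 10.0.5.21 POST apple-quiet-garden-mango.trycloudflare.com / 1873
2024-05-20T10:03:20Z 10.0.5.33 GET  www.example.com /index.html 290
2024-05-20T10:04:01Z 10.0.5.21 POST api.example.org /login 640
""".splitlines()

# Constructed process-creation records: (client, command line).
# The manage-bde invocations are assumed equivalents of the protector
# replacement and forced encryption the article describes.
PROCESS_LOG = [
    ("10.0.5.21", r"C:\Windows\System32\wscript.exe C:\Users\Public\update.vbs"),
    ("10.0.5.21", "manage-bde.exe -protectors -delete C: -type RecoveryPassword"),
    ("10.0.5.21", "manage-bde.exe -protectors -add C: -rp"),
    ("10.0.5.21", "manage-bde.exe -on C: -UsedSpaceOnly"),
    ("10.0.5.33", r"notepad.exe C:\Users\alice\notes.txt"),
]

# Anchored at the end of the host so "trycloudflare.com.evil.example" does not match.
TUNNEL_HOST = re.compile(r"(?:^|\.)trycloudflare\.com$", re.IGNORECASE)

# Indicative BitLocker-tampering patterns (assumed for the example).
BITLOCKER_PATTERNS = {
    "protector_removed": re.compile(r"manage-bde(?:\.exe)?\s+-protectors\s+-delete", re.I),
    "protector_added": re.compile(r"manage-bde(?:\.exe)?\s+-protectors\s+-add", re.I),
    "encryption_forced_on": re.compile(r"manage-bde(?:\.exe)?\s+-on\b", re.I),
    "wmi_encryptable_volume": re.compile(r"Win32_EncryptableVolume", re.I),
}


def parse_proxy_line(line):
    """Split one constructed proxy record into a dict."""
    ts, client, method, host, path, size = line.split()
    return {"ts": ts, "client": client, "method": method.upper(),
            "host": host.lower(), "path": path, "bytes_out": int(size)}


def find_tunnel_posts(lines):
    """Return proxy records that POST to any trycloudflare.com subdomain."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec["method"] == "POST" and TUNNEL_HOST.search(rec["host"]):
            hits.append(rec)
    return hits


def find_bitlocker_tampering(records):
    """Return (pattern_name, client, cmdline) for every matching command line."""
    findings = []
    for client, cmd in records:
        for name, pat in BITLOCKER_PATTERNS.items():
            if pat.search(cmd):
                findings.append((name, client, cmd))
    return findings


def correlate(proxy_lines, process_records):
    """Clients that both tampered with BitLocker and POSTed to a tunnel host.

    Either signal alone is noisy; the combination matches the article's
    kill chain (rewrite protectors, then ship the key out over the tunnel).
    """
    posting = {rec["client"] for rec in find_tunnel_posts(proxy_lines)}
    tampering = {client for _, client, _ in find_bitlocker_tampering(process_records)}
    return posting & tampering


if __name__ == "__main__":
    for rec in find_tunnel_posts(PROXY_LOG):
        print("tunnel POST:", rec["client"], "->", rec["host"], rec["bytes_out"], "bytes")
    for name, client, cmd in find_bitlocker_tampering(PROCESS_LOG):
        print("bitlocker:", name, client, cmd)
    print("correlated clients:", sorted(correlate(PROXY_LOG, PROCESS_LOG)))
```

On real telemetry the same two functions would sit over the proxy or DNS log for the tunnel side and over Sysmon or 4688 process-creation events for the BitLocker side; the correlation window should also be short, since the article notes the script clears logs and forces a shutdown within minutes of sending the key.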
BitLocker has been targeted by bad actors numerous times in the past, well before the emergence of ShrinkLocker.
In 2021, a hospital in Belgium had 40 servers and 100 TB of its data encrypted after an attacker abused BitLocker, leading to delays in surgeries and the redirection of patients to other facilities.
The following year, another attacker targeted one of Russia's largest meat suppliers in the same way, before Microsoft reported the Iranian government had sponsored a number of BitLocker-based ransomware attacks that demanded thousands of U.S. dollars for the decryption key.
This Cyber News was published on www.techrepublic.com. Publication date: Thu, 30 May 2024 14:43:06 +0000