ShrinkLocker: Manipulating BitLocker for Ransomware Extortion
In the world of cyber threats, attackers always find new ways to bypass defenses. They might use tricky techniques like hiding their code, employing crypters, or obfuscating the code. One recent tactic involves using the operating system itself as a weapon.
You see, there's this thing called BitLocker, meant to keep your data safe. But these attackers have figured out how to turn it into a weapon. They use it to lock up your files and demand money to unlock them. This has been observed in places like Mexico, Indonesia, and Jordan.
What Is ShrinkLocker
A new type of ransomware called ShrinkLocker is now hitting business computers. This malware sneaks in and uses Microsoft BitLocker to lock up the whole local drive. It then removes recovery options and shuts down the computer.
What is VBScript
VBScript, or Visual Basic Scripting Edition, is a scripting language developed by Microsoft. It is based on the Visual Basic programming language and is primarily used for scripting tasks and automating processes on Windows operating systems. VBScript is often used for tasks such as system administration, file manipulation, and web page automation. It is commonly used in conjunction with technologies like Windows Script Host (WSH) and Active Server Pages (ASP). While not as widely used as it once was, VBScript is still supported on Windows systems for compatibility with legacy applications and scripts.
The Finding
Kaspersky Lab specialists have sounded the alarm on a new ransomware called ShrinkLocker. It's targeting corporate devices, especially those in industrial, pharmaceutical, and government sectors. This malware is like a digital thief, sneaking into your computer and encrypting everything in sight.
How does it work? Well, the attackers are using a crafty malicious script written in VBScript to do their dirty work. This script checks what version of Windows you're using and then activates BitLocker accordingly. It's like a silent intruder, slipping past your defenses without you even noticing.
Once activated, BitLocker encrypts the hard drive partitions, locking users out of their own files. The attackers even go as far as creating a new boot partition to ensure you can't access your computer without their permission.
BitLocker is presently available exclusively on specific editions of Windows, such as Pro, Enterprise, Education, and Ultimate. However, with the recent release of Windows 24H2, it's now automatically activated across all versions. This expansion significantly broadens the potential scope of ShrinkLocker victims
Disk Manipulation
The malware executes a series of operations aimed at resizing the disk, with variations depending on the specific version of the operating system. For instance, when targeting local disks on Windows Server 2008 and 2012, the malicious script first identifies the primary boot partition and records this crucial information. Additionally, it logs the indexes of other partitions for further manipulation using diskpart utility.
- Reduce the size of each non-boot partition by 100 MB, creating 100 MB of unallocated space on each partition except the boot volume.
- Divide unallocated space into new primary partitions, each allocated 100 MB.
- Format partitions using the override option, which forces the volume to be unmounted if necessary, and then determine the file system and drive letter for each of them.
- Activate partitions.
- If the "reduce" procedure is successful, use "ok" as a variable, and allow the script to continue running.
Operations for reducing partitions on other versions of the OS are generally similar, although they are implemented slightly differently. In addition, attackers disable and remove security tools used to protect the BitLocker encryption key so that the user cannot recover them. The attack script also changes the label of new boot partitions to the attackers' email address so that victims can contact them.
Stole The Keys
Next, the malicious script sends information about the system and the encryption key generated on the infected machine to the server of its operators. After that, it “covers its tracks”: it deletes logs and various files that can help in studying the attack.
At the final stage, the malware forcibly blocks access to the system, after which the victim sees a message on the screen: “There are no BitLocker recovery options on your computer.”
Changing the parameters of hard drive partitions plays a key role in these attacks: this gives attackers the opportunity to boot the system with encrypted files.
Mitigations
- Consider using BitLocker or alternative encryption tools like VeraCrypt to safeguard sensitive corporate data. However, take precautions to prevent misuse by attackers.
- Deploy a robust, properly configured EPP solution to detect and thwart threats attempting to exploit BitLocker.
- Implement Managed Detection and Response (MDR) to proactively scan for potential threats.
- If BitLocker is enabled, ensure strong password usage and securely store recovery keys.
- Restrict user privileges to minimize the risk of unauthorized encryption feature activation or registry key alterations.
- Enable network traffic logging and monitoring, including logging of both GET and POST requests to detect suspicious activity related to attacker domains.
- Monitor VBS and PowerShell execution events, saving logged scripts and commands to an external repository for future reference.
- Regularly perform offline backups and verify their integrity through testing.
Sources
1: SecureList by Kaspersky: https://securelist.com/ransomware-abuses-bitlocker/112643/