A new ransomware hijacks Windows BitLocker to encrypt and steal files
Cybersecurity researchers have discovered a new strain of ransomware that abuses Windows BitLocker to keep victims out of their devices.
As reported by BleepingComputer, Kaspersky named the new ransomware ShrinkLocker, because once it hits, it shrinks available non-bootable partitions by 100 MB and creates new primary boot volumes of the same size. It then uses BitLocker, a full disk encryption feature included with some versions of Microsoft Windows, to encrypt the files on the target endpoint.
So far, government agencies and companies in the manufacturing and pharmaceutical sectors have been affected.
Maximum damage
For the uninitiated, BitLocker is a legitimate Windows feature designed to protect data by providing encryption for entire volumes.
ShrinkLocker is not the first ransomware variant that BitLocker uses to encrypt its systems. BleepingComputer highlighted that a hospital in Belgium was hit by a ransomware variant that used BitLocker to encrypt 100 TB of data on 40 servers, and that in 2022 a meat producer and distributor in Russia called Miratorg Holding suffered a similar fate.
But ShrinkLocker also comes “with previously unreported features to maximize the damage of the attack,” Kaspersky warned.
Among other things, the encryptor does not leave a ransom note, which is standard. Instead, it labels new boot partitions as email addresses, likely inviting victims to try to communicate that way.
Moreover, after the successful encryption, the ransomware will remove all BitLocker protectors, leaving the victims with no way to recover the BitLocker encryption key. The only person(s) who hold the key are the attackers, who obtain it through TryCloudflare. This is also a legitimate tool that developers use to test CloudFlare’s tunnel without having to add a site to CloudFlare’s DNS.
So far, the unnamed threat actors have compromised systems belonging to steel and vaccine production organizations in Mexico, Indonesia and Jordan.