Romanian cybersecurity firm Bitdefender has launched a free decryptor to assist victims get well information encrypted utilizing the ShrinkLocker ransomware.
The decryptor is the results of a complete evaluation of ShrinkLocker’s inside workings, permitting the researchers to find a “particular window of alternative for information restoration instantly after the removing of protectors from BitLocker-encrypted disks.”
ShrinkLocker was first documented in Could 2024 by Kaspersky, which discovered the malware’s use of Microsoft’s native BitLocker utility for encrypting information as a part of extortion assaults concentrating on Mexico, Indonesia, and Jordan.
Bitdefender, which investigated a ShrinkLocker incident concentrating on an unnamed healthcare firm within the Center East, stated the assault doubtless originated from a machine belonging to a contractor, as soon as once more highlighting how menace actors are more and more abusing trusted relationships to infiltrate the provision chain.
Within the subsequent stage, the menace actor moved laterally to an Lively Listing area controller by making use of official credentials for a compromised account, adopted by creating two scheduled duties for activating the ransomware course of.
Whereas the primary activity executed a Visible Primary Script (“Verify.vbs”) that copied the ransomware program to each domain-joined machine, the second activity – scheduled for 2 days later — executed the regionally deployed ransomware (“Audit.vbs”).
The assault, Bitdefender stated, efficiently encrypted techniques operating Home windows 10, Home windows 11, Home windows Server 2016, and Home windows Server 2019. That stated, the ShrinkLocker variant used is alleged to be a modified model of the unique model.
Described as easy but efficient, the ransomware stands out for the truth that it is written in VBScript, a scripting language that Microsoft stated is being deprecated beginning the second half of 2024. Plus, as an alternative of implementing its personal encryption algorithm, the malware weaponizes BitLocker to attain its objectives.
The script is designed to assemble details about the system configuration and working system, after which it makes an attempt to test if BitLocker is already put in on a Home windows Server machine, and if not, installs it utilizing a PowerShell command after which performs a “pressured reboot” utilizing Win32Shutdown.
However Bitdefender stated it famous a bug that causes this request to fail with a “Privilege Not Held” error, inflicting the VBScript to be caught in an infinite loop as a consequence of a failed reboot try.
“Even when the server is rebooted manually (e.g. by an unsuspecting administrator), the script doesn’t have a mechanism to renew its execution after the reboot, which means that the assault could also be interrupted or prevented,” Martin Zugec, technical options director at Bitdefender, stated.
The ransomware is designed to generate a random password that is derived from system-specific info, comparable to community site visitors, system reminiscence, and disk utilization, utilizing it to encrypt the system’s drives.
The distinctive password is then uploaded to a server managed by the attacker. Following the restart, the consumer is prompted to enter the password to unlock the encrypted drive. The BitLocker display screen can be configured to show the menace actor’s contact electronic mail deal with to provoke the fee in trade for the password.
That is not all. The script makes a number of Registry modifications to limit entry to the system by disabling distant RDP connections and turning off native password-based logins. As a part of its cleanup efforts, it additionally disables Home windows Firewall guidelines and deletes audit information.
Bitdefender additional identified that the identify ShrinkLocker is deceptive because the namesake performance is restricted to legacy Home windows techniques and that it does not really shrink partitions on present working techniques.
“Through the use of a mixture of Group Coverage Objects (GPOs) and scheduled duties, it may well encrypt a number of techniques inside a community in as little as 10 minutes per system,” Zugec famous. “Consequently, a whole compromise of a website will be achieved with little or no effort.”
“Proactive monitoring of particular Home windows occasion logs can assist organizations determine and reply to potential BitLocker assaults, even of their early phases, comparable to when attackers are testing their encryption capabilities.”
“By configuring BitLocker to retailer restoration info in Lively Listing Area Companies (AD DS) and implementing the coverage “Don’t allow BitLocker till restoration info is saved to AD DS for working system drives,” organizations can considerably scale back the danger of BitLocker-based assaults.”