New ShrinkLocker ransomware decryptor recovers BitLocker password


Bitdefender has released a decryptor for the 'ShrinkLocker' ransomware strain, which uses Windows' built-in BitLocker drive encryption tool to lock victims' files.

Discovered in May 2024 by researchers at cybersecurity company Kaspersky, ShrinkLocker lacks the sophistication of other ransomware families but integrates features that can maximize the damage of an attack.

According to Bitdefender's analysis, the malware appears to have been repurposed from benign ten-year-old code, written in VBScript, and relies on generally outdated techniques.

The researchers note that ShrinkLocker's operators appear to be low-skilled: the script contains redundant code and typos, the operators leave reconnaissance logs behind in the form of text files, and they rely on readily available tools.

Nevertheless, the threat actor has carried out successful attacks on corporate targets.

In a report published today, Bitdefender highlights a ShrinkLocker attack against a healthcare organization in which the attackers encrypted Windows 10, Windows 11, and Windows Server devices across the network, including backups.

The encryption process finished in 2.5 hours, and the organization lost access to critical systems, potentially facing difficulties in providing patient care.

Bitdefender is releasing a free decryption tool that can help ShrinkLocker victims recover their files.

ShrinkLocker attacks

Instead of using a custom encryption implementation like traditional ransomware, ShrinkLocker uses Windows BitLocker with a randomly generated password that is sent to the attacker.

The malware first runs a Windows Management Instrumentation (WMI) query to check whether BitLocker is available on the target system, and installs the feature if it is not present.

Next, it removes all default protections that keep the drive from being encrypted by accident. For speed, it uses the '-UsedSpaceOnly' flag so that BitLocker encrypts only the occupied space on the disk.

The random password is generated from network traffic and memory usage data, so there are no patterns that would make brute-forcing feasible.

The ShrinkLocker script also deletes and reconfigures all BitLocker protectors to make recovery of the encryption keys harder.

"Protectors are mechanisms used by BitLocker to protect the encryption key. They can include hardware protectors like TPMs or software protectors like passwords or recovery keys. By deleting all protectors, the script aims to make it impossible for the victim to recover their data or decrypt the drive," Bitdefender explains.

For propagation, ShrinkLocker uses Group Policy Objects (GPOs) and scheduled tasks: it modifies Group Policy settings on Active Directory domain controllers and creates tasks for all domain-joined machines to ensure that every drive on the compromised network is encrypted.
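The protector-stripping step described above leaves a recognizable state on a host: an encrypted or encrypting volume with no RecoveryPassword protector, guarded only by a Password protector. The following defensive audit script is an added example, not code from the article or from Bitdefender's decryptor; it assumes the built-in BitLocker PowerShell module (Get-BitLockerVolume and related cmdlets) in an elevated session, and the optional -Remediate switch assumes that Active Directory key backup is permitted by policy. The function name and the finding strings are our own.

```powershell
# Added defensive example (not from the article or Bitdefender's tooling):
# audit BitLocker key protectors on the local host and flag the state that
# ShrinkLocker leaves behind after it deletes and reconfigures protectors.
# Assumes: BitLocker PowerShell module present, elevated session, and (for
# -Remediate) a domain-joined host whose policy allows AD DS key backup.

function Test-BitLockerProtectorHealth {
    [CmdletBinding()]
    param(
        # When set, add a RecoveryPassword protector to flagged volumes and
        # back it up to Active Directory so the organization can unlock later.
        [switch]$Remediate
    )

    foreach ($vol in Get-BitLockerVolume) {
        # Protector types as strings, e.g. 'Tpm', 'RecoveryPassword', 'Password'
        $types       = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $hasRecovery = $types -contains 'RecoveryPassword'
        $hasTpm      = [bool]($types | Where-Object { $_ -like 'Tpm*' })
        $encrypted   = "$($vol.VolumeStatus)" -ne 'FullyDecrypted'

        if (-not $encrypted) {
            $finding = 'ok: volume not encrypted'
        } elseif ($types.Count -eq 0) {
            $finding = 'ALERT: encrypted volume with no key protectors at all'
        } elseif (($types -contains 'Password') -and -not $hasRecovery -and -not $hasTpm) {
            $finding = 'ALERT: password-only protection, recovery key protector removed'
        } elseif (-not $hasRecovery) {
            $finding = 'WARN: no RecoveryPassword protector to back up'
        } else {
            $finding = 'ok'
        }

        if ($Remediate -and $encrypted -and -not $hasRecovery) {
            # Restore a recovery path: new numerical recovery password, escrowed in AD DS.
            $updated = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
            $rp = $updated.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' } | Select-Object -Last 1
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
            $finding += ' (remediated: recovery password added and backed up to AD)'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            Finding          = $finding
        }
    }
}

Test-BitLockerProtectorHealth | Format-Table -AutoSize
```

Running this on a schedule and forwarding any ALERT line to the SIEM gives an early signal that protectors are being stripped, which matters because the decryptor described later in the article works best before BitLocker's configuration has been fully overridden.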

[Figure] The ShrinkLocker attack chain. Source: Bitdefender

After a reboot, victims see a BitLocker password screen that also includes the threat actor's contact details.

[Figure] BitLocker screen served to the victim. Source: Bitdefender

Bitdefender releases decryptor

Bitdefender created and released a decryptor that reverses the sequence in which ShrinkLocker deletes and reconfigures BitLocker's protectors.

The researchers say they identified "a specific window of opportunity for data recovery immediately after the removal of protectors from BitLocker-encrypted disks," which allows them to decrypt and recover the password set by the attacker.

This makes it possible to reverse the encryption process and bring the drives back to their previous, unencrypted state.

ShrinkLocker victims can download the tool and run it from a USB drive connected to the impacted systems. When the BitLocker recovery screen appears, users should enter BitLocker Recovery Mode and skip all the steps to reach Advanced options, which provides a command prompt from which the decryption tool can be launched.

[Figure] Decryptor successfully recovers ShrinkLocker's BitLocker password. Source: Bitdefender

The researchers warn that the time needed to decrypt the data depends on the system's hardware and the complexity of the encryption, and it may take a while.

When finished, the decryptor unlocks the drive and disables smart card-based authentication.

Bitdefender notes that the decryptor only works on Windows 10, Windows 11, and recent Windows Server versions, and that it is most effective when used shortly after the ransomware attack, while BitLocker's configuration has not yet been fully overridden and can still be recovered.

Unfortunately, this method will not work to recover BitLocker passwords created by other means.
