New Ransomware Threat: ShrinkLocker Hijacks BitLocker for Corporate Attacks

Experts at Kaspersky Lab have identified attacks on corporate devices using a new ransomware program called ShrinkLocker. Rather than bringing its own encryption routine, it abuses BitLocker, the full-volume encryption feature built into Windows, to lock the victim out of their own disks. The targets of these attacks include industrial and pharmaceutical companies, as well as government institutions.

The attack is driven by a malicious script written in VBScript. The script first checks which Windows version is installed and then uses the BitLocker controls available on that version. Because it adapts itself to the OS, ShrinkLocker runs on current releases as well as legacy ones as far back as Windows Server 2008.

The script then changes the operating system's boot configuration and attempts to encrypt the disk partitions with BitLocker. So that the machine can still boot (into the BitLocker recovery screen) once its volumes are encrypted, it shrinks the existing partitions and creates a new boot partition in the freed space, which is where the "Shrink" in the name comes from. It also deletes the existing BitLocker key protectors, the entries (such as recovery keys) that would normally let the owner unlock the volume, so that the legitimate user has no way to restore access on their own.

Next, the script sends system information together with the encryption key it generated on the infected computer to a server controlled by the attackers. Since the local protectors have already been removed, that exfiltrated key is the only remaining way to unlock the volume. The script then "covers its tracks" by deleting logs and other files that could aid in investigating the attack.

In the final stage, ShrinkLocker forcibly locks the system. On restart the victim is met with the BitLocker recovery screen and the message: "There are no BitLocker recovery options on your computer."

Kaspersky's experts recommend that companies enforce strong passwords, store BitLocker recovery keys securely outside the endpoint (for example escrowed in Active Directory or Entra ID, so a locked volume can be recovered without the attacker's key), keep regular backups of their data, and deploy solutions for early threat detection and incident investigation. In practice this also means watching for the tell-tale steps the script performs: BitLocker being enabled or its protectors changed outside of normal administration, VBScript execution on servers, and event logs being cleared. Enabling BitLocker and altering its protectors requires administrative rights, so restricting local administrator privileges removes a precondition the attack depends on.
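As an added defensive example (this is not code from the Kaspersky report or from the malware), the following PowerShell audits a Windows host for the state the attack described above leaves behind: encrypted volumes with no recovery-password protector, volumes unlockable only by a password, the "Allow BitLocker without a compatible TPM" policy value being switched on, and recent BitLocker management events. The cmdlets, event log channel and registry path are the standard Windows ones; the severity labels, the message-matching heuristics and the 24-hour default window are assumptions made for this example. The BitLocker module requires Windows 8 / Windows Server 2012 or later; on older systems such as Windows Server 2008 the equivalent information comes from `manage-bde -protectors -get <drive>`.

```powershell
#Requires -RunAsAdministrator
# Added example (not Kaspersky's or the attackers' code): audit a host for the
# conditions a BitLocker-abusing ransomware script leaves behind. Cmdlets, log
# channel and registry path are standard Windows ones; the heuristics, severity
# labels and the default 24-hour lookback are assumptions made for this example.
Import-Module BitLocker -ErrorAction Stop

function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param(
        # How far back to read the BitLocker Management event log (assumed default).
        [int]$LookbackHours = 24,
        # When set, escrow every RecoveryPassword protector to Active Directory.
        [switch]$BackupToAD
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($MountPoint, $Severity, $Text) {
        $findings.Add([pscustomobject]@{
            MountPoint = $MountPoint; Severity = $Severity; Finding = $Text })
    }

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $isEncrypted = "$($vol.VolumeStatus)" -ne 'FullyDecrypted'
        $hasRecoveryPw = $types -contains 'RecoveryPassword'
        $onlyPassword = $types.Count -gt 0 -and
            @($types | Where-Object { $_ -ne 'Password' }).Count -eq 0

        # Encrypted (or encrypting) with no recovery password: nothing is left
        # that an administrator could have escrowed in AD / Entra ID.
        if ($isEncrypted -and -not $hasRecoveryPw) {
            Add-Finding $vol.MountPoint 'High' `
                "Encrypted volume without a RecoveryPassword protector (protectors: $($types -join ', '))"
        }
        # A lone password protector is how a script that has deleted the normal
        # protectors keeps the volume unlockable for itself only.
        if ($onlyPassword) {
            Add-Finding $vol.MountPoint 'High' 'Volume is protected only by a password protector; verify who set it'
        }
        if ($BackupToAD -and $hasRecoveryPw) {
            foreach ($kp in $vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' }) {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
                Add-Finding $vol.MountPoint 'Info' "Recovery password $($kp.KeyProtectorId) escrowed to AD"
            }
        }
    }

    # Policy value behind "Allow BitLocker without a compatible TPM". A script that
    # wants to encrypt hosts lacking a TPM has to turn this on; on a managed fleet
    # it should match what Group Policy actually sets.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if ($fve -and $fve.EnableBDEWithNoTPM -eq 1) {
        Add-Finding 'HKLM' 'Medium' 'EnableBDEWithNoTPM=1 under Policies\Microsoft\FVE; confirm it came from Group Policy'
    }

    # Recent BitLocker management events. Rather than hard-coding event IDs, this
    # heuristic matches on the message text (protector changes, encryption starting).
    $filter = @{ LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
                 StartTime = (Get-Date).AddHours(-$LookbackHours) }
    foreach ($evt in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        if ($evt.Message -match 'protector|encryption') {
            Add-Finding $evt.MachineName 'Medium' `
                ("{0:u} [{1}] {2}" -f $evt.TimeCreated, $evt.Id, ($evt.Message -split "`n")[0])
        }
    }
    return $findings
}

# Report only; add -BackupToAD to escrow recovery passwords while auditing.
Get-BitLockerProtectorAudit | Sort-Object Severity | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt as part of a scheduled compliance check; a "High" finding on a domain-joined workstation is worth an immediate look, because a volume with no recovery password and no TPM protector is exactly the state in which an attacker-held key is the only way back in.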