ShrinkLocker Ransomware Emerges, Exploits Windows' BitLocker Encryption

ICARO Media Group
Politics
24/05/2024 23h45

In a concerning development, a new form of ransomware called ShrinkLocker has surfaced, utilizing the BitLocker feature of the Windows operating system for data encryption. While BitLocker has long been used by users to encrypt entire hard drives and safeguard data, ShrinkLocker takes advantage of this tool to carry out unauthorized encryption.

BitLocker was introduced in 2007 with the release of Windows Vista and has since become a widely used full-volume encryptor. With the rollout of Windows 10, BitLocker upgraded its encryption algorithm to the more secure 128-bit and 256-bit XTS-AES, adding an extra layer of protection against attacks that try to manipulate ciphertext.

Researchers from cybersecurity firm Kaspersky recently discovered ShrinkLocker being employed by threat actors to encrypt data in Mexico, Indonesia, and Jordan. The ransomware was named "ShrinkLocker" because it uses BitLocker and because it shrinks non-boot partitions and divides the freed, unallocated space into new primary partitions of the same size.

The incident highlights the constantly evolving tactics of attackers to circumvent detection. Kaspersky's incident response and malware analysis confirmed the abuse of the native BitLocker feature for unauthorized data encryption. This is not the first instance of malware leveraging BitLocker, as Microsoft reported similar attacks in 2022 by ransomware actors with connections to Iran.

Upon installation, ShrinkLocker executes a Visual Basic script (VBScript) that queries the Win32_OperatingSystem class through Windows Management Instrumentation (WMI) to gather information about the operating system. The script performs various checks and operations depending on the detected Windows version. Remarkably, the ransomware specifically targets local, fixed drives and avoids network drives in order not to trigger network-based detection.

As part of its encryption process, ShrinkLocker disables BitLocker's key protectors and deletes them, later replacing them with a numerical password. Additionally, the ransomware generates a unique 64-character encryption key using random multiplication and replacement techniques. Decrypting affected drives without the attacker's key is expected to be extremely difficult, if not impossible, because the values involved differ on each infected device.

To combat potential attacks, Kaspersky offers the following recommendations: employ robust and properly configured endpoint protection that can detect BitLocker abuse; implement Managed Detection and Response (MDR) to proactively scan for threats; ensure BitLocker uses a strong password and securely store its recovery keys; restrict user privileges to prevent unauthorized encryption or registry changes; enable network traffic logging and monitoring, paying attention to password-containing requests to attackers' domains; record VBS and PowerShell executions and store those logs in case they are deleted locally; and lastly, regularly back up data offline and test the backups.

The report by Kaspersky also provides indicators that organizations can use to determine whether they have fallen victim to the ShrinkLocker ransomware. This recent discovery serves as a stark reminder of the ongoing efforts of cybercriminals to turn popular security features against the users they are meant to protect. It underlines the importance of using proper safeguards and implementing proactive security measures to protect against evolving threats.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
