ShrinkLocker: The Latest Ransomware Threat Exploiting Microsoft BitLocker for Maximum Damage
Ransomware using Microsoft BitLocker to encrypt corporate files and extort payment
The antivirus maker’s Global Emergency Response team spotted the malware, dubbed ShrinkLocker, in Mexico, Indonesia, and Jordan, and said the code’s unnamed operators targeted steel and vaccine manufacturing companies, plus a government entity. Criminals, including ransomware gangs, using legitimate software tools is nothing new — hello, Cobalt Strike.
And, in fact, Microsoft previously said Iranian bad actors had abused Windows’ built-in BitLocker full-volume encryption feature to lock up compromised devices. We can recall other strains of ransomware using BitLocker on infected machines to encrypt data and hold it to ransom.
More and more ransomware attacks are using Microsoft BitLocker to encrypt corporate files, steal the decryption key, and then extort a payment from victim organizations. This alarming trend has been identified by Kaspersky, a leading antivirus maker, whose Global Emergency Response team recently discovered new malware called ShrinkLocker.
This malicious code has been observed in countries such as Mexico, Indonesia, and Jordan, and its operators have specifically targeted steel and vaccine manufacturing companies, as well as a government entity.
The use of legitimate software tools by criminals, including ransomware gangs, is not a new phenomenon. For instance, the notorious Cobalt Strike has been widely employed for malicious purposes. Additionally, Microsoft has previously acknowledged that Iranian cybercriminals had exploited the built-in BitLocker full-volume encryption feature in Windows to lock compromised devices. There have also been previous instances of ransomware strains using BitLocker to encrypt data on infected machines and hold it for ransom.
However, what sets ShrinkLocker apart is the fact that its operators have taken additional steps to maximize the damage caused by the attack and hinder an effective response. Kaspersky’s threat hunters, Cristian Souza, Eduardo Ovalle, Ashley Muñoz, and Christopher Zachor, explained in their research that the adversaries behind ShrinkLocker have implemented techniques that make it more difficult to detect and block the malware variants.
The technical details provided in Kaspersky’s write-up offer valuable insights into how ShrinkLocker can be detected and blocked. This information is crucial for organizations looking to protect themselves against this particular ransomware threat. By understanding the specific indicators of compromise and the behavior patterns exhibited by ShrinkLocker, security teams can enhance their defenses and respond more effectively to an attack.
The rise of ransomware attacks using BitLocker highlights the need for organizations to remain vigilant and proactive in their cybersecurity efforts. It is no longer enough to rely solely on traditional security measures. Instead, a multi-layered approach that combines advanced threat detection technologies, employee education, and regular backups is essential.
Organizations must ensure that their security solutions are up to date and capable of detecting and mitigating emerging threats. Regular patching and vulnerability management are crucial in preventing attackers from exploiting known weaknesses in software and systems.
The increasing use of Microsoft BitLocker by ransomware operators to encrypt corporate files and extort payment is a concerning development. The discovery of ShrinkLocker by Kaspersky’s Global Emergency Response team highlights the need for organizations to remain vigilant and proactive in their cybersecurity efforts. By staying informed about the latest threats and implementing robust security measures, organizations can better protect themselves against this evolving threat landscape.