ShrinkLocker ransomware exploits Windows BitLocker, a powerful encryption tool, to lock users out of their files. This malware encrypts local drives and then shrinks drive partitions by 100 MB to create a boot partition for itself. It disables BitLocker recovery keys and sends the encryption key to the attackers, who then demand a ransom for its return.
Upon reboot, victims encounter the standard BitLocker password prompt but cannot access their systems. Instead of a typical ransom note, drive labels display the attacker’s email address, further complicating the recovery process. The ransomware uses VBScript to manage OS information, prepare drives, and alter the Windows registry to enforce its encryption.
ShrinkLocker disables recovery keys, generates a password for encryption, and then uses this password to lock the drives. It sends system data and the encryption password to the attackers’ command and control server via a Cloudflare subdomain, and then erases itself from the compromised computer, including clearing all logs.
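One way for an administrator to check a Windows host for the protector pattern described above, as an added example that is not part of the original report: the script assumes the built-in BitLocker PowerShell module and the Security event log are available and that the shell runs with administrator rights.

```powershell
# Added audit script (not from the original report). Flags BitLocker volumes
# that match the pattern described above: protection turned on with a password
# protector but no recovery protector. Also checks for a cleared Security log,
# since the report notes the malware wipes logs before exiting.

function Get-SuspiciousBitLockerVolumes {
    $findings = @()
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasRecovery = ($types -contains 'RecoveryPassword') -or ($types -contains 'RecoveryKey')
        $hasPassword = $types -contains 'Password'
        if ($vol.ProtectionStatus -eq 'On' -and $hasPassword -and -not $hasRecovery) {
            $findings += [pscustomobject]@{
                MountPoint = $vol.MountPoint
                VolumeType = $vol.VolumeType
                Protectors = ($types -join ',')
                Reason     = 'Password protector without any recovery protector'
            }
        }
    }
    return $findings
}

function Get-RecentLogClearEvents {
    # Event ID 1102 is written to the Security log whenever it is cleared.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } `
        -ErrorAction SilentlyContinue
}

$suspicious = Get-SuspiciousBitLockerVolumes
if ($suspicious) {
    Write-Warning 'BitLocker volumes protected only by a password (no recovery protector):'
    $suspicious | Format-Table -AutoSize
} else {
    Write-Output 'All protected BitLocker volumes have a recovery protector.'
}

$cleared = Get-RecentLogClearEvents
if ($cleared) {
    Write-Warning ("Security log was cleared {0} time(s) in the last 24 hours." -f @($cleared).Count)
}
```

A hit on the first check is worth escalating before any reboot, because once the machine restarts only the attacker-held password will unlock the drive.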
The ransomware has been reported in various locations, including Indonesia, Jordan, and Mexico. This sophisticated approach to ransomware highlights the increasing complexity of cyber threats and the challenges they pose for data recovery and security.