Bitdefender has released a free decryptor to assist victims affected by the ShrinkLocker ransomware, which first emerged in May 2024. ShrinkLocker uses Microsoft’s BitLocker encryption tool to lock files, a tactic that has been increasingly used by attackers in extortion schemes. The decryptor was developed after Bitdefender’s extensive investigation into the malware’s operations, which revealed a specific window for data recovery right after the BitLocker protectors are removed from the encrypted disks. This breakthrough is a result of Bitdefender’s analysis of a ShrinkLocker attack that targeted a healthcare organization in the Middle East, highlighting how trusted contractor relationships are increasingly being exploited in cyberattacks.
ShrinkLocker’s attack begins when a Visual Basic Script (VBS) is executed across domain-joined machines. The script’s first task copies the ransomware onto all targeted systems, while the second task, triggered two days later, deploys the ransomware. This malware targets Windows 10, Windows 11, and Windows Server versions, taking advantage of BitLocker’s encryption capabilities instead of using its own encryption algorithm. The script first checks if BitLocker is installed on the machine; if not, it installs it and then forces a system reboot to initiate the attack. This method allows the malware to quickly lock the system’s files, demanding a ransom in exchange for a password to unlock them.
However, Bitdefender uncovered a flaw in ShrinkLocker’s process: a bug in the system causes the reboot step to fail with a “Privilege Not Held” error, which can halt the ransomware attack if the system is rebooted manually. Despite this vulnerability, the attack remains dangerous, as it can spread rapidly across networks, with encryption occurring on multiple systems within minutes. Bitdefender noted that the ransomware’s use of Group Policy Objects (GPOs) and scheduled tasks allowed the malware to compromise entire networks quickly, emphasizing the risk to businesses that may not detect the attack in time.
To mitigate the risk of such attacks, Bitdefender advises organizations to monitor specific Windows event logs for signs of BitLocker exploitation and configure systems to store recovery information in Active Directory Domain Services (AD DS). This practice can reduce the risk of BitLocker-based attacks and make it harder for ransomware to succeed in encrypting critical files. By enforcing the policy that recovery information must be stored before enabling BitLocker, organizations can improve their defense against such extortion-based malware.
