A new ransomware is hijacking Windows BitLocker to encrypt and steal files

Celebrity Gig

Cybersecurity researchers have uncovered a new ransomware strain that abuses Windows BitLocker to lock victims out of their devices.

As reported by BleepingComputer, Kaspersky dubbed the new ransomware ShrinkLocker because once it hits, it shrinks available non-boot partitions by 100 MB and creates new primary boot volumes of the same size. Then it uses BitLocker, a full disk encryption feature included with some versions of Microsoft Windows, to encrypt the files on the target endpoint. 

READ ALSO:  Don't steal another person’s man because it’s Valentine’s Day

It has so far been seen hitting government agencies, and firms in manufacturing and pharmaceuticals.

Maximum damage

For the uninitiated, BitLocker is a legitimate Windows feature, designed to protect data by providing encryption for entire volumes.

ShrinkLocker is not the first ransomware variant that uses BitLocker to encrypt the systems. BleepingComputer stressed that a hospital in Belgium was struck with a ransomware strain that used BitLocker to encrypt 100TB of data on 40 servers, and in 2022, a meat producer and distributor in Russia called Miratorg Holding, suffered a similar fate. 

READ ALSO:  US seizes internet domains allegedly used by Russian hackers

But ShrinkLocker also comes “with previously unreported features to maximize the damage of the attack,” Kaspersky warned.

Among other things, the encryptor does not drop a ransom note, which is standard practice. Instead, it labels new boot partitions as email addresses, likely inviting the victims to try and communicate that way.

Furthermore, following the successful encryption, the ransomware will delete all BitLocker protectors, denying the victims any options to recover the BitLocker encryption key. The only person(s) holding the key are the attackers, which obtain it through TryCloudflare. This is also a legitimate tool, which developers use to test CloudFlare’s tunnel, without needing to add a site to CloudFlare’s DNS.

So far, the unnamed threat actors compromised systems belonging to steel and vaccine manufacturing organizations in Mexico, Indonesia, and Jordan.

More from TechRadar Pro

Categories

Share This Article
Leave a comment