Cybersecurity researchers recently uncovered a new strain of ransomware that utilises Windows BitLocker to lock users out of their devices. Dubbed ShrinkLocker by Kaspersky, this ransomware has been observed targeting government agencies and firms in the manufacturing and pharmaceutical sectors.
How ShrinkLocker works
When ShrinkLocker infects a system, it shrinks available non-boot partitions by 100 MB and creates new primary boot volumes of the same size. It then uses BitLocker, a feature in some versions of Microsoft Windows, to encrypt the files on the device.
Unlike other ransomware variants, ShrinkLocker does not leave a ransom note. Instead, it labels new boot partitions with email addresses, presumably encouraging victims to communicate through this channel. Additionally, ShrinkLocker deletes all BitLocker protectors after encrypting the files, leaving victims with no way to recover the encryption key. The attackers hold the key, obtained through TryCloudflare, a legitimate tool developers use to test CloudFlare’s tunnel without adding a site to CloudFlare’s DNS.
Previous incidents of BitLocker-based attacks
While ShrinkLocker is not the first ransomware to use BitLocker, it does introduce new features to increase the attack’s impact. In the past, a hospital in Belgium fell victim to a ransomware strain that encrypted 100 TB of data on 40 servers using BitLocker. Similarly, Miratorg Holding, a meat producer and distributor in Russia, suffered a similar fate in 2022.
International impact
ShrinkLocker has already affected organisations in Mexico, Indonesia, and Jordan, including steel and vaccine manufacturing companies. The full extent of the damage caused by this ransomware is yet to be determined.