Thursday, June 13, 2024

How ShrinkLocker ransomware leverages BitLocker


While investigating a cybersecurity incident, Kaspersky's consultants found new ransomware they've dubbed "ShrinkLocker". A notable feature of this malware is that its creators skillfully use the built-in capabilities of Windows to lock down the computers the malware has infected. Specifically, ShrinkLocker uses the standard full-disk encryption utility BitLocker to block access to the data.

What makes ShrinkLocker dangerous?

Like most ransomware today, ShrinkLocker encrypts the victim's local drives to block access to their contents. What it essentially does is activate a standard security feature: BitLocker.

ShrinkLocker shrinks the computer's drive partitions by 100 megabytes (hence its name) and uses the freed-up space to create a boot partition for itself. While it's at it, it disables every BitLocker key-recovery mechanism and sends the key that was used for the drives' encryption to the attacker's server.

After the user restarts the computer, they're presented with the standard BitLocker password prompt. Since the user is now unable to boot the system, ShrinkLocker changes the labels of all system drives to the attacker's email address instead of leaving a ransom note.

How ShrinkLocker works

ShrinkLocker is implemented as a complex VBScript. It begins by collecting information about the operating system, primarily its version. If the script finds that it's running on Windows 2000, XP, 2003, or Vista, it shuts down. On newer editions of Windows, it runs the parts of its code that are tailored to the relevant operating system.

Next, it performs the preparatory operations on the local drives mentioned above, and modifies several registry keys to configure the system to run BitLocker smoothly with the settings the attacker requires.

ShrinkLocker writes the attacker's email address to the volume label

Then it disables and removes all default BitLocker protectors to prevent key recovery, and enables the numerical password-protector option.

The script then generates this password and initiates encryption of all local drives using the newly created password. After that, ShrinkLocker sends an HTTP POST request containing the password and system information to the attacker's command-and-control server.

To mask the actual server address, the threat actor uses several trycloudflare.com subdomains. This is a legitimate domain owned by Cloudflare, designed for website developers to test site traffic tunneling capabilities.

In its final stages, ShrinkLocker covers its tracks by removing its files from the drive, clearing Windows PowerShell logs, and so on. Finally, the script restarts the system.

If the user tries selecting a recovery option while the machine is booting up, they get a message stating that no BitLocker recovery options are available.

ShrinkLocker has blocked access to the drive with BitLocker, and no recovery options are available

As for the geographical distribution of infections, our researchers have observed ShrinkLocker and its variants in Indonesia, Jordan, and Mexico. You'll find more details about the ShrinkLocker modus operandi in our report on Securelist.

How to protect yourself from ShrinkLocker

Here are some recommendations on how to protect against ShrinkLocker and other ransomware threats:

  • Apply the principle of least privilege. In particular, users shouldn't be given permissions to modify the registry or enable full-volume encryption.
  • Enable traffic monitoring. In addition to HTTP GET requests, it's also useful to log HTTP POST. In case of infection, requests to the attacker's C&C server may contain passwords and keys.
  • Monitor events associated with VBS and PowerShell execution. Save scripts and commands you discover to external storage, since the malware may delete your local logs.
  • Back up your data regularly. Use offline storage for backups and verify their integrity.
  • Use a reliable security solution on all corporate devices. For example, Kaspersky Endpoint Security for Business detects ShrinkLocker with the verdicts Trojan.VBS.SAgent.gen, Trojan-Ransom.VBS.BitLock.gen, and Trojan.Win32.Generic.
  • Use EDR (Endpoint Detection and Response) solutions to monitor suspicious activity in your corporate network.
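The protector and label changes described above can be audited from an elevated PowerShell session, which complements the monitoring advice in the list. The script below is an added example, not code from the article or from Kaspersky; it assumes the built-in BitLocker module (Get-BitLockerVolume, Get-Volume) is present and treats an email-shaped volume label as an indicator worth flagging.

```powershell
# Added example (not from the article): audit local volumes for the traits
# ShrinkLocker leaves behind - recovery protectors removed, a numerical
# password as the only protector, and a volume label rewritten to an e-mail
# address. Requires the BitLocker module and an elevated session.
#Requires -RunAsAdministrator

function Get-ShrinkLockerIndicators {
    [CmdletBinding()]
    param()

    # Assumption: a simple pattern is enough to spot an e-mail-shaped label.
    $emailLabel = '^[^@\s]+@[^@\s]+\.[^@\s]+$'
    $findings = @()

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasRecovery = ($types -contains 'RecoveryPassword') -or ($types -contains 'RecoveryKey')
        $passwordOnly = ($types.Count -gt 0) -and (@($types | Where-Object { $_ -ne 'Password' }).Count -eq 0)

        # Get-BitLockerVolume reports the mount point as "C:"; Get-Volume wants "C".
        $label = $null
        $letter = $vol.MountPoint -replace '[:\\]', ''
        if ($letter) {
            $label = (Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue).FileSystemLabel
        }

        $reasons = @()
        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and -not $hasRecovery) {
            $reasons += 'encrypted or encrypting with no recovery protector'
        }
        if ($passwordOnly) { $reasons += 'password protector only' }
        if ($label -and $label -match $emailLabel) { $reasons += "label looks like an e-mail address ($label)" }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                MountPoint   = $vol.MountPoint
                VolumeStatus = $vol.VolumeStatus
                Protectors   = ($types -join ',')
                Label        = $label
                Reasons      = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

# Send the result to a remote share or log collector rather than local disk,
# since the malware clears local PowerShell logs before rebooting.
Get-ShrinkLockerIndicators | Format-Table -AutoSize
```

Run it periodically from a scheduled task or an EDR script runner; a volume that is encrypting with no recovery protector is the earliest point at which the key can still be captured through legitimate means.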
