Romanian cybersecurity company Bitdefender has released a free decryptor to help victims recover data encrypted using the ShrinkLocker ransomware.
The decryptor is the result of a comprehensive analysis of ShrinkLocker's inner workings, allowing the researchers to discover a "specific window of opportunity for data recovery immediately after the removal of protectors from BitLocker-encrypted disks."
ShrinkLocker was first documented in May 2024 by Kaspersky, which found the malware's use of Microsoft's native BitLocker utility for encrypting files as part of extortion attacks targeting Mexico, Indonesia, and Jordan. It appears to have been adapted from benign ten-year-old code.
Bitdefender, which investigated a ShrinkLocker incident targeting an unnamed healthcare company in the Middle East, said the attack likely originated from a machine belonging to a contractor, once again highlighting how threat actors are increasingly abusing trusted relationships to infiltrate the supply chain.
In the next stage, the threat actor moved laterally to an Active Directory domain controller by making use of legitimate credentials for a compromised account, followed by creating two scheduled tasks for activating the ransomware process.
While the first task executed a Visual Basic Script ("Check.vbs") that copied the ransomware program to every domain-joined machine, the second task – scheduled for two days later — executed the locally deployed ransomware ("Audit.vbs").
The attack, Bitdefender said, successfully encrypted systems running Windows 10, Windows 11, Windows Server 2016, and Windows Server 2019. That said, the ShrinkLocker variant used is said to be a modified version of the original version.
Described as simple yet effective, the ransomware stands out for the fact that it's written in VBScript, a scripting language that Microsoft said is being deprecated starting the second half of 2024. Plus, instead of implementing its own encryption algorithm, the malware weaponizes BitLocker to achieve its goals.
The script is designed to gather information about the system configuration and operating system, after which it attempts to check if BitLocker is already installed on a Windows Server machine, and if not, installs it using a PowerShell command and then performs a "forced reboot" using Win32Shutdown.
But Bitdefender said it noted a bug that causes this request to fail with a "Privilege Not Held" error, causing the VBScript to be stuck in an infinite loop due to an unsuccessful reboot attempt.
"Even if the server is rebooted manually (e.g. by an unsuspecting administrator), the script does not have a mechanism to resume its execution after the reboot, meaning that the attack may be interrupted or prevented," Martin Zugec, technical solutions director at Bitdefender, said.
The cybersecurity vendor told The Hacker News that the bug is present in all variants of ShrinkLocker, but that it only manifests in certain older operating systems.
"This loop is triggered in the cases when BitLocker is not installed," it said. "The script will try to install it, succeed, but then get stuck in a loop waiting for reboot. BitLocker is installed (not enabled/configured) on all client operating systems, so this impacts only older versions of server OS."
The ransomware script is also designed to generate a random password that's derived from system-specific information, such as network traffic, system memory, and disk utilization, using it to encrypt the system's drives. This is done so in an attempt to resist brute-force attempts.
The unique password is then uploaded to a server controlled by the attacker. Following the restart, the user is prompted to enter the password to unlock the encrypted drive. The BitLocker screen is also configured to display the threat actor's contact email address to initiate the payment in exchange for the password.
That's not all. The script makes several Registry modifications to restrict access to the system by disabling remote RDP connections and turning off local password-based logins. As part of its cleanup efforts, it also disables Windows Firewall rules and deletes audit files.
Bitdefender further pointed out that the name ShrinkLocker is misleading as the namesake functionality is limited to legacy Windows systems and that it doesn't actually shrink partitions on current operating systems.
"By using a combination of Group Policy Objects (GPOs) and scheduled tasks, it can encrypt multiple systems within a network in as little as 10 minutes per device," Zugec noted. "As a result, a complete compromise of a domain can be achieved with very little effort."
"Proactive monitoring of specific Windows event logs can help organizations identify and respond to potential BitLocker attacks, even in their early stages, such as when attackers are testing their encryption capabilities."
"By configuring BitLocker to store recovery information in Active Directory Domain Services (AD DS) and enforcing the policy "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives," organizations can significantly reduce the risk of BitLocker-based attacks."
(The story was updated after publication to include additional responses from Bitdefender.)