Bitdefender has released a new decryptor for the ‘ShrinkLocker’ ransomware strain, allowing victims to recover files encrypted with Windows’ built-in BitLocker drive encryption tool. The malware was discovered in May 2024 and uses outdated techniques to lock victims’ files.
ShrinkLocker lacks sophistication compared to other ransomware families but integrates features that maximize damage. Its operators seem low-skilled, leaving behind reconnaissance logs and relying on readily available tools. Despite this, the threat actor has carried out successful attacks on corporate targets, including a recent attack on a healthcare organization.
In that attack, ShrinkLocker encrypted Windows 10, Windows 11, and Windows Server devices across the network, including backups, in just 2.5 hours. The organization lost access to critical systems and potentially faced difficulties in providing patient care.
Bitdefender’s decryptor can help ShrinkLocker victims recover their files by reversing the sequence in which the malware deletes and reconfigures BitLocker protectors. The tool uses a specific window of opportunity for data recovery immediately after the removal of protectors from BitLocker-encrypted disks.
To use the decryptor, ShrinkLocker victims need to download it to a USB drive connected to the impacted system. When the BitLocker recovery screen appears, users should enter BitLocker Recovery Mode and skip all steps to get to Advanced options, which provide a command prompt from which the decryption tool can be launched.
However, the decryptor only works on Windows 10, Windows 11, and recent Windows Server versions, and its effectiveness depends on when it is used in relation to the ransomware attack.
Source: https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-decryptor-recovers-bitlocker-password