Free Decryptor Released for ShrinkLocker Ransomware Victims

Romanian cybersecurity company Bitdefender has developed a free decryptor to help victims recover their data encrypted by the ShrinkLocker ransomware. The decryptor, which is based on a comprehensive analysis of ShrinkLocker’s inner workings, allows researchers to identify a “window of opportunity” for data recovery immediately after removing protectors from BitLocker-encrypted disks.

ShrinkLocker was first discovered in May 2024 by Kaspersky, and since then, multiple attacks have been reported targeting Mexico, Indonesia, Jordan, and other regions. The malware uses Microsoft’s native BitLocker utility to encrypt files as part of extortion attacks.

Bitdefender investigated a ShrinkLocker incident that targeted an unnamed healthcare company in the Middle East and was likely carried out from a contractor’s machine. The attack involved using legitimate credentials for a compromised account, followed by creating scheduled tasks to activate the ransomware process.

The ShrinkLocker variant is a modified version of the original and stands out for being written in VBScript, a language that Microsoft said will be deprecated starting 2024. Instead of implementing its own encryption algorithm, the malware uses BitLocker to achieve its goals.

The script attempts to gather information about the system configuration and operating system, then installs BitLocker if it’s not already present on a Windows Server machine. However, this request fails with a “Privilege Not Held” error, causing an infinite loop.

To mitigate this issue, users can manually reboot their systems before the script runs; even then, the ransomware may still be interrupted or prevented.

The ShrinkLocker ransomware generates a random password derived from system-specific information and uses it to encrypt system drives. The password is then uploaded to an attacker-controlled server. Following the restart, users are prompted to enter the password to unlock their encrypted drive.
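The recovery window described above depends on protectors being removed from a BitLocker volume and a new password taking their place. A defender can watch for exactly that change. The following is an added example, not code from the article or from Bitdefender: it snapshots each volume’s key protectors into a JSON baseline and, on later runs, reports protectors that disappeared or appeared since that baseline. The baseline path is an assumption made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Bitdefender). First run writes a
# baseline of BitLocker key protectors per volume; later runs diff against it.
# Needs the BitLocker PowerShell module (Windows 8 / Server 2012 or later).
param(
    [string]$BaselinePath = "$env:ProgramData\bitlocker-baseline.json"  # assumed location
)

function Get-ProtectorSnapshot {
    # One record per volume: protection state plus the set of "Type:Id" protector strings.
    foreach ($vol in Get-BitLockerVolume) {
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus.ToString()
            Protectors       = @($vol.KeyProtector | ForEach-Object {
                                   "$($_.KeyProtectorType):$($_.KeyProtectorId)" })
        }
    }
}

$current = @(Get-ProtectorSnapshot)

if (-not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    return
}

$baseline = @(Get-Content $BaselinePath -Raw | ConvertFrom-Json)
$findings = foreach ($now in $current) {
    $was = $baseline | Where-Object MountPoint -eq $now.MountPoint
    if (-not $was) { "$($now.MountPoint): volume not in baseline"; continue }

    # Protectors present at baseline but gone now: the "remove protectors" step.
    foreach ($p in $was.Protectors) {
        if ($p -notin $now.Protectors) { "$($now.MountPoint): protector removed $p" }
    }
    # Protectors that did not exist at baseline, e.g. a password the host owner never set.
    foreach ($p in $now.Protectors) {
        if ($p -notin $was.Protectors) { "$($now.MountPoint): protector added $p" }
    }
    if ($now.ProtectionStatus -ne $was.ProtectionStatus) {
        "$($now.MountPoint): protection $($was.ProtectionStatus) -> $($now.ProtectionStatus)"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "No protector changes since baseline" }
```

Run it once from a known-good state to create the baseline, then on a schedule; any "protector removed" or "protector added" warning on a volume nobody reconfigured deserves an immediate look.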

Bitdefender has warned that the script makes several Registry modifications to restrict access to the system and disables Windows Firewall rules. It also deletes audit files and sets up a contact email address for payment in exchange for the password.

The company notes that the ShrinkLocker name is misleading, as it doesn’t actually shrink partitions on current operating systems. Instead, it can encrypt multiple systems within a network in just 10 minutes per device using Group Policy Objects (GPOs) and scheduled tasks.

Source: https://thehackernews.com/2024/11/free-decryptor-released-for-bitlocker.html