'ShrinkLocker' ransomware uses BitLocker against you — encryption-craving malware has already been used against governments

Dallin Grimm
·3 min read
BitLocker hardware encryption tested.
BitLocker hardware encryption tested.

BitLocker has been weaponized again by the new "ShrinkLocker" ransomware attack. The attack uses novel methods to make a classic BitLocker attack more pervasive and dangerous than ever before, and it has already been used against governments and manufacturing industries.

Kaspersky, known for its Kaspersky Anti-Virus and class-leading malware research, identified the new strain in Mexico, Indonesia, and Jordan, so far only against enterprise PCs. Attacks using BitLocker, an optional Windows feature that encrypts PC hard drives commonly used in the enterprise world, are not new. But ShrinkLocker is unique thanks to new innovations.

ShrinkLocker uses VBScript, an old Windows programming script set to deprecate starting with Windows 11 24H2, to identify the specific Windows OS used by the host PC. A malicious script then runs through BitLocker setup specific to the operating system, and enables BitLocker accordingly on any PC running Vista or Windows Server 2008 or newer. If the OS is too old, ShrinkLocker deletes itself without a trace.

ShrinkLocker then shrinks all drive partitions by 100MB and uses the stolen space to create a new boot partition, hence "Shrink" Locker. ShrinkLocker also deletes all protectors used to secure the encryption key, making it unrecoverable by the victim later. The script creates a new random 64-character encryption key, sends it and other information about the computer to the attacker, deletes the logs that stored ShrinkLocker's activity, and finally forces a shut-down of the PC, using the newly created boot partition to fully lock and encrypt all drives on the PC. The PC and every byte of data on it is now fully unusable.

The attack leaves its targets floundering, with bricks for hard drives. The creator of the ShrinkLocker attack must have had an "extensive understanding" of a variety of obscure Windows internals and utilities to craft the attack, which left almost no trace. Kaspersky's experts could not find any way to identify the source of the attack or the source where information was sent, but they did find the ShrinkLocker script left behind on the single drive of one affected PC that did not have BitLocker configured.

For a ransomware attack, the attacker also did not make it easy to find where to send the ransom in question. The script changes the name of the new boot partitions to the attacker's email, but this requires more digging to spot than simply editing the BitLocker recovery screen, an easy enough task for a hacker of this caliber. This makes it likely that the attack is focused more on disruption and data destruction than ransom.

IT professionals will already be familiar with mitigation steps for these attacks: Make frequent backups, restrict users' editing privileges so they cannot edit their BitLocker settings or registries, and seek out high-level EPP or MDR solutions to track and secure your network. Kaspersky obviously suggests their own products for this in their technical report on the attack.

For the full details of the attack and the ShrinkLocker script, Kaspersky has a full technical analysis. While BitLocker is currently only a feature of "Pro" or enterprise Windows releases, Microsoft will enable BitLocker for all users starting with Windows 11 24H2, and automatically activate it on reinstallation, so beware of BitLocker attacks making a move to the individual PC world.