Bitdefender has released a free decryption tool to help victims recover data encrypted by the ShrinkLocker ransomware. The tool does not break BitLocker itself; it relies on a flaw the researchers found in how ShrinkLocker drives BitLocker, which leaves a window for recovering data immediately after the ransomware removes the protectors from a BitLocker-encrypted disk.
Understanding ShrinkLocker’s Operation
First described by Kaspersky in May 2024, ShrinkLocker has hit organizations in Mexico, Indonesia, and Jordan. What sets it apart is that it does not ship its own encryption code: it drives Microsoft's built-in BitLocker to encrypt the disks, a trusted, signed Windows component that is already present and already allowed to run in most enterprise environments, which is exactly why it is so effective there.
Bitdefender's investigation, which focused on an attack on a healthcare organization in the Middle East, found that the intrusion began through a compromised contractor's system, a reminder that third-party access is part of the supply-chain attack surface. The attackers then worked in two stages: first they took over an Active Directory domain controller with stolen credentials, then they created two scheduled tasks on it to run the encryption script across the domain.
Technical Analysis and Implementation
What makes ShrinkLocker unusual is that it is written in VBScript, a scripting language Microsoft has announced it is deprecating in phases beginning in 2024. The script works across multiple Windows versions, including Windows 10, Windows 11, and Windows Server 2016 and 2019.
Attack Sequence
- System configuration assessment
- BitLocker installation verification
- Random password generation based on system metrics
- Drive encryption using the generated password
- Registry modifications to restrict system access
Notable Vulnerabilities and Protection Measures
Despite its effectiveness, the script has a notable bug. When the forced reboot it triggers fails with a "Privilege Not Held" error, the ransomware falls into an infinite loop; an attack stalled this way gives defenders a chance to spot and interrupt it before the volumes are fully locked.
Bitdefender's technical solutions director, Martin Zugec, notes that although the ransomware encrypts machines quickly (roughly 10 minutes per device), organizations can reduce both the likelihood and the impact of an attack by:
- Monitoring Windows event logs for suspicious BitLocker activity, in particular key protectors being removed, encryption starting on volumes that should not be changing, and failed recovery-information backups
- Configuring BitLocker to store recovery information in Active Directory Domain Services, so a recovery password exists somewhere the attacker cannot delete it
- Enforcing the policy that BitLocker may not be enabled until that recovery information has been stored in AD DS
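The three measures above, turned into a PowerShell audit script. This is an added example written for this page; it is not Bitdefender's decryptor, not ShrinkLocker's code, and not from either vendor's report. It assumes a domain-joined host running PowerShell 5.1 or later with the BitLocker and ScheduledTasks modules, an English-locale event log, a 24-hour look-back window, the default BitLocker log name `Microsoft-Windows-BitLocker/BitLocker Management` (provider `Microsoft-Windows-BitLocker-API`), and the registry value names that the BitLocker Group Policy settings write under `HKLM\SOFTWARE\Policies\Microsoft\FVE`; the message patterns used to flag events are heuristics, not Microsoft-documented identifiers.

```powershell
#Requires -RunAsAdministrator
# Added audit script (not Bitdefender's or Kaspersky's code). Run it on domain-joined
# hosts, starting with the domain controllers, since that is where ShrinkLocker's
# scheduled tasks were created. Everything marked "assumption" should be checked
# against your own estate.

$Since       = (Get-Date).AddHours(-24)   # assumption: 24 hours is enough look-back
$BitLockerLog = 'Microsoft-Windows-BitLocker/BitLocker Management'   # assumption: default log name
$Fve         = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. Policy: "Save BitLocker recovery information to AD DS" and "Do not enable
#    BitLocker until recovery information is stored to AD DS" land as DWORDs under
#    the FVE policy key, prefixed OS (system drives), FDV (fixed) and RDV (removable).
function Get-FveEscrowPolicy {
    $props = Get-ItemProperty -Path $Fve -ErrorAction SilentlyContinue
    foreach ($prefix in 'OS', 'FDV', 'RDV') {
        [pscustomobject]@{
            DriveClass         = $prefix
            BackupToADDS       = ($props."${prefix}ActiveDirectoryBackup" -eq 1)
            RequireBackupFirst = ($props."${prefix}RequireActiveDirectoryBackup" -eq 1)
        }
    }
}

# 2. Volumes: every BitLocker-enabled volume should have a RecoveryPassword protector
#    that has been escrowed to AD DS. Backup-BitLockerKeyProtector re-pushes it (safe
#    to repeat). With -Remediate a missing protector is created before escrow.
function Test-BitLockerEscrow {
    param([switch]$Remediate)
    foreach ($vol in Get-BitLockerVolume | Where-Object VolumeStatus -ne 'FullyDecrypted') {
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0 -and $Remediate) {
            Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
            $rp = @((Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                    Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
        $escrowed = $false
        foreach ($p in $rp) {
            try {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
                $escrowed = $true
            } catch {
                Write-Warning "$($vol.MountPoint): AD DS backup failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            MountPoint            = $vol.MountPoint
            VolumeStatus          = $vol.VolumeStatus
            RecoveryPasswordCount = $rp.Count      # zero is what ShrinkLocker leaves behind
            EscrowedToADDS        = $escrowed
        }
    }
}

# 3. Event log: recent BitLocker management events whose text points at protector
#    removal, a fresh encryption, or a failed recovery-information backup. Event IDs
#    vary across Windows builds, so this matches on message text (assumption: English
#    locale). To see the IDs your build emits, run:
#    (Get-WinEvent -ListProvider Microsoft-Windows-BitLocker-API).Events
function Get-SuspiciousBitLockerEvents {
    $pattern = '(?i)(protector.*(removed|deleted))|(encryption.*(started|began))|(failed to back ?up)'
    Get-WinEvent -FilterHashtable @{ LogName = $BitLockerLog; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# 4. Scheduled tasks: ShrinkLocker is VBScript launched from scheduled tasks, so any
#    task whose action runs wscript/cscript or references a .vbs file deserves a look.
function Get-ScriptScheduledTasks {
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object {
            $_.Execute -match '(?i)(w|c)script(\.exe)?"?$' -or $_.Arguments -match '(?i)\.vbs'
        }
    } | Select-Object TaskName, TaskPath, State,
        @{ n = 'Command'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
}

Get-FveEscrowPolicy           | Format-Table -AutoSize
Test-BitLockerEscrow          | Format-Table -AutoSize
Get-SuspiciousBitLockerEvents | Format-Table -AutoSize -Wrap
Get-ScriptScheduledTasks      | Format-Table -AutoSize -Wrap
```

Run the script as-is for a read-only report; call `Test-BitLockerEscrow -Remediate` only after confirming the host is domain-joined and the escrow policy is in place, since an unescrowed recovery password adds nothing if the attacker can delete it locally. The event-log check is a starting point, not a signature: confirm which event IDs your build raises for protector removal and alert on those IDs directly rather than on message text. On the domain controller side, the escrowed passwords are stored as `msFVE-RecoveryInformation` child objects of the computer account, which can be enumerated with `Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' }` to verify that every BitLocker-enabled machine actually has one.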