'ShrinkLocker' ransomware uses BitLocker against you — encryption-craving malware has already been used against governments

BitLocker hardware encryption tested
(Image credit: Microsoft)

BitLocker has been weaponized again by the new "ShrinkLocker" ransomware attack. The attack uses novel methods to make a classic BitLocker attack more pervasive and dangerous than ever before, and it has already been used against governments and manufacturing industries. 

Kaspersky, known for its Kaspersky Anti-Virus and class-leading malware research, identified the new strain in Mexico, Indonesia, and Jordan, so far only on enterprise PCs. Attacks using BitLocker, an optional Windows feature that encrypts PC hard drives and is commonly used in the enterprise world, are not new, but ShrinkLocker stands out because of its new techniques.

ShrinkLocker uses VBScript, an aging Windows scripting language that Microsoft is deprecating starting with Windows 11 24H2, to identify the specific Windows version running on the host PC. A malicious script then runs through the BitLocker setup appropriate to that operating system and enables BitLocker on any PC running Windows Vista or Windows Server 2008 or newer. If the OS is too old, ShrinkLocker deletes itself without a trace.

ShrinkLocker then shrinks each drive partition by 100MB and uses the freed space to create a new boot partition, hence the "Shrink" in its name. It also deletes all protectors used to secure the encryption key, so the victim cannot recover it later. The script creates a new random 64-character encryption key, sends it and other information about the computer to the attacker, deletes the logs that recorded ShrinkLocker's activity, and finally forces a shutdown of the PC, using the newly created boot partition to fully lock and encrypt all drives on the machine. The PC and every byte of data on it are now unusable.

The attack leaves its targets floundering, with bricks for hard drives. The creator of ShrinkLocker must have had an "extensive understanding" of a variety of obscure Windows internals and utilities to craft an attack that left almost no trace. Kaspersky's experts could not find any way to identify the source of the attack or the destination the stolen information was sent to, but they did find the ShrinkLocker script left behind on the single drive of one affected PC that did not have BitLocker configured.

For a ransomware attack, the attacker also did not make it easy to find where to send the ransom. The script changes the label of the new boot partition to the attacker's email address, but spotting that takes more digging than reading a modified BitLocker recovery screen, which would have been an easy enough edit for an attacker of this caliber. This makes it likely that the attack is focused more on disruption and data destruction than on ransom.

IT professionals will already be familiar with the mitigation steps for these attacks: make frequent backups, restrict users' privileges so they cannot edit BitLocker settings or the registry, and deploy EPP or MDR solutions to monitor and secure the network. Kaspersky obviously suggests its own products for this in its technical report on the attack.

For the full details of the attack and the ShrinkLocker script, see Kaspersky's full technical analysis. While BitLocker is currently only a feature of "Pro" and enterprise Windows editions, Microsoft will enable BitLocker for all users starting with Windows 11 24H2 and automatically activate it on reinstallation, so beware of BitLocker attacks making a move to the individual PC world.

Dallin Grimm
Contributing Writer

Dallin Grimm is a contributing writer for Tom's Hardware. He has been building and breaking computers since 2017, serving as the resident youngster at Tom's. From APUs to RGB, Dallin has a handle on all the latest tech news. 

  • JamesJones44
    Why isn't BitLocker a root level operation? I'll never understand why Microsoft can't get basic user level vs root level execution right. Setting up BitLocker should be a root level operation, requiring a root password to execute (or I guess in Windows' case a popup).
  • Alvar "Miles" Udell
    If only Microsoft would poach the age old Linux security measure of requiring the administrator password before changes are made (annoying, but quite secure)...Though any enterprise level system should be set up to be run with a very limited user account anyway which would prevent this as well...
  • randomizer
    If the OS is too old, ShrinkLocker deletes itself without a trace.

    At least the attacker is tidy.
  • USAFRet
    Alvar Miles Udell said:
    If only Microsoft would poach the age old Linux security measure of requiring the administrator password before changes are made (annoying, but quite secure)...Though any enterprise level system should be set up to be run with a very limited user account anyway which would prevent this as well...
    "requiring the administrator password before changes are made"

    What changes?
  • Sleepy_Hollowed
    I feel like this might become a huge thing since they required everyone to have TPM and Bitlocker for Windows 11 and beyond.
  • rluker5
    At least a vital component of this attack, VBScript, is getting deprecated at the same time BitLocker is becoming default enabled.
  • CmdrShepard
    A malicious script then runs through BitLocker setup specific to the operating system, and enables BitLocker accordingly on any PC running Vista or Windows Server 2008 or newer.
    If I am not mistaken you can't change BitLocker settings if you don't have admin rights.
  • I think that, to bypass BitLocker, "ShrinkLocker" appears to have modified several registry entries related to BitLocker and system security. These changes allowed it to turn on BitLocker, even if the device lacks a Trusted Platform Module chip.

    If I'm NOT mistaken, and after going through the original findings by the researchers, these attackers were able to deploy and run an advanced VBS script that took advantage of BitLocker for unauthorized file encryption.

    The script added the following registry entries. If the script detects an error, it then restarts the system.
    fDenyTSConnections = 1: disables RDP connections;
    scforceoption = 1: enforces smart card authentication;
    UseAdvancedStartup = 1: requires the use of the BitLocker PIN for pre-boot authentication;
    EnableBDEWithNoTPM = 1: allows BitLocker without a compatible TPM chip;
    UseTPM = 2: allows the use of TPM if available;
    UseTPMPIN = 2: allows the use of a startup PIN with TPM if available;
    UseTPMKey = 2: allows the use of a startup key with TPM if available;
    UseTPMKeyPIN = 2: allows the use of a startup key and PIN with TPM if available;
    EnableNonTPM = 1: allows BitLocker without a compatible TPM chip, requires a password or startup key on a USB flash drive;
    UsePartialEncryptionKey = 2: requires the use of a startup key with TPM;
    UsePIN = 2: requires the use of a startup PIN with TPM.
    The malware also seems to disable the protectors used to secure BitLocker's encryption key and deletes them.

    Having completed the deletion, it enables the use of a numerical password as a protector and the encryption feature.

    https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/22153931/Bitlocker_abuse_12.png

    It appears the hack successfully recovers the BitLocker keys, generates a random password, and then this information is sent back to the attacker(s).

    As shown here, the code has actually converted the previously generated encryption key to a secure string—a PowerShell option that prevents creating a string object in memory—and then effectively enables BitLocker on the drives.
    https://i.imgur.com/L801bKe.png

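As an added example that is not part of the article or of any comment in this thread: a read-only PowerShell audit that checks a host for the registry values listed in the comment above and for the protector state the article describes (volumes whose original protectors have been removed and replaced by a lone password, with no recovery password left to escrow). The page gives only the value names; the registry key paths used here are assumptions based on the standard Windows locations for those values, and the output tagging (HIGH/INFO) is this example's own convention.

```powershell
# Added example, not code from the article, the commenters, or Kaspersky's report.
# Read-only audit of the local host. Run from an elevated PowerShell session.
# Registry paths are assumed (standard Windows locations); the page lists value names only.

$findings = New-Object System.Collections.Generic.List[string]

function Add-RegFinding {
    param(
        [string]$Path,
        [string]$Name,
        [int]$BadValue,
        [string]$Meaning,
        [switch]$HighSignal
    )
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }                 # value absent: nothing to report
    $current = $item.$Name -as [int]
    if ($current -ne $BadValue) { return }          # value present but not the flagged setting
    $tag = if ($HighSignal) { 'HIGH' } else { 'INFO' }
    $findings.Add("[$tag] $Name = $current ($Path): $Meaning")
}

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'     # BitLocker group-policy key (assumed path)

# High signal: these allow BitLocker to be enabled on a machine with no TPM, which the
# comment above identifies as what let the script encrypt TPM-less hosts.
Add-RegFinding $fve 'EnableBDEWithNoTPM' 1 'BitLocker allowed without a compatible TPM' -HighSignal
Add-RegFinding $fve 'EnableNonTPM'       1 'legacy policy: BitLocker allowed without a TPM' -HighSignal

# Informational: legitimate hardening often sets these too, so record rather than alert.
Add-RegFinding $fve 'UseAdvancedStartup' 1 'pre-boot authentication required'
foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN', 'UsePartialEncryptionKey', 'UsePIN') {
    Add-RegFinding $fve $name 2 'TPM startup option set to 2'
}
Add-RegFinding 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections' 1 'RDP connections disabled'
Add-RegFinding 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'scforceoption' 1 'smart-card logon enforced'

# Protector check: the article says the script deletes the existing protectors before
# encrypting with a newly generated password. A volume with protectors but no
# RecoveryPassword is exactly the unrecoverable state worth catching early.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        if ($types.Count -eq 0) { continue }       # no protectors configured on this volume
        if ($types -notcontains 'RecoveryPassword') {
            $findings.Add("[HIGH] $($vol.MountPoint): protectors [$($types -join ', ')] with no recovery password; volume status $($vol.VolumeStatus)")
        }
    }
} else {
    $findings.Add('[INFO] BitLocker PowerShell module not available; volume protector check skipped')
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The registry half compares each value against the setting the commenter lists, so a host that matches on the two no-TPM values should be compared against your own GPO baseline before anyone treats it as a compromise. The protector half is the more useful signal on a managed fleet: if recovery passwords are escrowed to AD or Entra ID by policy, any encrypted volume that suddenly has none is an anomaly regardless of how it got that way, and the check costs nothing to run from an EDR or RMM job.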
  • hannibal
    ... Should I turn off the internet connection...
    This is big!
  • Alvar "Miles" Udell
    USAFRet said:
    "requiring the administrator password before changes are made"

    What changes?
    Any changes. Installing software, changing system settings, even installing system updates requires the administrator password.