ShrinkLocker Uses Windows BitLocker Utility To Infect Computers

by Esmeralda McKenzie

Hackers abuse the Windows BitLocker tool because the utility offers a powerful way to selectively encrypt access to a system or its files, which lets them lock users out.

Attackers can use BitLocker to encrypt the victim’s files, making them inaccessible without the key. They then demand money before revealing the key, which effectively turns the tool into ransomware.

Kaspersky’s analysis of “ShrinkLocker” shows that it cleverly leverages Windows’ built-in BitLocker full-disk encryption to lock victims out of their files.

After encrypting the local drives, it shrinks the drive partitions by 100MB to create its own boot partition, disables the BitLocker recovery keys, and sends the encryption key to the attackers.

On reboot, victims see the usual BitLocker password prompt but can no longer access their system, and the drive labels have been changed to the attacker’s e-mail ransom address in place of a conventional ransom note.

ShrinkLocker has blocked access to the drive with BitLocker (Source: Kaspersky)

ShrinkLocker is a sophisticated VBScript ransomware program that is used to gather information on the OS version, prepare the drives by shrinking their partitions, and modify the Windows registry so that BitLocker encrypts the drives as specified by the attacker.

Additionally, it disables the recovery keys, enables a password protector in their place, generates a password to be used for encrypting the drive, and then uses it to encrypt the drive.

The next step is sending this password and system information back to the attacker’s C2 server through a Cloudflare subdomain, erasing itself from the compromised computers, clearing all logs, and restarting the machines so that victims are left at the BitLocker prompt with no way to retrieve their files.
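As an added defensive example (not from the article or from Kaspersky’s report), the following PowerShell audits a Windows host for the indicators the description above implies: a BitLocker volume that has a password protector but no recovery-password protector, volume labels that look like an e-mail address, basic partitions of roughly 100MB that may be newly carved off, and the FVE policy value EnableBDEWithNoTPM, which is a standard Windows BitLocker policy value assumed here rather than named in the article. It assumes an elevated session on a host with the BitLocker PowerShell module.

```powershell
# Audit-BitLockerTampering.ps1 (added example, not the article's or Kaspersky's code)
# Run elevated. Collects findings consistent with the ShrinkLocker behaviour above.

$findings = @()

# 1. Encrypted (or encrypting) volumes protected only by a password, with the
#    recovery password removed: the article says the malware disables recovery
#    keys and adds its own password protector.
foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ($vol.VolumeStatus -ne 'FullyDecrypted' -and
        ($types -contains 'Password') -and
        -not ($types -contains 'RecoveryPassword')) {
        $findings += "$($vol.MountPoint): password protector present, recovery password missing"
    }
}

# 2. Volume labels that look like an e-mail address (the ransom contact is
#    written into the drive label instead of a ransom note).
foreach ($v in Get-Volume | Where-Object { $_.FileSystemLabel }) {
    if ($v.FileSystemLabel -match '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        $findings += "Volume $($v.DriveLetter): label looks like an e-mail address ($($v.FileSystemLabel))"
    }
}

# 3. Basic partitions of roughly 100MB with no drive letter. This is a
#    heuristic: legitimate system partitions can be this size, so compare the
#    result against a known-good baseline for the machine.
foreach ($p in Get-Partition | Where-Object {
        $_.Type -eq 'Basic' -and $_.Size -ge 90MB -and $_.Size -le 110MB -and -not $_.DriveLetter }) {
    $mb = [math]::Round($p.Size / 1MB)
    $findings += "Disk $($p.DiskNumber) partition $($p.PartitionNumber): ~$mb MB basic partition, check against baseline"
}

# 4. BitLocker policy allowing encryption without a TPM, a precondition for
#    password-only protection of the OS volume. EnableBDEWithNoTPM is a
#    standard FVE policy value (assumed here; the article names no registry values).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (Test-Path $fve) {
    $pol = Get-ItemProperty -Path $fve
    if ($pol.EnableBDEWithNoTPM -eq 1) {
        $findings += "Policy ${fve}: EnableBDEWithNoTPM=1 (BitLocker allowed without TPM)"
    }
}

if ($findings.Count -eq 0) { 'No ShrinkLocker-style indicators found.' } else { $findings }
```

Feed the output into your EDR or SIEM alongside the VBS/PowerShell and HTTP POST logging the article recommends, so that a hit can be correlated with the script execution that caused it.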

Attacks have already been reported in Indonesia, Jordan, and Mexico.

Recommendations

The recommended mitigations are as follows:

  • Enforce least privilege, restricting the ability to modify the registry or enable full-disk encryption.
  • Enable logging of HTTP POST requests for network traffic monitoring and possible detection of password and key exfiltration.
  • Monitor and log VBS and PowerShell activity, and store the logs externally, since the malware may delete local logs.
  • Regularly back up files to offline storage.
  • Deploy professional endpoint security solutions.
  • Use EDR to monitor and respond to suspicious endpoint activity.

Source credit : cybersecuritynews.com