Kaspersky experts identify new ransomware using BitLocker to encrypt company data

Kaspersky has identified ransomware attacks that abuse Microsoft's BitLocker to encrypt corporate files. The attackers remove the recovery options so that the files cannot be restored, and they use a malicious script with a previously unseen feature: it detects the specific Windows version installed and enables BitLocker in a way that suits that version. Incidents linked to this ransomware, dubbed “ShrinkLocker”, and its variants have been observed in Mexico, Indonesia and Jordan. The perpetrators targeted steel and vaccine manufacturing companies, as well as a government entity.

The threat actors use VBScript – a scripting language used to automate tasks on Windows computers – to build a malicious script with never-before-seen features that maximize the attack's damage, reports the Kaspersky Global Emergency Response Team. What is new is that the script checks the version of Windows installed on the system and enables BitLocker features accordingly. In this way, the script is intended to work on both current and legacy systems, going as far back as Windows Server 2008.

If the operating system version is suitable for the attack, the script modifies the boot settings and attempts to encrypt the entire drives with BitLocker. It establishes a new boot partition, essentially creating a separate section on the computer's drive that holds the files needed to boot the operating system. This step is what later locks the victim out. The attackers also remove the protectors that secure BitLocker's encryption key, so that the victim has no way to recover it.

The malicious script then sends system information and the encryption key generated on the compromised computer to a server controlled by the threat actor. It then covers its tracks by deleting logs and various other files that would serve as clues during an investigation of the attack.

As a final step, the malware forces a system shutdown – an ability aided by the files it created and installed in the separate boot partition. The victim then sees the BitLocker screen with the message: “There are no more BitLocker recovery options on your PC.”

The message appearing on the victim's screen after a forced system shutdown

Kaspersky dubbed the script “ShrinkLocker”, as the name highlights the critical partition resizing procedure, which was essential for the attacker to ensure the system booted correctly with the encrypted files.

“What is particularly concerning about this case is that BitLocker, originally designed to mitigate the risk of data theft or exposure, has been repurposed by adversaries for malicious purposes. It is a cruel irony that a security measure has been weaponized in this way. For businesses using BitLocker, ensuring strong passwords and secure storage of recovery keys is crucial. Regular backups, kept offline and tested, are also essential guarantees,” explains Cristian Souza, Incident Response Specialist on Kaspersky's Global Emergency Response Team.
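The attack chain above hinges on two conditions a defender can audit for: a BitLocker volume whose recovery protectors have been stripped, and recovery keys that were never escrowed anywhere the attacker cannot delete them. The following PowerShell audit is an added example, not code from Kaspersky or from the ShrinkLocker script; it relies on the standard BitLocker module cmdlets (Get-BitLockerVolume, Backup-BitLockerKeyProtector) and assumes an elevated session on a domain-joined host where Group Policy permits backing recovery passwords up to Active Directory.

```powershell
# Added example (not from the article): flag BitLocker volumes that have no
# recovery-password protector and, on request, escrow existing recovery
# passwords to Active Directory so a deleted local protector is not fatal.
# Assumptions: BitLocker PowerShell module present, run as administrator,
# AD DS backup allowed by policy (hypothetical environment).

#Requires -RunAsAdministrator

function Test-BitLockerRecoveryPosture {
    [CmdletBinding()]
    param(
        # When set, copy every recovery password to the computer's AD object.
        [switch]$BackupToAD
    )

    $findings = @()
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        $finding = [pscustomobject]@{
            MountPoint         = $vol.MountPoint
            VolumeStatus       = $vol.VolumeStatus
            ProtectionStatus   = $vol.ProtectionStatus
            ProtectorTypes     = (@($vol.KeyProtector.KeyProtectorType) -join ',')
            RecoveryProtectors = $recovery.Count
            Risk               = 'OK'
        }

        # An encrypted volume with no recovery password is the state the
        # attack leaves behind: if the remaining protectors are removed or the
        # boot configuration is changed, the owner has no way back in.
        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $recovery.Count -eq 0) {
            $finding.Risk = 'NO-RECOVERY-PROTECTOR'
        }

        if ($BackupToAD) {
            foreach ($rp in $recovery) {
                # Stores the password under the computer object in AD DS, out of
                # reach of anything running only on the endpoint.
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $rp.KeyProtectorId | Out-Null
            }
        }

        $findings += $finding
    }
    return $findings
}

# Report first; add -BackupToAD once the output looks right.
Test-BitLockerRecoveryPosture | Format-Table -AutoSize
```

Run the report on a schedule and treat any NO-RECOVERY-PROTECTOR row, or a volume whose protector list shrinks between runs, as an incident rather than a configuration drift; the escrowed copy in AD is what makes the offline, tested backups the article recommends actually usable when the endpoint's own recovery options are gone.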
