ShrinkLocker Ransomware Strikes Again: How to Protect Your Data

Washington state was recently hit by a new strain of ransomware known as ShrinkLocker, which abuses the BitLocker encryption feature built into Windows. The variant, identified by researchers at the security firm Kaspersky, uses BitLocker to encrypt victims' data, and infections have been observed in countries such as Mexico, Indonesia, and Jordan.

BitLocker, introduced in 2007 with Windows Vista, is a full-volume encryption feature that lets users encrypt entire drives to protect data from unauthorized access. With the release of Windows 10, BitLocker strengthened its protection by adopting 128-bit and 256-bit XTS-AES, a mode that defeats attacks which manipulate ciphertext to produce predictable changes in the plaintext.

ShrinkLocker takes its name not only from its use of BitLocker but also from the way it shrinks non-boot partitions by 100 MB and creates new primary partitions of the same size in the freed space. The ransomware operates stealthily through VBScript files that gather information about the operating system, perform disk resizing according to the OS version detected, and disable the protectors meant to safeguard the BitLocker encryption key.

To protect against attacks like ShrinkLocker, Kaspersky recommends implementing robust endpoint protection, utilizing Managed Detection and Response (MDR) services, storing BitLocker recovery keys securely, restricting user privileges, enabling network traffic logging, monitoring VBS and PowerShell execution events, making frequent offline backups, and testing them regularly. These measures can help organizations detect and prevent ransomware attacks leveraging BitLocker.
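One way to act on the "monitor VBS and PowerShell execution events" advice is to correlate the behaviour chain described above (script-host execution, partition resizing, BitLocker key-protector tampering) on a single host. The following is an added illustration, not code from Kaspersky or the article; the event field names, command-line patterns and sample records are constructed assumptions, and a script that resizes volumes through WMI rather than diskpart would need WMI or ETW telemetry instead of process-creation logs.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumption: the chain completes quickly on one host

# Each stage: (name, predicate over lowercased image path and command line).
# The command-line patterns are illustrative assumptions, not verified signatures.
STAGES = (
    ("vbs_exec", lambda img, cmd: img.endswith(("wscript.exe", "cscript.exe")) and ".vbs" in cmd),
    ("disk_resize", lambda img, cmd: img.endswith("diskpart.exe") or " shrink " in f" {cmd} "),
    ("bde_tamper", lambda img, cmd: img.endswith("manage-bde.exe") and "-protectors" in cmd
     and ("-disable" in cmd or "-delete" in cmd)),
)

def classify(event):
    """Return the stage name an event matches, or None if it is uninteresting."""
    img, cmd = event["image"].lower(), event["cmdline"].lower()
    for name, pred in STAGES:
        if pred(img, cmd):
            return name
    return None

def correlate(events):
    """Alert once per host when all stages appear in order within WINDOW."""
    seen, alerts = {}, []          # seen: host -> {stage: first timestamp}
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = classify(ev)
        if stage is None:
            continue
        hits = seen.setdefault(ev["host"], {})
        hits.setdefault(stage, ev["time"])
        ts = [hits.get(name) for name, _ in STAGES]
        if all(ts) and ts == sorted(ts) and ts[-1] - ts[0] <= WINDOW:
            alerts.append({"host": ev["host"], "stages": dict(hits)})
            del seen[ev["host"]]   # fire once per chain, then start over
    return alerts

# Constructed process-creation records (not real telemetry); field names are assumed.
T0 = datetime(2024, 5, 1, 9, 0)
SAMPLE_EVENTS = [
    {"time": T0, "host": "ws01", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Public\disk.vbs"},
    {"time": T0 + timedelta(minutes=2), "host": "ws01", "image": r"C:\Windows\System32\diskpart.exe",
     "cmdline": r"diskpart.exe /s C:\Users\Public\shrink.txt"},
    {"time": T0 + timedelta(minutes=5), "host": "ws01", "image": r"C:\Windows\System32\manage-bde.exe",
     "cmdline": "manage-bde.exe -protectors -disable D:"},
    # Benign: an administrator suspending protectors alone, with no script or resize
    {"time": T0, "host": "ws02", "image": r"C:\Windows\System32\manage-bde.exe",
     "cmdline": "manage-bde.exe -protectors -disable C:"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields a single alert for `ws01`; the lone protector suspension on `ws02` stays below the alert threshold, which is the point of correlating the stages rather than alerting on any one of them.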

At a time when cyber threats are evolving rapidly, it is crucial for organizations and individuals to stay vigilant and proactive in securing their data. By following best practices and maintaining a strong defense against ransomware, users can reduce the risk posed by malicious actors who turn legitimate operating-system features into tools for unauthorized data encryption.