A new ransomware is hijacking Windows BitLocker to encrypt and steal files

News
By
published

New ransomware strain is creating new boot volumes

Ransomware
Image credit: Shutterstock (Image credit: Shutterstock)

Cybersecurity researchers have uncovered a new ransomware strain that abuses Windows BitLocker to lock victims out of their devices.

As reported by BleepingComputer, Kaspersky dubbed the new ransomware ShrinkLocker because once it hits, it shrinks available non-boot partitions by 100 MB and creates new primary boot volumes of the same size. Then it uses BitLocker, a full disk encryption feature included with some versions of Microsoft Windows, to encrypt the files on the target endpoint. 

It has so far been seen hitting government agencies, and firms in manufacturing and pharmaceuticals.

Maximum damage

For the uninitiated, BitLocker is a legitimate Windows feature, designed to protect data by providing encryption for entire volumes.

ShrinkLocker is not the first ransomware variant that uses BitLocker to encrypt the systems. BleepingComputer stressed that a hospital in Belgium was struck with a ransomware strain that used BitLocker to encrypt 100TB of data on 40 servers, and in 2022, a meat producer and distributor in Russia called Miratorg Holding, suffered a similar fate. 

But ShrinkLocker also comes "with previously unreported features to maximize the damage of the attack," Kaspersky warned.

Among other things, the encryptor does not drop a ransom note, which is standard practice. Instead, it labels new boot partitions as email addresses, likely inviting the victims to try and communicate that way.

Furthermore, following the successful encryption, the ransomware will delete all BitLocker protectors, denying the victims any options to recover the BitLocker encryption key. The only person(s) holding the key are the attackers, which obtain it through TryCloudflare. This is also a legitimate tool, which developers use to test CloudFlare’s tunnel, without needing to add a site to CloudFlare’s DNS.

So far, the unnamed threat actors compromised systems belonging to steel and vaccine manufacturing organizations in Mexico, Indonesia, and Jordan.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.