2024-09-05 SHRINKLOCKER (Bitlocker) Ransomware Samples
ShrinkLocker is a newly discovered ransomware strain that abuses BitLocker, a legitimate Windows feature, to encrypt data and lock users out of their systems. Unlike traditional ransomware, ShrinkLocker leverages BitLocker's secure boot partition to make decryption extremely challenging. The malware begins by identifying the operating system and determining whether the host is a suitable target. It then modifies key system registry settings, particularly those related to Remote Desktop Protocol (RDP) and the Trusted Platform Module (TPM), to suit its objectives. After disabling BitLocker key protectors, ShrinkLocker shrinks the non-boot partitions by 100MB, formats these partitions, and reconfigures the boot files to destabilize the system, potentially rendering it irreparable. The malware also exfiltrates data to a command-and-control server and attempts to erase traces of its activity by deleting logs, firewall rules, and scheduled tasks.
32f31b35179bbff9ca9dd21b43bfc3e585baafedde523bd3e4869400ab0362cb Dim oShell.txt (vba)
7662aeae889c350bdabdcc89ccc4c117e0fffdc06933dd7058946fa74a0842bb run.vbs