A decryptor for the ShrinkLocker ransomware has been released by Bitdefender following months of concern from incident responders about attacks involving the malware. 

Bitdefender published a lengthy research blog alongside the decryptor explaining in detail how the ransomware works. The strain uses Microsoft’s BitLocker to encrypt files and then removes recovery options. 

“ShrinkLocker is a novel ransomware strain that leverages a unique approach to encrypt systems. By exploiting BitLocker, a legitimate Windows feature, it can rapidly encrypt entire drives, including system drives,” the company explained. 

The company’s work began with an investigation into an incident involving a healthcare company in the Middle East in which the attackers targeted an unmanaged device before moving laterally within the system and deploying ShrinkLocker. 

The ransomware strain emerged earlier this year when researchers at several companies warned that the relatively crude tool was being used by cybercriminals. Kaspersky observed the ransomware in May targeting organizations in Mexico, Indonesia and Jordan, affecting industries including steel and vaccine manufacturing, as well as a government entity.

“Unlike most modern ransomware, which relies on sophisticated encryption algorithms, ShrinkLocker takes a simpler, more unconventional approach,” Bitdefender said.

“It first checks if BitLocker is enabled and, if not, installs it. Then, it re-encrypts the system using a randomly generated password.” 

Upon rebooting, the user is asked to enter the password in order to unlock the drive, at which point the attacker’s contact is displayed, with directions to pay a ransom in exchange for a decryption key. 

In some instances, the ransomware can encrypt multiple systems within 10 minutes per device, according to Bitdefender. 

The simplicity of the tool has made it attractive to lower-level cybercriminals disinterested in taking part in larger ransomware-as-a-service operations. The barrier to entry for using and modifying ShrinkLocker is relatively low, the researchers said, making it accessible to a wider range of attackers. 

“Our analysis shows that ShrinkLocker malware is being adapted by multiple individual threat actors for simpler attacks, rather than being distributed through a ransomware-as-a-service (RaaS) model,” they said. 

The ransomware is built to be executed on legacy systems like Windows 7 and 8 or Windows Server 2008 and 2012.

When it emerged in May, Kaspersky’s Cristian Souza warned in a press release that BitLocker was originally designed to mitigate the risks of data theft or exposure.

Microsoft said two years ago that an Iranian state-sponsored threat group abused the BitLocker Windows feature in attacks, and other cybercriminals have also been caught using similar techniques. 

“It’s a cruel irony that a security measure has been weaponized in this way,” Souza said. 

Over the last two years, Bitdefender has released decryptors for the LockerGoga, MortalKombat and MegaCortex ransomware strains.