Kaspersky uncovers new BitLocker-abusing ransomware

Woburn, MA – May 23, 2024 – Kaspersky has identified ransomware attacks using Microsoft’s BitLocker to attempt encryption of corporate files. According to researchers, the threat actors remove the recovery options to prevent the files from being restored and use a malicious script with a new feature that can detect specific Windows versions and enable the BitLocker accordingly. The incidents with this ransomware, dubbed “ShrinkLocker,” and its variants were observed in Mexico, Indonesia, and Jordan. The perpetrators targeted companies in steel and vaccine manufacturing, as well as a government entity.

According to Kaspersky’s Global Emergency Response team, the threat actors are using VBScript – a programming language used to automate tasks on Windows computers – to create a malicious script with previously unreported features to maximize the damage of the attack. The novelty is that the script checks the current version of Windows installed on the system and enables the BitLocker features accordingly. In this way, the script is believed to be able to infect new and legacy systems back to Windows Server 2008.

If the OS version is suitable for the attack, the script alters the boot settings and attempts to encrypt the whole drives using BitLocker. It establishes a new boot partition, essentially setting up a separate section on the computer’s drive containing the files for booting the operating system. This action is aimed at locking the victim out at a later stage. The attackers also delete the protectors used to secure BitLocker’s encryption key so that the victim can’t recover them.

The malicious script then sends information about the system and the encryption key generated on the compromised computer to the server controlled by the threat actor. Afterward, it covers its tracks by deleting logs and various files that might aid in investigating an attack.

As a final step, the malware forces a shutdown of the system – a capability facilitated by the creation and reinstallation of files in a separate boot partition. The victim sees the BitLocker screen with the message: “There are no more BitLocker recovery options on your PC”.

The message appearing on the victim’s screen after forced system shutdown

Kaspersky dubbed the script "ShrinkLocker," since this name highlights the critical procedure of partition resizing, which was essential for the attacker to ensure the system booted correctly with the encrypted files.

“What is particularly concerning about this case is that BitLocker, originally designed to mitigate the risks of data theft or exposure, has been repurposed by adversaries for malicious ends,” said Cristian Souza, incident response specialist at Kaspersky Global Emergency Response Team. “It’s a cruel irony that a security measure has been weaponized in this way. For companies using BitLocker, it’s crucial to ensure strong passwords and secure storage of recovery keys. Regular backups, kept offline and tested, are also essential safeguards.”

The incident’s detailed technical analysis is available on Securelist. Kaspersky experts recommend the following mitigation measures to prevent attackers from exploiting the feature described in the report:

·       Use robust, properly configured security software to detect threats that try to abuse BitLocker. Implement Managed Detection and Response (MDR) to proactively seek out threats.

·       Limit user privileges to prevent unauthorized enabling of encryption features or modification of registry keys.

·       Enable network traffic logging and monitoring, capturing both GET and POST requests, as infected systems may transmit passwords or keys to attacker domains.

·       Monitor for VBScript and PowerShell execution events, saving logged scripts and commands to an external repository for activity retention despite local erasure

 

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help over 220,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.