Attackers exploited BitLocker feature in Windows OS for unauthorized file encryption and ransom demands.
Targeted industries include steel manufacturing, vaccine manufacturing, and a government entity.
Reports from security firm Kaspersky and the news outlet The Register detail the attacks.
In recent cybersecurity incidents, attackers have exploited the BitLocker feature built into Windows operating systems for unauthorized file encryption and ransom demands. A technical analysis from security firm Kaspersky and coverage by The Register detail such attacks, which targeted various industries including steel manufacturing, vaccine manufacturing, and a government entity.
ShrinkLocker is a newly discovered ransomware that uses the BitLocker feature built into the Windows operating system for encryption.
Researchers from Kaspersky discovered ShrinkLocker abusing BitLocker to encrypt data on systems located in Mexico, Indonesia, and Jordan.
Once installed on a device, ShrinkLocker runs a VBScript that checks the operating system version and performs disk resizing operations on local, fixed drives.
Decrypting the drives without the attacker-held key is difficult and in many cases likely impossible, because the password the script generates incorporates values that differ on each infected device.
Accuracy
ShrinkLocker then disables protections designed to secure the BitLocker encryption key and enables the use of a numerical password for encrypting system data.
The operators of ShrinkLocker targeted steel, vaccine manufacturing companies, and a government entity.
ShrinkLocker uses VBScript to determine the operating system version on a victim’s machine before encrypting its storage.
It modifies registry entries to disable remote desktop connections or enable BitLocker encryption on hosts without a Trusted Platform Module (TPM).
Deception (100%)
None Found At Time Of Publication
Fallacies (95%)
There are no explicit fallacies in the article. However, there is an appeal to authority and a few instances of inflammatory rhetoric.
. . . researchers from security firm Kaspersky found a threat actor using BitLocker to encrypt data on systems located in Mexico, Indonesia, and Jordan.
In 2022, Microsoft reported that ransomware attackers with a nexus to Iran also used the tool to encrypt files.
Miratorg was attacked by ransomware that used BitLocker to encrypt files residing in the system storage of infected devices.
Attackers have found creative ways to bypass defensive features and accomplish their goals using the operating system's own features.
BitLocker, a native feature of Windows operating systems used for data encryption, has been repurposed by attackers for unauthorized file encryption and ransom demands.
In a recent incident response engagement, the attackers were able to deploy and run an advanced VBS script that took advantage of BitLocker for unauthorized file encryption.
This is not the first time attackers have used BitLocker for encrypting drives and demanding a ransom.
Accuracy
In a recent incident response engagement, the attackers were able to deploy and run an advanced VBS script that took advantage of BitLocker for unauthorized file encryption.
This is not the first time attackers have used BitLocker for encrypting drives and demanding a ransom.
ShrinkLocker uses VBScript to determine the operating system version on a victim’s machine before encrypting its storage.
ShrinkLocker is a new ransomware strain that encrypts corporate systems using Windows BitLocker.
It has been used to target a government entity and companies in the vaccine and manufacturing sectors.
The malware uses the Windows diskpart utility to shrink every non-boot partition by 100 MB and splits the unallocated space into new primary volumes of the same size.
It modifies registry entries to disable remote desktop connections or enable BitLocker encryption on hosts without a Trusted Platform Module (TPM).
The threat actor behind ShrinkLocker provides a contact email address instead of dropping a ransom file.
After encrypting the drives, the threat actor deletes the BitLocker protectors to deny the victim any option to recover BitLocker’s encryption key.
ShrinkLocker leaves no recovery options and forces the system to shut down for all changes to take effect.
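The two summaries above (the Kaspersky-derived list earlier on this page and the Bleeping Computer points just before this) describe the same set of host changes: a policy value that lets BitLocker run without a TPM, a registry change that denies remote desktop connections, volumes encrypted with a numerical (recovery) password whose protectors are then deleted, and non-boot partitions shrunk by 100 MB to make room for new primary partitions. The following PowerShell is an added audit example, not ShrinkLocker's script and not code from Kaspersky or any of the quoted articles; it reads those indicators on a Windows host. The function name, the finding strings and the -ExpectRdpEnabled switch are this example's own; the registry locations, the Get-BitLockerVolume and Get-Partition cmdlets and their properties are standard Windows ones.

```powershell
# Added audit example (not the ShrinkLocker script, not Kaspersky's code).
# Read-only: it reports indicators and changes nothing. Run elevated.

function Test-BitLockerAbuseIndicators {
    [CmdletBinding()]
    param(
        # Pass this when RDP is normally enabled on the host; otherwise a
        # disabled-RDP finding is just noise in the environment.
        [switch]$ExpectRdpEnabled
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Policy that permits BitLocker on a host without a TPM, so that a
    #    numerical password alone can protect the OS volume.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if ($fve -and $fve.EnableBDEWithNoTPM -eq 1) {
        $findings.Add('FVE policy EnableBDEWithNoTPM=1: BitLocker permitted without a TPM')
    }

    # 2. Remote desktop denied at the Terminal Server key (fDenyTSConnections=1).
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    if ($ExpectRdpEnabled -and $ts -and $ts.fDenyTSConnections -eq 1) {
        $findings.Add('fDenyTSConnections=1: remote desktop connections are denied')
    }

    # 3. BitLocker volume state. An encrypted volume with no key protectors, or
    #    with only a recovery (numerical) password protector, cannot be unlocked
    #    by the owner once that password is gone.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        foreach ($vol in Get-BitLockerVolume -ErrorAction SilentlyContinue) {
            if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }
            $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
            if ($types.Count -eq 0) {
                $findings.Add("$($vol.MountPoint): encrypted ($($vol.VolumeStatus)) with no key protectors")
            } elseif (-not ($types | Where-Object { $_ -ne 'RecoveryPassword' })) {
                $findings.Add("$($vol.MountPoint): protected only by a numerical (recovery) password")
            }
        }
    }

    # 4. Partition layout heuristic: 100 MB partitions that are neither the
    #    system (EFI / System Reserved) partition nor the Microsoft Reserved
    #    partition. A 100 MB ESP is normal, so those are excluded.
    foreach ($part in Get-Partition -ErrorAction SilentlyContinue) {
        if ($part.Size -eq 100MB -and -not $part.IsSystem -and $part.Type -ne 'Reserved') {
            $findings.Add("Disk $($part.DiskNumber) partition $($part.PartitionNumber): unexpected 100 MB $($part.Type) partition")
        }
    }

    return $findings
}

# Usage: print each finding as a warning, or confirm a clean host.
$result = Test-BitLockerAbuseIndicators -ExpectRdpEnabled
if ($result.Count) { $result | ForEach-Object { Write-Warning $_ } } else { 'No indicators found' }
```

The partition check is deliberately a heuristic: it will also flag any legitimately created 100 MB data partition, so treat a hit there as something to correlate with the registry and protector findings rather than as proof on its own. A volume reported with no key protectors is the strongest single indicator, because Windows does not leave encrypted volumes in that state by itself.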
Accuracy
ShrinkLocker uses the Windows diskpart utility to shrink every non-boot partition by 100 MB and splits the unallocated space into new primary volumes of the same size.
Deception (50%)
The article provides information about a new ransomware strain called ShrinkLocker that uses Windows BitLocker to encrypt corporate systems. The author provides details on the features of the malware and how it operates. However, there is no direct evidence in the article that suggests the author is attempting to deceive readers. The information provided appears to be factual and sourced from Kaspersky's technical analysis of ShrinkLocker.
The threat actor behind ShrinkLocker does not drop a ransom file to establish a communication channel with the victim.
Fallacies (95%)
The author provides detailed information about the new ShrinkLocker ransomware and how it uses BitLocker to encrypt files. There are no explicit fallacies found in the article. However, there is an appeal to authority when Kaspersky's findings and analysis are mentioned. This does not affect the score significantly as it is a valid use of authority in this context.
Kaspersky says that ShrinkLocker comes ‘with previously unreported features to maximize the damage of the attack.’
In September 2022, Microsoft warned that an Iranian state-sponsored attacker utilized BitLocker to encrypt systems running Windows 10, Windows 11, or Windows Server 2016 and newer.
ShrinkLocker ransomware attack weaponizes BitLocker against users.
ShrinkLocker was found to be used against governments and manufacturing industries.
Accuracy
Researchers from Kaspersky discovered ShrinkLocker abusing BitLocker to encrypt data on systems located in Mexico, Indonesia, and Jordan.
The operators of ShrinkLocker targeted steel, vaccine manufacturing companies, and a government entity.
Deception (80%)
The article by Dallin Grimm contains several instances of sensationalism and selective reporting. The title itself is sensational, implying that the ShrinkLocker ransomware is a new and unprecedented threat when in fact BitLocker attacks are not uncommon. The author also selectively reports on the impact of the ShrinkLocker attack, focusing on its use against governments and manufacturing industries without mentioning that it has only been identified in three countries so far. Additionally, the author makes editorializing statements such as 'the attack is focused more on disruption and data destruction than ransom' which goes beyond reporting facts.
For the full details of the attack and the ShrinkLocker script, Kaspersky has a full technical analysis.
The attack uses novel methods to make a classic BitLocker attack more pervasive and dangerous than ever before, and it has already been used against governments and manufacturing industries.
Fallacies (85%)
The article contains a few informal fallacies and an example of inflammatory rhetoric. It also uses the term 'encryption-craving' as a loaded phrase, but does not directly quote any specific individual or entity.
. . . the new strain in Mexico, Indonesia, and Jordan, so far only against enterprise PCs.
ShrinkLocker then shrinks all drive partitions by 100 MB and uses the stolen space to create a new boot partition, hence "Shrink" Locker.
The attack leaves its targets floundering, with bricks for hard drives. The creator of the ShrinkLocker attack must have had an "extensive understanding" of a variety of obscure Windows internals and utilities to craft the attack, which left almost no trace.
For a ransomware attack, the attacker also did not make it easy to find where to send the ransom in question.