
New ShrinkLocker ransomware uses BitLocker to encrypt your files
2024-05-24 14:59

A new ransomware strain called ShrinkLocker creates a new boot partition to encrypt corporate systems using Windows BitLocker.

Ransomware using BitLocker to encrypt computers is not new.

In September 2022, Microsoft warned that an Iranian state-sponsored attacker utilized BitLocker to encrypt systems running Windows 10, Windows 11, or Windows Server 2016 and newer.

If the target matches the requirements for the attack, the malware uses the Windows diskpart utility to shrink every non-boot partition by 100 MB and splits the unallocated space into new primary volumes of the same size.

Kaspersky researchers say that in Windows 2008 and 2012, ShrinkLocker ransomware first saved the boot files along with the index of the other volumes.

The key is delivered through the TryCloudflare tool, a legitimate service that lets developers experiment with Cloudflare Tunnel without adding a site to Cloudflare's DNS. In the final stage of the attack, ShrinkLocker forces the system to shut down so that all the changes take effect, leaving the user with the drives locked and no BitLocker recovery options.
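For defenders, the three behaviours described above (diskpart activity, a TryCloudflare connection, a forced shutdown) can be correlated per host. The following is an added example, not code from the article or from Kaspersky; the event format, host names and 30-minute window are assumptions, and the sample telemetry is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article): time, host, kind, detail.
SAMPLE_EVENTS = """\
2024-05-24T09:00:05 WS-014 process diskpart.exe
2024-05-24T09:01:10 WS-014 dns constructed-sample-name.trycloudflare.com
2024-05-24T09:04:02 WS-014 shutdown forced
2024-05-24T09:10:00 WS-020 process diskpart.exe
2024-05-24T13:00:00 WS-020 dns another-sample.trycloudflare.com
2024-05-24T17:00:00 WS-020 shutdown forced
2024-05-24T10:00:00 WS-031 dns nottrycloudflare.com
2024-05-24T10:00:30 WS-031 process diskpart.exe
"""

REQUIRED = {"diskpart", "trycloudflare", "shutdown"}

def classify(kind, detail):
    """Map one event to a behaviour named in the article, or None."""
    detail = detail.lower().rstrip(".")
    if kind == "process" and detail.rsplit("\\", 1)[-1] == "diskpart.exe":
        return "diskpart"
    # Match the domain or any subdomain, but not look-alikes such as nottrycloudflare.com.
    if kind == "dns" and ("." + detail).endswith(".trycloudflare.com"):
        return "trycloudflare"
    if kind == "shutdown":
        return "shutdown"
    return None

def parse(text):
    """Yield (timestamp, host, kind, detail) from whitespace-separated lines."""
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]

def detect(text, window=timedelta(minutes=30)):
    """Return {host: first event time} where all three behaviours fall in one window."""
    hits = {}
    for ts, host, kind, detail in sorted(parse(text)):
        tag = classify(kind, detail)
        if tag:
            hits.setdefault(host, []).append((ts, tag))
    alerts = {}
    for host, seq in hits.items():
        for i, (start, _) in enumerate(seq):
            if {t for ts, t in seq[i:] if ts - start <= window} == REQUIRED:
                alerts[host] = start
                break
    return alerts
```

Each behaviour is common on its own in legitimate administration, which is why the example alerts only when all three occur on the same host inside the window.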


News URL

https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/