Ethical Hacking News
New ShrinkLocker ransomware decryptor: A breakthrough in restoring BitLocker passwords has been made by researchers at Bitdefender, giving victims new hope of recovering their data from the malware.
Bitdefender has released a decryptor tool that can recover the BitLocker password set by the ShrinkLocker ransomware. ShrinkLocker uses Windows' built-in BitLocker drive encryption to lock victims' files, which makes it harder to detect and remove. The malware was repurposed from a benign ten-year-old codebase written in VBScript, and its operators appear to be low-skilled, relying on readily available tools and techniques. The decryptor is run from a USB drive connected to the impacted system, allowing users to recover their data. It only works on Windows 10, Windows 11, and recent Windows Server versions, and decryption may take some time depending on the system's hardware and the complexity of the encryption.
In a significant development for cybersecurity experts and individuals affected by the ShrinkLocker ransomware attack, researchers at Bitdefender have released a decryptor tool that can recover BitLocker passwords. This breakthrough is particularly welcome news for organizations and individuals who have fallen victim to the ShrinkLocker malware, which has caused widespread disruption and financial loss.
The ShrinkLocker ransomware strain was discovered in May 2024 by researchers at Kaspersky, a leading cybersecurity company. The malware is known for its unconventional approach to encryption: it uses Windows' built-in BitLocker drive encryption tool to lock victims' files. Leveraging an existing, legitimate encryption mechanism makes the malware harder to detect and remove.
According to Bitdefender's analysis, ShrinkLocker appears to have been repurposed from a benign ten-year-old codebase written in VBScript. The researchers note that the malware integrates features that maximize damage during an attack, yet its script also contains redundant code and typos and leaves behind reconnaissance logs in the form of text files. These logs provide valuable insight into the attackers' tactics and techniques.
However, it is worth noting that ShrinkLocker's operators appear to be low-skilled, relying on readily available tools and techniques. Despite this, they have carried out successful attacks on corporate targets, including a notable incident against a healthcare organization. In that attack, the operators encrypted Windows 10, Windows 11, and Windows Server devices across the network, including backups, resulting in significant downtime and potential difficulties in providing patient care.
ShrinkLocker encrypts drives with Windows BitLocker using a randomly generated password that is sent to the attacker. The script first runs a Windows Management Instrumentation (WMI) query to check whether BitLocker is available on the target system, installing the feature if it is not present. It then removes the default protections that guard against accidental drive encryption and uses the '-UsedSpaceOnly' option so that only the occupied space on the disk is encrypted, which speeds up the process.
The script also deletes and reconfigures all of the drive's BitLocker protectors (the TPM, PIN, recovery password, and similar key protectors), leaving only the attacker-controlled password. Removing the existing protectors is intended to make it impossible for the victim to unlock or decrypt the drive without the attackers' password.
To propagate, ShrinkLocker uses Group Policy Objects (GPOs) and scheduled tasks, modifies Group Policy settings on Active Directory domain controllers, and creates tasks for all domain-joined machines to ensure the encryption of all drives on the compromised network. After rebooting, victims see a BitLocker password screen that also includes the attackers' contact details.
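A defender's counterpart to the protector wipe described above, as an added example that is not Bitdefender's decryptor or any code from the article: this PowerShell audit (assumed to run on a Windows 10/11 or Server host with the built-in BitLocker module, and with Active Directory key escrow permitted by policy for the Backup-BitLockerKeyProtector step) lists each volume's protectors, flags volumes that have lost their recovery password or that carry only a password protector, and escrows surviving recovery passwords so a later protector deletion does not leave the organization without a key.

```powershell
# Added example, not part of the original article or Bitdefender's tool.
# Assumes the BitLocker PowerShell module (Get-BitLockerVolume, Backup-BitLockerKeyProtector)
# and, for the escrow step, a domain-joined host whose policy allows AD key backup.
function Test-BitLockerProtectorHealth {
    param(
        [string[]]$MountPoints = (Get-BitLockerVolume | Select-Object -ExpandProperty MountPoint)
    )
    foreach ($mp in $MountPoints) {
        $vol   = Get-BitLockerVolume -MountPoint $mp
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasRecovery  = $types -contains 'RecoveryPassword'
        # A volume whose only protector is a Password matches the end state the article
        # describes: every original protector removed, one attacker-chosen password left.
        $passwordOnly = ($types.Count -gt 0) -and
                        (@($types | Where-Object { $_ -ne 'Password' }).Count -eq 0)
        [pscustomobject]@{
            MountPoint      = $mp
            VolumeStatus    = $vol.VolumeStatus
            Protectors      = ($types -join ',')
            MissingRecovery = -not $hasRecovery
            PasswordOnly    = $passwordOnly
        }
    }
}

# Report the findings; MissingRecovery or PasswordOnly set to True warrants investigation.
$findings = Test-BitLockerProtectorHealth
$findings | Format-Table -AutoSize

# Escrow every recovery password that still exists to Active Directory, so the key
# survives even if the protectors on the endpoint are later deleted.
foreach ($f in ($findings | Where-Object { -not $_.MissingRecovery })) {
    $vol = Get-BitLockerVolume -MountPoint $f.MountPoint
    foreach ($kp in ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
        Backup-BitLockerKeyProtector -MountPoint $f.MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}
```

Running the audit from a scheduled task or endpoint management tool turns a sudden PasswordOnly or MissingRecovery result into an early signal, before the reboot that shows victims the attackers' password screen.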
In response to this growing threat, researchers at Bitdefender have developed a decryptor tool that can reverse the sequence in which ShrinkLocker deletes and reconfigures BitLocker's protectors. This breakthrough allows them to recover the password set by the attacker, making it possible to reverse the encryption process and bring the drives back to their previous, unencrypted state.
The decryptor is run from a USB drive connected to the impacted system. When the BitLocker recovery screen appears, users should enter BitLocker Recovery Mode and skip all steps to reach Advanced options, which provides a command prompt from which the decryption tool can be launched.
While this development is significant, it is essential to note that the time needed to decrypt data depends on the system's hardware and the complexity of the encryption, and it may take a while. The decryptor only works on Windows 10, Windows 11, and recent Windows Server versions, and it is most effective when used shortly after the ransomware attack.
In conclusion, the release of the ShrinkLocker decryptor tool by Bitdefender represents a significant breakthrough in the fight against this growing threat. By providing a new tool for victims to recover their data, researchers are taking an important step towards mitigating the impact of this malware. It is essential for individuals and organizations to remain vigilant and implement robust cybersecurity measures to prevent falling victim to such attacks.
Related Information:
https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-decryptor-recovers-bitlocker-password/
Published: Wed Nov 13 08:52:51 2024 by llama3.2 3B Q4_K_M