Ethical Hacking News
Bitdefender has released a free decryptor for ShrinkLocker ransomware victims. The ShrinkLocker malware uses Microsoft's native BitLocker utility to encrypt files as part of extortion attacks. The malware gathers system configuration and operating system information, then attempts to install BitLocker if it's not already installed. ShrinkLocker generates a random password derived from system-specific information, which is uploaded to an attacker-controlled server. Bitdefender's investigation revealed that ShrinkLocker attacks can move laterally through Active Directory domains using compromised credentials. The malware can encrypt multiple systems in as little as 10 minutes per device, making it a significant threat to data protection. Bitdefender has discovered a bug in the ShrinkLocker script that causes it to fail with a "Privilege Not Held" error, preventing automatic reboot attempts.
In a recent development that has sent shockwaves through the cybersecurity community, Romanian cybersecurity company Bitdefender has released a free decryptor for victims of the ShrinkLocker ransomware. This malicious software was first documented in May 2024 by Kaspersky, which revealed its use of Microsoft's native BitLocker utility to encrypt files as part of extortion attacks targeting Mexico, Indonesia, and Jordan.
The ShrinkLocker variant is a modified version of the original, designed to be simple yet effective. It stands out for being written in VBScript, a scripting language that Microsoft has announced will be deprecated starting from the second half of 2024. Instead of implementing its own encryption algorithm, the malware weaponizes BitLocker to achieve its goals.
The ShrinkLocker script is designed to gather information about the system configuration and operating system. It then attempts to check if BitLocker is already installed on a Windows Server machine, and if not, installs it using a PowerShell command. The script performs a "forced reboot" using Win32Shutdown, which can cause significant disruption to the victim's systems.
Despite its simplicity, the ShrinkLocker malware poses a significant threat to data protection. It generates a random password derived from system-specific information such as network traffic, system memory, and disk utilization, which is then uploaded to a server controlled by the attacker. Following the restart, the user is prompted to enter the password to unlock the encrypted drive.
The script also makes several Registry modifications to restrict access to the system by disabling remote RDP connections and turning off local password-based logins. Additionally, it disables Windows Firewall rules and deletes audit files, making it even more difficult for organizations to detect and respond to potential attacks.
Bitdefender's investigation into a ShrinkLocker incident targeting an unnamed healthcare company in the Middle East revealed that the attack likely originated from a machine belonging to a contractor. The threat actor then moved laterally to an Active Directory domain controller by using legitimate credentials for a compromised account, followed by creating two scheduled tasks for activating the ransomware process.
The first task executed a Visual Basic Script ("Check.vbs") that copied the ransomware program to every domain-joined machine. The second task – scheduled for two days later – executed the locally deployed ransomware ("Audit.vbs").
Although ShrinkLocker is designed to target legacy Windows systems, it can encrypt multiple systems within a network in as little as 10 minutes per device. This makes a complete compromise of a domain achievable with very little effort.
In response to this new threat, Bitdefender has released a free decryptor that can help victims recover their data. The company's technical solutions director, Martin Zugec, noted that the decryptor is the result of a comprehensive analysis of ShrinkLocker's inner workings. This allowed researchers to discover a "specific window of opportunity for data recovery immediately after the removal of protectors from BitLocker-encrypted disks."
Zugec also highlighted a bug in the ShrinkLocker script that makes it fail with a "Privilege Not Held" error, leaving the VBScript stuck in an infinite loop after the failed reboot attempt. This means that even if the server is rebooted manually (e.g., by an unsuspecting administrator), the script has no mechanism to resume its execution after the reboot.
To prevent such attacks, organizations are advised to implement proactive monitoring of specific Windows event logs. This can help identify and respond to potential BitLocker attacks in their early stages. Furthermore, configuring BitLocker to store recovery information in Active Directory Domain Services (AD DS) and enforcing the policy "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives" can significantly reduce the risk of BitLocker-based attacks.
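A defender-side audit of the two controls recommended above, written as an added example (it is not code from the article or from Bitdefender): it reads the BitLocker policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE (the value names OSActiveDirectoryBackup and OSRequireActiveDirectoryBackup are assumed from the BitLocker policy template), inventories each volume's key protectors, optionally escrows recovery passwords to AD DS, and lists recent entries from the BitLocker management event channel. The article does not name specific event IDs, so the message-text highlight is a heuristic to tune against your own detection rules.

```powershell
# Added example, not from the article or Bitdefender. Run elevated on a domain-joined host.
#Requires -RunAsAdministrator
param(
    [int]$LookbackHours = 24,   # how far back to read the BitLocker management log
    [switch]$Escrow             # also back up RecoveryPassword protectors to AD DS
)

# 1. Policy check. Value names are assumed from the BitLocker ADMX template; 1 = enabled.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
$backupToAd = if ($pol -and $pol.OSActiveDirectoryBackup -eq 1) { 'Enabled' } else { 'NOT set' }
$requireAd  = if ($pol -and $pol.OSRequireActiveDirectoryBackup -eq 1) { 'Enabled' } else { 'NOT set' }
Write-Host "Save OS-drive recovery info to AD DS:            $backupToAd"
Write-Host "Do not enable BitLocker until stored in AD DS:   $requireAd"

# 2. Protector inventory. A protected volume with no RecoveryPassword protector has
#    nothing the organisation can escrow, so a later protector removal leaves no way back.
foreach ($vol in Get-BitLockerVolume) {
    $types = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    Write-Host ("{0} protection={1} protectors=[{2}]" -f $vol.MountPoint, $vol.ProtectionStatus, $types)
    if ($vol.ProtectionStatus -eq 'On' -and $rp.Count -eq 0) {
        Write-Warning "$($vol.MountPoint): no RecoveryPassword protector, nothing to escrow"
    }
    if ($Escrow) {
        foreach ($p in $rp) {
            # Writes the recovery password to the computer object in AD DS.
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $p.KeyProtectorId -ErrorAction Continue | Out-Null
        }
    }
}

# 3. Recent BitLocker management events. The channel name is the built-in Windows one;
#    the regex only highlights likely protector/encryption changes for a human reader.
$since = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $flag = if ($e.Message -match 'protector|encrypt|recovery') { '!!' } else { '  ' }
    Write-Host ("{0} {1} id={2} {3}" -f $flag, $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0])
}
```

Lines marked `!!` are worth forwarding to the SIEM; the policy lines should both read `Enabled` on every domain-joined server before an incident, not after.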
Related Information:
https://thehackernews.com/2024/11/free-decryptor-released-for-bitlocker.html
Published: Wed Nov 13 10:43:16 2024 by llama3.2 3B Q4_K_M