2024/05/24 13:43:20

ShrinkLocker (ransomware virus)

2024: The emergence of the virus

Enterprises and government agencies in Russia are being attacked by a new ransomware virus called ShrinkLocker. The malware uses BitLocker, the encryption tool built into Windows. Kaspersky Lab reported this in May 2024.

To distribute the new ransomware, the attackers developed a malicious script written in VBScript. The script checks which version of Windows is installed on the device and activates BitLocker functionality accordingly. The malware can infect both new and old versions of the OS, as far back as Windows Server 2008, Kaspersky Lab experts said.

Message that appears on the victim's screen after blocking access to the system (source: Kaspersky Lab)

According to them, the script can change the OS boot parameters and then attempts to encrypt the hard drive partitions using BitLocker. A new boot partition is created so that the encrypted computer can be booted later. The attackers also remove the security tools used to protect the BitLocker encryption key so that the user cannot recover them later.

The malicious tool then sends information about the system and the encryption key generated on the infected computer to the attacker's server. After that, it covers its tracks: it deletes logs and various files that could help in investigating the attack.

The last step is that the virus forcibly blocks access to the system. The victim sees a message on the screen: "There are no BitLocker recovery options on your computer."
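The stages described above can be correlated in process-creation telemetry. The following is an added example, not code from Kaspersky Lab or from the original article. It assumes the stages surface as a script host (wscript.exe or cscript.exe) launching the standard Windows utilities bcdedit, diskpart, manage-bde and wevtutil, which the article does not name; the events are constructed.

```python
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # hosts that run VBScript

# Article stage -> child command-line pattern. The mapping to these
# utilities is an assumption of this example, not taken from the article.
STAGES = {
    "boot_config_change": re.compile(r"\bbcdedit(\.exe)?\b", re.I),
    "partition_change": re.compile(r"\bdiskpart(\.exe)?\b", re.I),
    "bitlocker_enable": re.compile(r"\bmanage-bde(\.exe)?\b.*\s-on\b", re.I),
    "protector_removal": re.compile(
        r"\bmanage-bde(\.exe)?\b.*-protectors\b.*-delete\b", re.I),
    "log_clearing": re.compile(r"\bwevtutil(\.exe)?\b.*\s(cl|clear-log)\b", re.I),
}

def correlate(events, window=600, min_stages=3):
    """Return {host: stages} where one script-host process launched at least
    min_stages distinct stages within `window` seconds."""
    seen = defaultdict(list)  # (host, parent pid) -> [(timestamp, stage)]
    for ev in events:
        if ev["parent"].lower() not in SCRIPT_HOSTS:
            continue  # only children of a script host are of interest here
        for stage, pattern in STAGES.items():
            if pattern.search(ev["cmd"]):
                seen[(ev["host"], ev["ppid"])].append((ev["ts"], stage))
    alerts = {}
    for (host, _ppid), hits in seen.items():
        hits.sort()
        for i, (start, _stage) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - start <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts

def ev(ts, host, ppid, parent, cmd):
    return {"ts": ts, "host": host, "ppid": ppid, "parent": parent, "cmd": cmd}

SAMPLE = [  # constructed events, not real telemetry
    ev(0, "ws-01", 4120, "wscript.exe", "diskpart /s layout.txt"),
    ev(40, "ws-01", 4120, "wscript.exe", "bcdedit /set {default} description x"),
    ev(95, "ws-01", 4120, "wscript.exe", "manage-bde -protectors -delete C:"),
    ev(130, "ws-01", 4120, "wscript.exe", "manage-bde.exe -on C:"),
    ev(300, "ws-01", 4120, "wscript.exe", "wevtutil cl Security"),
    ev(10, "adm-07", 880, "powershell.exe", "manage-bde -status"),  # admin check
    ev(20, "ws-02", 512, "cscript.exe", "bcdedit /enum"),  # single stage only
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

A script that drives BitLocker through WMI instead of these command-line tools would not appear in this telemetry, so the rule complements rather than replaces monitoring of BitLocker state changes.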

According to Konstantin Sapronov, head of Kaspersky Lab's global computer incident response team, BitLocker, originally created to prevent unauthorized access to data, has now become a weapon in the hands of cybercriminals.[1]

Notes