Free decryptor released for BitLocker-based ShrinkLocker Ransomware victims
Romanian cybersecurity company Bitdefender has released a free decryptor to help victims recover data encrypted using the ShrinkLocker ransomware.

The decryptor is the result of a comprehensive analysis of ShrinkLocker’s inner workings, allowing researchers to discover “a specific window of opportunity for recovering data immediately after removing the protectors from BitLocker-encrypted drives.”

ShrinkLocker was first documented in May 2024 by Kaspersky, which found that the malware was using Microsoft’s native BitLocker utility to encrypt files as part of extortion attacks targeting Mexico, Indonesia and Jordan.

Bitdefender, which investigated a ShrinkLocker incident targeting an unnamed healthcare company in the Middle East, said the attack likely originated from a machine belonging to a contractor, highlighting once again how threat actors are increasingly abusing trust relationships to infiltrate the supply chain.

In the next step, the threat actor moved laterally to an Active Directory domain controller using the legitimate credentials for a compromised account, followed by the creation of two scheduled tasks to activate the ransomware process.

While the first task executed a Visual Basic Script (“Check.vbs”) that copied the ransomware program to every domain-joined machine, the second task, scheduled for two days later, executed the locally deployed ransomware (“Audit.vbs”).

The attack, Bitdefender said, successfully encrypted systems running Windows 10, Windows 11, Windows Server 2016 and Windows Server 2019. That said, the ShrinkLocker variant used is said to be a modified version of the original.

Described as simple but effective, the ransomware is notable for being written in VBScript, a scripting language that Microsoft said is deprecated starting in the second half of 2024. Additionally, instead of implementing its own encryption algorithm, the malware uses BitLocker to achieve its goals.

The script is designed to collect system configuration and operating system information, then checks whether BitLocker is already installed on a Windows Server machine and, if not, installs it using a PowerShell command and then performs a “forced restart” using Win32Shutdown.

But Bitdefender said it spotted a bug that causes this request to fail with a “Privilege Not Held” error, causing the VBScript to hang in an infinite loop due to the failed restart attempt.

“Even if the server is restarted manually (for example by an unsuspecting administrator), the script has no mechanism to resume execution after a restart, meaning that the attack can be interrupted or prevented,” said Martin Zugec, director of technical solutions at Bitdefender.

The ransomware is designed to generate a random password derived from system-specific information such as network traffic, system memory, and disk usage, using it to encrypt system drives.

The unique password is then uploaded to a server controlled by the attacker. After the reboot, the user is prompted to enter the password to unlock the encrypted drive. The BitLocker screen is also configured to display the threat actor’s contact email address to initiate payment in exchange for the password.

That’s not all. The script makes several changes to the Registry to restrict access to the system by disabling remote RDP connections and disabling local password-based logins. As part of its cleanup efforts, it also disables Windows Firewall rules and deletes audit files.

Bitdefender also pointed out that the name ShrinkLocker is misleading, as the eponymous partition-shrinking functionality only applies to older Windows systems and does not actually shrink partitions on current operating systems.

“Using a combination of Group Policy Objects (GPOs) and scheduled tasks, it can encrypt multiple systems on a network in just 10 minutes per device,” Zugec noted. “As a result, a complete compromise of a domain can be achieved with very little effort.”

“Proactively monitoring specific Windows event logs can help organizations identify and respond to potential BitLocker attacks, even in their early stages, such as when attackers are testing their encryption capabilities.”

“By configuring BitLocker to store recovery information in Active Directory Domain Services (AD DS) and enforcing the ‘Do not enable BitLocker until recovery information is stored in AD DS for operating system drives’ policy, organizations can significantly reduce the risk of BitLocker attacks.”
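The two controls quoted above (event-log monitoring and the AD DS recovery-information policy) can be audited from an endpoint. The following PowerShell is an added example written for this article, not code from Bitdefender or from the ShrinkLocker analysis; it assumes an elevated session on a domain-joined Windows host with the BitLocker module, and the registry value names under the FVE policy key are the ones Windows uses for the policy named in the quote.

```powershell
# Added example: audit the BitLocker hardening controls recommended in the article.
# Assumptions: run as Administrator; BitLocker PowerShell module present;
# the FVE policy key below is where the GPO settings are written.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# "Choose how BitLocker-protected operating system drives can be recovered":
#   OSActiveDirectoryBackup        = 1 -> save recovery info to AD DS
#   OSRequireActiveDirectoryBackup = 1 -> do not enable BitLocker until stored in AD DS
function Test-BitLockerAdBackupPolicy {
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BackupToAdDs    = ($p.OSActiveDirectoryBackup -eq 1)
        RequireAdBackup = ($p.OSRequireActiveDirectoryBackup -eq 1)
    }
}

# Per-volume protector inventory. An OS drive whose only key is a password the
# organisation never escrowed is the outcome the article describes; an escrowed
# RecoveryPassword protector is what makes recovery possible without paying.
function Get-VolumeProtectorSummary {
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = ($types -join ',')
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        }
    }
}

# Recent entries from the BitLocker management channel. Encryption being enabled
# or protectors changing on servers that are not normally encrypted is the early
# signal the article says defenders should watch for.
function Get-RecentBitLockerEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
      Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Test-BitLockerAdBackupPolicy
Get-VolumeProtectorSummary | Format-Table -AutoSize
Get-RecentBitLockerEvents | Format-Table -AutoSize -Wrap
```

A host where both policy flags are false, or an encrypted volume with no RecoveryPassword protector, has no organisation-controlled way back from the scenario described above and should be remediated before an incident rather than during one.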
