News ShrinkLocker' ransomware uses BitLocker against you — encryption-craving malware has already been used against governments

[Admin]

The ShrinkLocker ransomware attack uses BitLocker to encrypt corporate systems and destroy all recovery methods. The new attack is more directed at destruction than extortion.

ShrinkLocker' ransomware uses BitLocker against you — encryption-craving malware has already been used against governments : Read more

 

[JamesJones44]

Why isn't BitLocker a root level operation? I'll never understand why Microsoft can't get basic user level vs root level execution right. Setting up BitLocker should be a root level operation, requiring a root password to execute (or I guess in Window's case a popup).

 

[Alvar "Miles" Udell]

If only Microsoft would poach the age old Linux security measure of requiring the administrator password before changes are made (annoying, but quite secure)...Though any enterprise level system should be setup to be run with a very limited user account anyway which would prevent this as well...

 

[randomizer]

If the OS is too old, ShrinkLocker deletes itself without a trace.

At least the attacker is tidy.

 

[USAFRet]

If only Microsoft would poach the age old Linux security measure of requiring the administrator password before changes are made (annoying, but quite secure)...Though any enterprise level system should be setup to be run with a very limited user account anyway which would prevent this as well...

"requiring the administrator password before changes are made"

What changes?

 

[Sleepy_Hollowed]

I feel like this might become a huge thing since they required everyone to have TPM and Bitlocker for Windows 11 and beyond.

 

[rluker5]

At least a vital component of this attack - VBScript is getting depreciated at the same time BitLocker is becoming default enabled.

 

[CmdrShepard]

A malicious script then runs through BitLocker setup specific to the operating system, and enables BitLocker accordingly on any PC running Vista or Windows Server 2008 or newer.

If I am not mistaken you can't change BitLocker settings if you don't have admin rights.

 

[Deleted member 2731765]

I think to bypass the Bitlocker it appears that "ShrinkLocker" has modified several registry entries related to BitLocker and system security. These changes allowed it to turn on BitLocker, even if the device lacks a Trusted Platform Module chip.

If I'm NOT mistaken, and after going through the original findings by the researchers, these attackers were able to deploy and run an advanced VBS script that took advantage of BitLocker for unauthorized file encryption.

The script added the following registry entries. If the script detects an error, it then restarts the system.

• fDenyTSConnections = 1: disables RDP connections;
• scforceoption = 1: enforces smart card authentication;
• UseAdvancedStartup = 1: requires the use of the BitLocker PIN for pre-boot authentication;
• EnableBDEWithNoTPM = 1: allows BitLocker without a compatible TPM chip;
• UseTPM = 2: allows the use of TPM if available;
• UseTPMPIN = 2: allows the use of a startup PIN with TPM if available;
• UseTPMKey = 2: allows the use of a startup key with TPM if available;
• UseTPMKeyPIN = 2: allows the use of a startup key and PIN with TPM if available;
• EnableNonTPM = 1: allows BitLocker without a compatible TPM chip, requires a password or startup key on a USB flash drive;
• UsePartialEncryptionKey = 2: requires the use of a startup key with TPM;
• UsePIN = 2: requires the use of a startup PIN with TPM.

The malware also seems to disable the protectors used to secure BitLocker's encryption key and deletes them.

Having completed the deletion, it enables the use of a numerical password as a protector and the encryption feature.

It appears the hack successfully recovers the BitLocker keys, generates a random password, and then this information is sent back to the attacker(s).

As shown here, the code has actually converted the previously generated encryption key to a secure string—a PowerShell option that prevents creating a string object in memory, and the effectively enables BitLocker on the drives.

.

 

[hannibal]

... Should I turn of the internet connection...
This is big!

 

[Alvar "Miles" Udell]

"requiring the administrator password before changes are made"

What changes?

Any changes. Installing software, changing system settings, even installing system updates requires the administrator password.

 

[USAFRet]

Any changes. Installing software, changing system settings, even installing system updates requires the administrator password.

It already does this.
That is why I use a Standard local account as my daily driver.

Any 'install' or system change requires input of the admin password.

 

[Alvar "Miles" Udell]

It already does this.
That is why I use a Standard local account as my daily driver.

Any 'install' or system change requires input of the admin password.

Which has been recommended ever since the Windows XP days made multiple accounts much better, but if I had to guess only 1% of non-enterprise users do that, and going by this article a good number of enterprise users aren't configured to run that way. That's why it needs to be the default action, especially since Windows has biometrics and PINs nowdays to make it less annoying, on every account, including admins.

 

[USAFRet]

Which has been recommended ever since the Windows XP days made multiple accounts much better, but if I had to guess only 1% of non-enterprise users do that, and going by this article a good number of enterprise users aren't configured to run that way. That's why it needs to be the default action, especially since Windows has biometrics and PINs nowdays to make it less annoying, on every account, including admins.

One of the main problems is that people who might be susceptible to malware like this would enter their password anyway.

"I know this PhotoshopFullCrack file is safe. My friend gave it to me."

 

[Deleted member 2731765]

For a ransomware attack, the attacker also did not make it easy to find where to send the ransom in question. This makes it likely that the attack is focused more on disruption and data destruction than ransom.

I found quite a few contradictory info regarding this issue. Some claim the attack was indirectly meant for monetary purpose.

Eduardo Ovalle, digital forensic and incident response group manager at Kaspersky GERT, pointed out the version of the script and the TTPs suggest that this ransomware does not operate as a Ransomware as a Service (RaaS).

The main motivator of the attacks was purely monetary.

“After the infection, the attacker left his e-mail address as a disk label for contact about the ransom,” Ovalle said.

 

[TechyIT223]

So this was after all for a ransom it seems but nonetheless the attack is highly powerful

 

[TechyIT223]

I think to bypass the Bitlocker it appears that "ShrinkLocker" has modified several registry entries related to BitLocker and system security. These changes allowed it to turn on BitLocker, even if the device lacks a Trusted Platform Module chip.

If I'm NOT mistaken, and after going through the original findings by the researchers, these attackers were able to deploy and run an advanced VBS script that took advantage of BitLocker for unauthorized file encryption.

The script added the following registry entries. If the script detects an error, it then restarts the system.

• fDenyTSConnections = 1: disables RDP connections;
• scforceoption = 1: enforces smart card authentication;
• UseAdvancedStartup = 1: requires the use of the BitLocker PIN for pre-boot authentication;
• EnableBDEWithNoTPM = 1: allows BitLocker without a compatible TPM chip;
• UseTPM = 2: allows the use of TPM if available;
• UseTPMPIN = 2: allows the use of a startup PIN with TPM if available;
• UseTPMKey = 2: allows the use of a startup key with TPM if available;
• UseTPMKeyPIN = 2: allows the use of a startup key and PIN with TPM if available;
• EnableNonTPM = 1: allows BitLocker without a compatible TPM chip, requires a password or startup key on a USB flash drive;
• UsePartialEncryptionKey = 2: requires the use of a startup key with TPM;
• UsePIN = 2: requires the use of a startup PIN with TPM.

The malware also seems to disable the protectors used to secure BitLocker's encryption key and deletes them.

Having completed the deletion, it enables the use of a numerical password as a protector and the encryption feature.

It appears the hack successfully recovers the BitLocker keys, generates a random password, and then this information is sent back to the attacker(s).

As shown here, the code has actually converted the previously generated encryption key to a secure string—a PowerShell option that prevents creating a string object in memory, and the effectively enables BitLocker on the drives.

.

Good example for clarification.

That makes sense as to why bitlocker was easily bypassed. Hit the nail on the head.

 

[Deleted member 2731765]

Well, most of the researchers and few reports have also highlighted the 'ransom' part clearly, so it can't be overlooked.

 

[thisoldtech]

At least the attacker is tidy.

Security through obsolescence!