News ShrinkLocker' ransomware uses BitLocker against you — encryption-craving malware has already been used against governments

Admin · May 24, 2024

The ShrinkLocker ransomware attack uses BitLocker to encrypt corporate systems and destroy all recovery methods. The new attack is more directed at destruction than extortion.

ShrinkLocker' ransomware uses BitLocker against you — encryption-craving malware has already been used against governments : Read more

JamesJones44 · May 24, 2024

Why isn't BitLocker a root level operation? I'll never understand why Microsoft can't get basic user level vs root level execution right. Setting up BitLocker should be a root level operation, requiring a root password to execute (or I guess in Window's case a popup).

Alvar "Miles" Udell · May 24, 2024

If only Microsoft would poach the age old Linux security measure of requiring the administrator password before changes are made (annoying, but quite secure)...Though any enterprise level system should be setup to be run with a very limited user account anyway which would prevent this as well...

randomizer · May 24, 2024

If the OS is too old, ShrinkLocker deletes itself without a trace.

At least the attacker is tidy.

USAFRet · May 24, 2024

Alvar Miles Udell said:
If only Microsoft would poach the age old Linux security measure of requiring the administrator password before changes are made (annoying, but quite secure)...Though any enterprise level system should be setup to be run with a very limited user account anyway which would prevent this as well...

"requiring the administrator password before changes are made"

What changes?

Sleepy_Hollowed · May 25, 2024

I feel like this might become a huge thing since they required everyone to have TPM and Bitlocker for Windows 11 and beyond.

rluker5 · May 25, 2024

At least a vital component of this attack - VBScript is getting depreciated at the same time BitLocker is becoming default enabled.

CmdrShepard · May 25, 2024

A malicious script then runs through BitLocker setup specific to the operating system, and enables BitLocker accordingly on any PC running Vista or Windows Server 2008 or newer.

If I am not mistaken you can't change BitLocker settings if you don't have admin rights.

Metal Messiah. · May 25, 2024

I think to bypass the Bitlocker it appears that "ShrinkLocker" has modified several registry entries related to BitLocker and system security. These changes allowed it to turn on BitLocker, even if the device lacks a Trusted Platform Module chip.

If I'm NOT mistaken, and after going through the original findings by the researchers, these attackers were able to deploy and run an advanced VBS script that took advantage of BitLocker for unauthorized file encryption.

The script added the following registry entries. If the script detects an error, it then restarts the system.

fDenyTSConnections = 1: disables RDP connections;
scforceoption = 1: enforces smart card authentication;
UseAdvancedStartup = 1: requires the use of the BitLocker PIN for pre-boot authentication;
EnableBDEWithNoTPM = 1: allows BitLocker without a compatible TPM chip;
UseTPM = 2: allows the use of TPM if available;
UseTPMPIN = 2: allows the use of a startup PIN with TPM if available;
UseTPMKey = 2: allows the use of a startup key with TPM if available;
UseTPMKeyPIN = 2: allows the use of a startup key and PIN with TPM if available;
EnableNonTPM = 1: allows BitLocker without a compatible TPM chip, requires a password or startup key on a USB flash drive;
UsePartialEncryptionKey = 2: requires the use of a startup key with TPM;
UsePIN = 2: requires the use of a startup PIN with TPM.

The malware also seems to disable the protectors used to secure BitLocker's encryption key and deletes them.

Having completed the deletion, it enables the use of a numerical password as a protector and the encryption feature.

It appears the hack successfully recovers the BitLocker keys, generates a random password, and then this information is sent back to the attacker(s).

As shown here, the code has actually converted the previously generated encryption key to a secure string—a PowerShell option that prevents creating a string object in memory, and the effectively enables BitLocker on the drives.

.

hannibal · May 25, 2024

... Should I turn of the internet connection...
This is big!

Alvar "Miles" Udell · May 25, 2024

USAFRet said:
"requiring the administrator password before changes are made"

What changes?

Any changes. Installing software, changing system settings, even installing system updates requires the administrator password.

USAFRet · May 25, 2024

Alvar Miles Udell said:
Any changes. Installing software, changing system settings, even installing system updates requires the administrator password.

It already does this.
That is why I use a Standard local account as my daily driver.

Any 'install' or system change requires input of the admin password.

Alvar "Miles" Udell · May 25, 2024

USAFRet said:
It already does this.
That is why I use a Standard local account as my daily driver.

Any 'install' or system change requires input of the admin password.

Which has been recommended ever since the Windows XP days made multiple accounts much better, but if I had to guess only 1% of non-enterprise users do that, and going by this article a good number of enterprise users aren't configured to run that way. That's why it needs to be the default action, especially since Windows has biometrics and PINs nowdays to make it less annoying, on every account, including admins.

USAFRet · May 25, 2024

Alvar Miles Udell said:
Which has been recommended ever since the Windows XP days made multiple accounts much better, but if I had to guess only 1% of non-enterprise users do that, and going by this article a good number of enterprise users aren't configured to run that way. That's why it needs to be the default action, especially since Windows has biometrics and PINs nowdays to make it less annoying, on every account, including admins.

One of the main problems is that people who might be susceptible to malware like this would enter their password anyway.

"I know this PhotoshopFullCrack file is safe. My friend gave it to me."

Metal Messiah. · May 25, 2024

For a ransomware attack, the attacker also did not make it easy to find where to send the ransom in question. This makes it likely that the attack is focused more on disruption and data destruction than ransom.

I found quite a few contradictory info regarding this issue. Some claim the attack was indirectly meant for monetary purpose.

Eduardo Ovalle, digital forensic and incident response group manager at Kaspersky GERT, pointed out the version of the script and the TTPs suggest that this ransomware does not operate as a Ransomware as a Service (RaaS).

The main motivator of the attacks was purely monetary.

“After the infection, the attacker left his e-mail address as a disk label for contact about the ransom,” Ovalle said.

TechyIT223 · May 26, 2024

So this was after all for a ransom it seems but nonetheless the attack is highly powerful

TechyIT223 · May 26, 2024

Metal Messiah. said:
I think to bypass the Bitlocker it appears that "ShrinkLocker" has modified several registry entries related to BitLocker and system security. These changes allowed it to turn on BitLocker, even if the device lacks a Trusted Platform Module chip.

If I'm NOT mistaken, and after going through the original findings by the researchers, these attackers were able to deploy and run an advanced VBS script that took advantage of BitLocker for unauthorized file encryption.

The script added the following registry entries. If the script detects an error, it then restarts the system.

fDenyTSConnections = 1: disables RDP connections;

scforceoption = 1: enforces smart card authentication;

UseAdvancedStartup = 1: requires the use of the BitLocker PIN for pre-boot authentication;

EnableBDEWithNoTPM = 1: allows BitLocker without a compatible TPM chip;

UseTPM = 2: allows the use of TPM if available;

UseTPMPIN = 2: allows the use of a startup PIN with TPM if available;

UseTPMKey = 2: allows the use of a startup key with TPM if available;

UseTPMKeyPIN = 2: allows the use of a startup key and PIN with TPM if available;

EnableNonTPM = 1: allows BitLocker without a compatible TPM chip, requires a password or startup key on a USB flash drive;

UsePartialEncryptionKey = 2: requires the use of a startup key with TPM;

UsePIN = 2: requires the use of a startup PIN with TPM.

The malware also seems to disable the protectors used to secure BitLocker's encryption key and deletes them.

Having completed the deletion, it enables the use of a numerical password as a protector and the encryption feature.

It appears the hack successfully recovers the BitLocker keys, generates a random password, and then this information is sent back to the attacker(s).

As shown here, the code has actually converted the previously generated encryption key to a secure string—a PowerShell option that prevents creating a string object in memory, and the effectively enables BitLocker on the drives.

.

Good example for clarification.

That makes sense as to why bitlocker was easily bypassed. Hit the nail on the head.

Metal Messiah. · May 27, 2024

Well, most of the researchers and few reports have also highlighted the 'ransom' part clearly, so it can't be overlooked.

thisoldtech · May 28, 2024

randomizer said:
At least the attacker is tidy.

Security through obsolescence!

News ShrinkLocker' ransomware uses BitLocker against you — encryption-craving malware has already been used against governments

Administrator

Reputable

Admirable

Champion

Titan

Distinguished

Distinguished

Prominent

Judicious

Distinguished

Admirable

Titan

Admirable

Titan

Judicious

Proper

Proper

Judicious

Share this page