ShrinkLocker is a ransomware strain that abuses BitLocker to encrypt data and create a secure boot partition, complicating recovery and demanding a ransom. It evades detection through registry edits, service checks, and log/scheduled task deletions, illustrating the evolving tactics of fileless-like ransomware using legitimate OS features. #ShrinkLocker #BitLocker
Keypoints
- ShrinkLocker uses BitLocker for encryption instead of custom cryptographic methods.
- Early actions include OS version checking and deleting a script file at C:\Programdata\Microsoft\Windows\Templates\disk.vbs.
- Registry edits disable RDP and enforce smart card authentication, and configure BitLocker policies.
- It checks the BitLocker Drive Encryption Tools service and starts it if needed to facilitate encryption.
- Performs disk resizing and partition formatting to disrupt system functionality and boot configuration.
- Exfiltrates system information and a generated encryption key to a C2 server (trycloudflare domain).
- Deletes logs and scheduled tasks to erase traces and hinder analysis; the write-up uses a Splunk Atomic Red Team suite for defense testing.
MITRE Techniques
- [T1082] System Information Discovery – The malware runs the WMI query "SELECT * FROM Win32_OperatingSystem" to determine the OS version, and reads the "DomainDNSName" property of the ADSystemInfo object to identify the domain of the compromised host.
- [T1112] Modify Registry – Modifies registry entries related to RDP, smart card authentication, and TPM settings: "HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections" set to 1; "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\scforceoption" set to 1; and various FVE policy keys.
- [T1486] Data Encrypted for Impact – Checks whether the BitLocker Drive Encryption Tools service is running and attempts to start it if it is not, so that BitLocker can be used for encryption.
- [T1485] Data Destruction – Initiates a destructive payload based on OS check, compromising data integrity; includes disk resizing and formatting of partitions.
- [T1491] Defacement – Modifies the disk label to include ransom contact information.
- [T1041] Exfiltration Over C2 Channel – Generates a random encryption key and transmits it along with system information to a C2 server (trycloudflare).
- [T1070] Indicator Removal – Deletes Windows PowerShell audit logs, firewall rules, and scheduled tasks to evade detection.
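The registry values, service, file path and log-clearing behaviour listed in the keypoints and MITRE mappings above are all things a responder can check for on a host. The PowerShell audit script below is an added example and is not code from the original report or from the malware; it only reads state and reports matches. The FVE policy path HKLM:\SOFTWARE\Policies\Microsoft\FVE is the standard BitLocker policy location and is assumed here, since the report says only "various FVE policy keys" without naming them; the event IDs 1102 (Security) and 104 (System) are the normal Windows records of a log being cleared and are likewise not quoted from the report.

```powershell
# Added example (not from the original report): read-only audit of a Windows host
# for the ShrinkLocker-related settings described above. Run in an elevated session.
# Assumption: HKLM:\SOFTWARE\Policies\Microsoft\FVE is the BitLocker policy path
# (the report does not name the specific FVE keys).

$findings = @()

function Test-RegValue {
    param([string]$Path, [string]$Name, $Expected, [string]$Why)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$Name -eq $Expected) {
        $script:findings += [pscustomobject]@{ Check = "$Path\$Name = $Expected"; Detail = $Why }
    }
}

# T1112: RDP disabled and smart card logon forced (values cited in the report)
Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections' 1 'RDP disabled'
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'scforceoption' 1 'Smart card logon enforced'

# BitLocker policy keys: list whatever is set under the assumed policy path for review
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (Test-Path $fve) {
    $names = (Get-ItemProperty -Path $fve).PSObject.Properties |
             Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Name }
    if ($names) { $findings += [pscustomobject]@{ Check = 'FVE policy values present'; Detail = ($names -join ', ') } }
}

# T1486: state of the BitLocker Drive Encryption service (BDESVC)
$svc = Get-Service -Name BDESVC -ErrorAction SilentlyContinue
if ($svc) { $findings += [pscustomobject]@{ Check = 'BDESVC'; Detail = "Status=$($svc.Status) StartType=$($svc.StartType)" } }

# Per-volume encryption status and protector types (needs the BitLocker module)
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume | ForEach-Object {
        $protectors = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        $findings += [pscustomobject]@{ Check = "BitLocker $($_.MountPoint)"; Detail = "$($_.VolumeStatus) $($_.EncryptionPercentage)% Protectors=$protectors" }
    }
}

# Script path cited in the report (the malware deletes it early, so absence proves nothing)
$vbs = 'C:\ProgramData\Microsoft\Windows\Templates\disk.vbs'
$vbsState = if (Test-Path $vbs) { 'present' } else { 'absent' }
$findings += [pscustomobject]@{ Check = 'disk.vbs'; Detail = $vbsState }

# T1070: clearing a log leaves its own record (Security 1102, System 104)
$cleared = @()
$cleared += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 5 -ErrorAction SilentlyContinue
$cleared += Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104 } -MaxEvents 5 -ErrorAction SilentlyContinue
foreach ($e in $cleared) { $findings += [pscustomobject]@{ Check = "Log cleared (Event $($e.Id))"; Detail = $e.TimeCreated } }

# T1491: ransom contact written into the volume label of fixed drives
Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.FileSystemLabel } | ForEach-Object {
    $findings += [pscustomobject]@{ Check = "Volume label $($_.DriveLetter)"; Detail = $_.FileSystemLabel }
}

$findings | Format-Table -AutoSize
```

Each line of output is a lead, not a verdict: fDenyTSConnections=1 and a forced smart card policy are legitimate hardening on some estates, and BDESVC running is normal on any BitLocker-managed machine. The combination of those settings with a recent 1102/104 clear event, a changed volume label, or protectors that no longer match the organisation's recovery-key escrow is what should trigger the incident process.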
Indicators of Compromise
- [Domain] trycloudflare – C2 domain used to beacon system information and the encryption key.
- [File name] disk.vbs – script file deleted as part of reconnaissance/cleanup (path: C:\Programdata\Microsoft\Windows\Templates\disk.vbs).
- [Service] BDESVC – BitLocker Drive Encryption Tools service referenced for starting/checking BitLocker operations.