- ShrinkLocker ransomware shrinks non-boot partitions and uses BitLocker to encrypt files.
- Targets include government agencies, manufacturers, and pharmaceutical firms.
- Unique features include no ransom note and new boot volumes labeled with email addresses.
Cybersecurity experts have discovered a new type of ransomware called ShrinkLocker, which takes advantage of Windows BitLocker to lock users out of their devices and encrypt their files.
BitLocker is a legitimate Windows feature designed to provide full disk encryption and protect data, but ShrinkLocker turns it against the user.
How ShrinkLocker Works?
According to a report by BleepingComputer and cybersecurity firm Kaspersky, ShrinkLocker starts its attack by shrinking non-boot partitions by 100 MB.
It then creates new primary boot volumes of the same size. Using BitLocker, it encrypts these new volumes, effectively locking the user out of their data.
This ransomware has primarily targeted government agencies, manufacturing firms, and pharmaceutical companies.
Past Incidents Involving BitLocker
ShrinkLocker is not the first ransomware to misuse BitLocker. There have been previous incidents where ransomware has used BitLocker to encrypt data.
For instance, a hospital in Belgium was hit by ransomware that encrypted 100TB of data across 40 servers.
Similarly, in 2022, Miratorg Holding, a large meat producer and distributor in Russia, faced a ransomware attack that used BitLocker.
Features of ShrinkLocker
What sets ShrinkLocker apart are its unique and previously unreported features aimed at maximizing damage.
Unlike typical ransomware, ShrinkLocker does not leave a ransom note. Instead, it labels the new boot partitions with email addresses, presumably inviting the victims to contact the attackers for further instructions.
This approach can confuse victims and delay their response, potentially causing more harm.
Impact and Response
ShrinkLocker’s ability to shrink partitions and create new boot volumes makes it particularly dangerous, as it complicates the recovery process.
Organizations hit by this ransomware may face significant downtime and data loss, leading to severe operational and financial impacts.
Given its targets—government agencies, manufacturers, and pharmaceutical companies—the potential consequences are even more serious.
These sectors often handle sensitive and critical data, and any disruption can have far-reaching effects.
Preventive Measures
To protect against ShrinkLocker and similar ransomware, organizations should ensure their data is regularly backed up and that these backups are stored securely offline.
It’s also crucial to keep software up to date, use robust security solutions, and educate employees about the dangers of phishing attacks, which are a common entry point for ransomware.
Bottom Line
ShrinkLocker represents a new level of threat in the ransomware landscape, using legitimate tools like BitLocker in malicious ways.
As ransomware attacks continue to evolve, staying vigilant and proactive in cybersecurity practices is more important than ever.
By understanding the tactics used by ransomware like ShrinkLocker, organizations can better prepare and defend against these sophisticated attacks.