2024-09-05 Splunk: ShrinkLocker Malware: Abusing BitLocker to Lock Your Data

ShrinkLocker is a newly discovered ransomware strain that exploits BitLocker, a legitimate Windows feature, to encrypt data by locking users out of their systems. Unlike traditional ransomware, ShrinkLocker leverages BitLocker’s secure boot partition to make decryption extremely challenging. The malware initiates its attack by identifying the operating system and determining whether it’s a suitable target. It modifies key system registry settings, particularly those related to Remote Desktop Protocol (RDP) and Trusted Platform Module (TPM), to suit its objectives. After disabling BitLocker key protectors, ShrinkLocker shrinks non-boot partitions by 100MB, formats these partitions, and reconfigures boot files to destabilize the system, potentially rendering it irreparable. The malware also exfiltrates data to a command-and-control server and attempts to erase traces of its activity by deleting logs, firewall rules, and scheduled tasks.
Download

Download. (Email me if you need the password scheme)

File Information
d4f2c5b21e96cfef0fc4e5acb6bde30113d1c8c7522f35d99102de886ed337b3 disk.vbs_
32f31b35179bbff9ca9dd21b43bfc3e585baafedde523bd3e4869400ab0362cb Dim oShell.txt (vba)
7662aeae889c350bdabdcc89ccc4c117e0fffdc06933dd7058946fa74a0842bb run.vbs

Article Link: contagio: 2024-09-05 SHRINKLOCKER (Bitlocker) Ransomware Samples
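The summary above lists a chain of stages (RDP and TPM registry changes, disabling BitLocker key protectors, shrinking partitions with diskpart, clearing logs, deleting firewall rules and scheduled tasks). Each command on its own is routine administration, so a detection keyed to the chain is more useful than one keyed to any single command. The following is an added example, not code from the post or from Splunk: it scores constructed process-creation records per host and alerts when several distinct stages appear. The log format, the registry value names used for the RDP/TPM stages and the alert threshold are assumptions.

```python
import re
from collections import OrderedDict, defaultdict

# Constructed process-creation records (hypothetical telemetry, not real logs).
SAMPLE_LOGS = [
    r"2024-09-05T10:01:02Z host=WS01 user=SYSTEM cmd=reg add HKLM\System\CurrentControlSet\Control\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f",
    r"2024-09-05T10:01:05Z host=WS01 user=SYSTEM cmd=reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f",
    r"2024-09-05T10:01:09Z host=WS01 user=SYSTEM cmd=manage-bde -protectors -disable C:",
    r"2024-09-05T10:01:20Z host=WS01 user=SYSTEM cmd=diskpart /s C:\Windows\Temp\shrink.txt",
    r"2024-09-05T10:02:00Z host=WS01 user=SYSTEM cmd=wevtutil cl System",
    r"2024-09-05T10:02:01Z host=WS01 user=SYSTEM cmd=netsh advfirewall firewall delete rule name=RDP-Allow",
    r"2024-09-05T10:02:03Z host=WS01 user=SYSTEM cmd=schtasks /delete /tn Updater /f",
    r"2024-09-05T10:05:00Z host=WS02 user=alice cmd=notepad.exe C:\Users\alice\notes.txt",
]

# One pattern per behaviour the summary describes. The registry value names
# (fDenyTSConnections, EnableBDEWithNoTPM) are assumed indicators; the post
# only says "registry settings related to RDP and TPM".
STAGES = OrderedDict([
    ("rdp_registry",      r"reg\s+add\b.*fDenyTSConnections"),
    ("tpm_policy",        r"reg\s+add\b.*\\FVE\b.*EnableBDEWithNoTPM"),
    ("protectors_off",    r"manage-bde\b.*-protectors\b.*-disable"),
    ("partition_shrink",  r"diskpart\b"),
    ("log_clearing",      r"wevtutil\s+cl\b"),
    ("firewall_teardown", r"netsh\s+advfirewall\s+firewall\s+delete\s+rule"),
    ("task_deletion",     r"schtasks\s+/delete"),
])

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

def match_stages(cmd):
    """Return the stage names whose pattern matches one command line."""
    return [name for name, pat in STAGES.items() if re.search(pat, cmd, re.IGNORECASE)]

def score_hosts(records, threshold=3):
    """Collect distinct stages per host; alert when at least `threshold` stages are seen.
    The threshold is an assumption: a single stage is ordinary admin activity,
    the combination is the ShrinkLocker-style signal."""
    seen_by_host = defaultdict(set)
    for line in records:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip records that do not fit the assumed format
        seen_by_host[m["host"]].update(match_stages(m["cmd"]))
    return {host: {"stages": [s for s in STAGES if s in seen],
                   "alert": len(seen) >= threshold}
            for host, seen in seen_by_host.items()}

if __name__ == "__main__":
    for host, result in score_hosts(SAMPLE_LOGS).items():
        print(host, "ALERT" if result["alert"] else "ok", result["stages"])
```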

