A new ransomware is hijacking Windows BitLocker to encrypt and steal files

News
By published

New ransomware strain is creating new boot volumes

Ransomware
Image credit: Shutterstock (Image credit: Shutterstock)

Cybersecurity researchers have uncovered a new ransomware strain that abuses Windows BitLocker to lock victims out of their devices.

As reported by BleepingComputer, Kaspersky dubbed the new ransomware ShrinkLocker because once it hits, it shrinks available non-boot partitions by 100 MB and creates new primary boot volumes of the same size. Then it uses BitLocker, a full disk encryption feature included with some versions of Microsoft Windows, to encrypt the files on the target endpoint. 

It has so far been seen hitting government agencies, and firms in manufacturing and pharmaceuticals.

Maximum damage

For the uninitiated, BitLocker is a legitimate Windows feature, designed to protect data by providing encryption for entire volumes.

ShrinkLocker is not the first ransomware variant that uses BitLocker to encrypt the systems. BleepingComputer stressed that a hospital in Belgium was struck with a ransomware strain that used BitLocker to encrypt 100TB of data on 40 servers, and in 2022, a meat producer and distributor in Russia called Miratorg Holding, suffered a similar fate. 

But ShrinkLocker also comes "with previously unreported features to maximize the damage of the attack," Kaspersky warned.

Among other things, the encryptor does not drop a ransom note, which is standard practice. Instead, it labels new boot partitions as email addresses, likely inviting the victims to try and communicate that way.

Furthermore, following the successful encryption, the ransomware will delete all BitLocker protectors, denying the victims any options to recover the BitLocker encryption key. The only person(s) holding the key are the attackers, which obtain it through TryCloudflare. This is also a legitimate tool, which developers use to test CloudFlare’s tunnel, without needing to add a site to CloudFlare’s DNS.

So far, the unnamed threat actors compromised systems belonging to steel and vaccine manufacturing organizations in Mexico, Indonesia, and Jordan.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Ransomware
Healthcare firms targeted by all-new ransomware strain
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Interlock ransomware attacks highlight need for greater security standards on critical infrastructure
Ransomware
Fortinet firewall bugs are being targeted by LockBit ransomware hackers
A laptop with a red screen with a white skull on it with the message: "RANSOMWARE. All your files are encrypted."
AWS S3 feature abused by ransomware hackers to encrypt storage buckets
A group of 7 hackers, 6 slightly blurred in the background and one in the foreground, all wearing black with hoods pulled up over their heads. You cannot see their faces. The hacker in the foreground sits with an open laptop in front of them. The background, behind the hackers, is a Chinese flag
China government-linked hackers caught running a seriously dangerous ransomware scam
A laptop with a red screen with a white skull on it with the message: "RANSOMWARE. All your files are encrypted."
More reports claim 2024 was the worst year for ransomware attacks yet
Latest in Security
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Oracle
Oracle denies data breach after hacker claims to hold six million records
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Latest in News
A phone showing a ChatGPT app error message
ChatGPT is down for many – here's what's going on
AirPods Max with USB-C in every color
Apple's AirPods Max with USB-C will get lossless audio in April, but you'll need to go wired
A woman sitting in a chair looking at a Windows 11 laptop
It looks like Microsoft might have thought better about banishing Copilot AI shortcut from Windows 11
US flags
US government IT contracts set to be centralized in new Trump order
Tesla Roadster 2
Tesla is still taking deposits on its long overdue Roadster, despite promising it would arrive in 2020
Samsung HW-Q990D soundbar with Halloween theme over the top
Samsung promises to repair soundbars bricked by its disastrous software update for free – but it'll probably involve shipping
More about security
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol

Coinbase targeted after recent Github attacks
Oracle

Oracle denies data breach after hacker claims to hold six million records
A screenshot from The First Berserker: Khazan

I got absolutely destroyed by The First Berserker: Khazan’s bosses for hours on end and loved every second of it
See more latest