2024-09-05 Splunk: ShrinkLocker Malware: Abusing BitLocker to Lock Your Data

ShrinkLocker is a newly discovered ransomware strain that exploits BitLocker, a legitimate Windows feature, to encrypt data by locking users out of their systems. Unlike traditional ransomware, ShrinkLocker leverages BitLocker's secure boot partition to make decryption extremely challenging. The malware initiates its attack by identifying the operating system and determining whether it’s a suitable target. It modifies key system registry settings, particularly those related to Remote Desktop Protocol (RDP) and Trusted Platform Module (TPM), to suit its objectives. After disabling BitLocker key protectors, ShrinkLocker shrinks non-boot partitions by 100MB, formats these partitions, and reconfigures boot files to destabilize the system, potentially rendering it irreparable. The malware also exfiltrates data to a command-and-control server and attempts to erase traces of its activity by deleting logs, firewall rules, and scheduled tasks.