New ransomware uses Microsoft security tool to encrypt corporate data

Kaspersky detected attacks against industrial companies, vaccine manufacturers and government organizations.

Kaspersky has identified new ransomware attacks that use BitLocker, a legitimate Microsoft tool, to encrypt corporate files. The attackers remove the recovery options, which prevents the files from being restored, and use a malicious script with a new feature: it adapts itself to different versions of Windows. The targets are industrial companies, vaccine manufacturers and government organizations. These attacks, known as “ShrinkLocker”, were detected in Mexico, Indonesia and Jordan.

BitLocker is a Microsoft security tool included in the Windows operating system. Its main function is to protect the data stored on a computer's hard disk by encrypting it, so that unauthorized persons cannot read that information. In these attacks the offender turns that same encryption against the owner: the stored data is converted into unreadable ciphertext and, with the keys withheld, the victim can no longer access it.

How does the attack occur?

Cybercriminals use VBScript, a scripting language used to automate tasks on Windows computers, to write the malicious script. The novelty of these attacks is that the script checks which version of Windows is installed and invokes BitLocker's functions accordingly. This is why the code is believed to be able to infect both new and old systems, including versions as old as Windows Server 2008.

If the system version is suitable for the attack, the script alters BitLocker's settings to lock the victim user out. The attackers also remove the protection measures that back up BitLocker, which ensures that the person cannot recover the files.

The final step of the attack leads to a forced system shutdown, leaving the following message on the screen: “No more BitLocker recovery options on your computer”.

“What is particularly troubling in this case is the fact that BitLocker, originally designed to mitigate the risks of data theft or exposure, has been reused by criminals for malicious purposes. It is a cruel irony that a security measure has become such a threat. For companies using the tool, it is crucial to ensure strong passwords and secure storage of recovery keys. Regular, offline and verified backups are also essential,” explains Cristian Souza, Incident Response specialist at Kaspersky’s Global Emergency Response Team (GERT).
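The advice on secure storage of recovery keys can be checked rather than assumed. The following PowerShell is an added example, not code from the Kaspersky article or the Securelist analysis: it audits every BitLocker volume for a recovery password protector and escrows each one to Active Directory, so a copy exists outside the machine. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later), local administrator rights, and a domain whose schema holds BitLocker recovery information; the function names are mine.

```powershell
# Added example (not from the Kaspersky article or Securelist analysis).
# Lists the protectors on each BitLocker volume and escrows recovery
# passwords to Active Directory. Assumes the BitLocker module, admin rights
# and an AD schema that stores BitLocker recovery information.

function Get-BitLockerRecoveryAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # A volume with no RecoveryPassword protector cannot be recovered by
        # its owner: exactly the state the article says the attackers create.
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            ProtectorTypes   = (@($vol.KeyProtector.KeyProtectorType) -join ', ')
            RecoveryCount    = $recovery.Count
            RecoveryIds      = (@($recovery.KeyProtectorId) -join ', ')
        }
    }
}

function Backup-BitLockerRecoveryToAD {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        if ($recovery.Count -eq 0) {
            # Surface this loudly: a protected volume without a recovery
            # password is unrecoverable if the other protectors are lost.
            Write-Warning "$($vol.MountPoint): no recovery password protector present; nothing to escrow"
            continue
        }
        foreach ($kp in $recovery) {
            if ($PSCmdlet.ShouldProcess("$($vol.MountPoint) protector $($kp.KeyProtectorId)", 'Escrow recovery password to AD')) {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
            }
        }
    }
}

Get-BitLockerRecoveryAudit | Format-Table -AutoSize
# Dry run first; drop -WhatIf to perform the escrow.
Backup-BitLockerRecoveryToAD -WhatIf
```

Run the audit on a schedule and alert on any protected volume whose RecoveryCount drops to zero, which is the condition the article describes. Escrowing to AD does not stop an administrator-level attacker from deleting the local protector, but it guarantees the organization still holds a recovery password that was captured before the compromise.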

Kaspersky experts recommend the following measures:

  • Use robust, properly configured security software that can detect threats attempting to abuse BitLocker. Deploy a solution capable of proactively hunting for threats.
  • Limit users’ network privileges and prevent unauthorized activation of encryption functions or modification of registry keys.
  • Enable network traffic logging and monitoring, as infected systems can transmit passwords or keys to fraudulent domains.
  • Monitor VBScript and PowerShell execution events, storing logged scripts and commands in an external repository so that evidence of suspicious activity is retained.
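The last recommendation can be turned into a concrete rule. The PowerShell below is an added example, not code from the Kaspersky article or the Securelist analysis: it flags script-host activity that touches BitLocker tooling, working on plain event message text so it can be exercised on constructed samples, and a wrapper pulls real events from the Security log (event ID 4688, which requires process-creation auditing with command-line logging enabled) and the PowerShell operational log (event ID 4104, script block logging). The pattern lists, function names and sample messages are mine and are assumptions, not indicators published by Kaspersky.

```powershell
# Added example (not from the Kaspersky article or Securelist analysis).
# Flags BitLocker tooling invoked from a script host (wscript, cscript,
# PowerShell). Patterns below are assumptions for illustration.

$ScriptHosts   = 'wscript\.exe|cscript\.exe|powershell\.exe|pwsh\.exe'
$BitLockerRefs = 'manage-bde|Enable-BitLocker|Remove-BitLockerKeyProtector|Add-BitLockerKeyProtector|Get-BitLockerVolume|Win32_EncryptableVolume'

function Test-BitLockerScriptEvent {
    param(
        [Parameter(Mandatory)][string]$Message,
        [Parameter(Mandatory)][int]$EventId
    )
    switch ($EventId) {
        4688 {
            # Process creation: flag when a script host is the creator (or the
            # new process) and the command line references BitLocker tooling.
            $creator = if ($Message -match 'Creator Process Name:\s+(\S+)') { $Matches[1] } else { '' }
            $newProc = if ($Message -match 'New Process Name:\s+(\S+)')     { $Matches[1] } else { '' }
            $cmdLine = if ($Message -match 'Process Command Line:\s+(.+)')   { $Matches[1] } else { '' }
            $hostInvolved     = ($creator -match $ScriptHosts) -or ($newProc -match $ScriptHosts)
            $touchesBitLocker = $cmdLine -match $BitLockerRefs
            return [bool]($hostInvolved -and $touchesBitLocker)
        }
        4104 {
            # Script block logging carries the executed script text itself, so
            # any BitLocker reference inside it is worth review.
            return [bool]($Message -match $BitLockerRefs)
        }
        default { return $false }
    }
}

function Get-ScriptHostBitLockerAlerts {
    param([int]$MaxEvents = 500)
    $filters = @(
        @{ LogName = 'Security'; Id = 4688 },
        @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Where-Object { Test-BitLockerScriptEvent -Message $_.Message -EventId $_.Id } |
            Select-Object TimeCreated, Id, MachineName, Message
    }
}

# Constructed sample messages (not real telemetry) to exercise the rule offline.
$samples = @(
    @{ Id = 4688; Msg = "A new process has been created.`r`n`r`nCreator Process Name:`tC:\Windows\System32\wscript.exe`r`nNew Process Name:`tC:\Windows\System32\manage-bde.exe`r`nProcess Command Line:`tmanage-bde.exe -status C:" },
    @{ Id = 4688; Msg = "A new process has been created.`r`n`r`nCreator Process Name:`tC:\Windows\explorer.exe`r`nNew Process Name:`tC:\Windows\System32\notepad.exe`r`nProcess Command Line:`tnotepad.exe" },
    @{ Id = 4104; Msg = "Creating Scriptblock text (1 of 1):`r`nGet-WmiObject -Namespace root\cimv2\Security\MicrosoftVolumeEncryption -Class Win32_EncryptableVolume" }
)
foreach ($s in $samples) {
    '{0}  event {1}' -f (Test-BitLockerScriptEvent -Message $s.Msg -EventId $s.Id), $s.Id
}
```

The first and third samples match, the second does not. Legitimate administration also invokes these cmdlets, so treat a hit as a triage trigger rather than a verdict, and tune out known deployment scripts by creator path or signer. Forward 4688 and 4104 events to an external repository as the recommendation above says, since a local log on a machine that is then shut down and locked is of little use during response.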

Detailed technical analysis of these incidents is available on Securelist.