New ransomware using BitLocker to encrypt data

SMART Estate Security 2024 Information Security, Residential Estate (Industry)

Kaspersky has identified ransomware attacks using Microsoft’s BitLocker to attempt encryption of corporate files. The threat actors remove the recovery options to prevent the files from being restored and use a malicious script with a new feature: it can detect specific Windows versions and enable the BitLocker according to the Windows version.

The incidents with this ransomware, dubbed ‘ShrinkLocker’, and its variants were observed in Mexico, Indonesia, and Jordan. The perpetrators targeted steel and vaccine manufacturing companies and a government entity.

The threat actors are using VBScript – a programming language used to automate tasks on Windows computers – to create a malicious script with previously unreported features to maximise the attack’s damage, the Kaspersky Global Emergency Response team reports. The script’s novelty is that it checks the current version of Windows installed on the system and enables the BitLocker features accordingly. In this way, the script is believed to be able to infect new and legacy systems back to Windows Server 2008.

If the OS version is suitable for the attack, the script alters the boot settings and attempts to encrypt the whole drive using BitLocker. It establishes a new boot partition, essentially setting up a separate section on the computer’s drive containing the files for booting the operating system. This action is aimed at locking the victim out at a later stage. The attackers also deleted the protectors used to secure BitLocker’s encryption key so that the victim could not recover them.

The malicious script then sends information about the system and the encryption key generated on the compromised computer to the threat actor’s server. Afterward, it covers its tracks by deleting logs and various files that serve as hints and help to investigate an attack.

As a final step, malware forces the shutdown of the system - a capability facilitated by the creation and reinstallation of files in a separate boot partition. The victim sees the BitLocker screen with the message: “There are no more BitLocker recovery options on your PC”.

Kaspersky dubbed the script ‘ShrinkLocker’ as this name highlights the critical procedure of partition resizing, which was essential for the attacker to ensure the system booted correctly with the encrypted files.

“What is particularly concerning about this case is that BitLocker, originally designed to mitigate the risks of data theft or exposure, has been repurposed by adversaries for malicious ends. It is a cruel irony that a security measure has been weaponised in this way. For companies using BitLocker, it is crucial to ensure strong passwords and secure storage of recovery keys. Regular backups, kept offline and tested, are also essential safeguards,” explains Cristian Souza, Incident Response Specialist at Kaspersky Global Emergency Response Team.

While Kaspersky’s team could obtain some of the passphrases and fixed values implemented by the threat actor to create the encryption keys, the script includes some variable values, which are different for each affected system, making the decryption process difficult.

The incident’s detailed technical analysis is available at https://securelist.com/ransomware-abuses-bitlocker/112643/.

Recommendations for users

Kaspersky experts recommend the following mitigation measures to prevent attackers from exploiting the feature described in the report:

• Use robust, properly configured security software to detect threats that try to abuse BitLocker. Implement Managed Detection and Response (MDR) to proactively seek out threats.

• Limit user privileges to prevent unauthorised enabling of encryption features or modification of registry keys.

• Enable network traffic logging and monitoring, capturing both GET and POST requests, as infected systems may transmit passwords or keys to attacker domains.

• Monitor for VBScript and PowerShell execution events, saving logged scripts and commands to an external repository for activity retention despite local erasure.


Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Cybersecurity needs actual intelligence before artificial intelligence
Information Security AI & Data Analytics
Cybersecurity depends on interpretation. A tool can tell you that something unusual has happened, but people need to determine whether it is a genuine risk, the business impact, and how to respond without causing unnecessary disruption.

Read more...
Duxbury Cybersecurity sharpens reseller offering
Duxbury Networking Information Security News & Events
Duxbury Networking has strengthened its Duxbury Cybersecurity business unit by adding WatchGuard and Cynet, giving South African resellers broader, more integrated coverage for the security risks customers are now asking them to address.

Read more...
Echoes of 2018? Follow-up on Woolworths explosions
Technews Publishing News & Events Security Services & Risk Management Retail (Industry) Facilities & Building Management
SMART Security Solutions follows up with Jimmy Roodt to find out more about an old connection to the Woolworths bombings from 2018. The investigation remains ongoing.

Read more...
NEC XON detects and stops ransomware attack
NEC XON Information Security IoT & Automation
Ransomware attacks rarely begin with chaos. More often, they start quietly, with probing, mapping, and patient reconnaissance inside a target’s network. That was the situation facing a global recruitment firm when cybercriminals attempted to navigate its systems.

Read more...
Sara AI Pentesting available in South Africa
Information Security News & Events
Synack and Wolfpack Information Risk are offering Sara AI Pentesting to organisations across South Africa, helping companies move from point-in-time testing to continuous security validation with AI and human expertise.

Read more...
Free POPIA Action List for gated access
ATG Digital News & Events Residential Estate (Industry) Training & Education Commercial (Industry)
ATG Digital, in partnership with CIVITAS, released the POPIA Responsible Party Action List. It is a free, practical guide for HOAs, body corporates, managing agents, landlords, employers and institutions. It helps them move from assuming compliance with the Protection of Personal Information Act (POPIA) to proving it.

Read more...
Sophos establishes South African legal entity to strengthen local operations
News & Events Information Security
Global cybersecurity company, Sophos, has announced the formation of its local legal entity, which will support local invoicing, partner enablement, compliance requirements and expanded regional investment.

Read more...
Cybersecurity in a digitally connected security industry
SA Technologies Information Security IoT & Automation
As more organisations move towards digital visitor management, cloud-based access control, mobile applications, biometric verification, and connected security platforms, cybersecurity must be viewed as part of the full security environment.

Read more...
Enterprises must prepare for digital conflict
Information Security
Cyberattacks can be launched remotely and at scale. A coordinated attack launched from anywhere in the world can disrupt supply chains, shut down utilities, or expose millions of customer records within minutes.

Read more...
71% of organisations suffered an identity breach
News & Events Information Security
The State of Identity Security 2026 report from Sophos finds human error and poor non-human identity management are the root causes of most attacks, as agentic AI accelerates the risk.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.