
Description

ShrinkLocker is a ransomware family that uses the built-in Windows BitLocker feature as its encryptor instead of shipping one of its own. Its script shrinks each non-boot partition to free space, creates new boot partitions in that space, and then enables BitLocker on the drives. Known victims include a government entity and companies in the vaccine and manufacturing sectors. No ransom note is dropped; the attackers' contact e-mail addresses are written into the labels of the newly created boot partitions. Kaspersky researchers recommend storing BitLocker recovery keys securely and keeping offline backups to limit the impact of this kind of attack.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2024-06-17
  • Author: Teoderick Contreras, Splunk
  • ID: 11fb26d7-11d3-4839-9ee7-63c1329bff8c

Narrative

ShrinkLocker turns a legitimate, signed operating-system component into the encryption payload, so there is no malicious binary for file-based antivirus to catch. It targets non-boot partitions, shrinks them, establishes new boot volumes in the freed space, and enables BitLocker; instead of a ransom note it uses the boot partition labels to communicate with victims. The detections in this story therefore focus on the host-side side effects of the script rather than on BitLocker itself: the script host (wscript or cscript) spawning system utilities, firewall rules being deleted or changed through netsh and the registry, scheduled tasks being created or deleted from cmd, BitLocker policy keys being written to the registry, RDP being disabled, and event logs being cleared with wevtutil. Kaspersky advises secure recovery key storage and offline backups to mitigate the risk of a victim being locked out permanently.

Detections

Name | Technique | Type
Processes launching netsh | Disable or Modify System Firewall, Impair Defenses | Anomaly
Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP
Suspicious wevtutil Usage | Clear Windows Event Logs, Indicator Removal | TTP
Windows Delete or Modify System Firewall | Impair Defenses, Disable or Modify System Firewall | Anomaly
Windows Event Log Cleared | Indicator Removal, Clear Windows Event Logs | TTP
Windows Modify Registry Configure BitLocker | Modify Registry | TTP
Windows Modify Registry Delete Firewall Rules | Modify Registry | TTP
Windows Modify Registry Disable RDP | Modify Registry | Anomaly
Windows Modify Registry on Smart Card Group Policy | Modify Registry | Anomaly
Windows Modify Registry to Add or Modify Firewall Rule | Modify Registry | Anomaly
Wscript Or Cscript Suspicious Child Process | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | TTP
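As an added illustration (this is not Splunk's own SPL, nor code from the Kaspersky report), the Python below runs the logic of six of the detections listed above over constructed process-creation events and then correlates the hits per host. The point of the correlation step is that a single netsh or schtasks event is only an anomaly, while several of these detections firing on one host in a short span is the cluster this story is built to surface. The script names, the `manage-bde` and `diskpart` child processes, and the specific registry values in the sample events are assumptions for the example, not indicators taken from the page; the BitLocker policy key path and the `fDenyTSConnections` value are the standard Windows locations for those settings.

```python
"""Run the story's process-creation detections over sample events and
correlate them per host.  Added example, not Splunk's own SPL."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Normalized process-creation record (Sysmon EID 1 / Security 4688 style)."""
    host: str
    parent_image: str
    image: str
    cmdline: str


def _is(image: str, *names: str) -> bool:
    """True when the image's file name (case-insensitive) is one of *names*."""
    return image.lower().rsplit("\\", 1)[-1] in names


# --- one predicate per detection from the table above ----------------------

def netsh_firewall_change(e: ProcEvent) -> bool:
    c = f" {e.cmdline.lower()} "
    return _is(e.image, "netsh.exe") and "firewall" in c and any(
        verb in c for verb in (" delete ", " set ", " add "))


def scheduled_task_cmd(e: ProcEvent) -> bool:
    c = e.cmdline.lower()
    return _is(e.image, "schtasks.exe") and ("/create" in c or "/delete" in c)


def wevtutil_clear(e: ProcEvent) -> bool:
    return _is(e.image, "wevtutil.exe") and re.search(
        r"\s(cl|clear-log)\s", f" {e.cmdline.lower()} ") is not None


# Standard BitLocker policy key and the standard "deny RDP" value. Which values
# ShrinkLocker actually writes is not stated on this page; the sample is constructed.
BITLOCKER_POLICY = r"software\policies\microsoft\fve"
RDP_DENY_VALUE = "fdenytsconnections"


def reg_bitlocker_policy(e: ProcEvent) -> bool:
    c = e.cmdline.lower()
    return _is(e.image, "reg.exe") and " add " in c and BITLOCKER_POLICY in c


def reg_disable_rdp(e: ProcEvent) -> bool:
    c = e.cmdline.lower()
    return _is(e.image, "reg.exe") and RDP_DENY_VALUE in c and "/d 1" in c


SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Children a VBScript ransomware would plausibly need; manage-bde and diskpart
# are assumptions drawn from the partition-shrinking/BitLocker behaviour above.
SUSPICIOUS_CHILDREN = ("cmd.exe", "powershell.exe", "manage-bde.exe", "diskpart.exe",
                       "schtasks.exe", "netsh.exe", "wevtutil.exe", "reg.exe")


def script_host_child(e: ProcEvent) -> bool:
    return _is(e.parent_image, *SCRIPT_HOSTS) and _is(e.image, *SUSPICIOUS_CHILDREN)


RULES = [
    ("Processes launching netsh", "Disable or Modify System Firewall", netsh_firewall_change),
    ("Scheduled Task Deleted Or Created via CMD", "Scheduled Task/Job", scheduled_task_cmd),
    ("Suspicious wevtutil Usage", "Clear Windows Event Logs", wevtutil_clear),
    ("Windows Modify Registry Configure BitLocker", "Modify Registry", reg_bitlocker_policy),
    ("Windows Modify Registry Disable RDP", "Modify Registry", reg_disable_rdp),
    ("Wscript Or Cscript Suspicious Child Process", "Create or Modify System Process", script_host_child),
]


def evaluate(events):
    """Return one hit dict per (event, matching rule) pair."""
    return [{"host": e.host, "rule": name, "technique": tech, "cmdline": e.cmdline}
            for e in events for name, tech, pred in RULES if pred(e)]


def hosts_over_threshold(hits, min_distinct_rules=3):
    """Hosts on which at least *min_distinct_rules* different detections fired."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["host"]].add(h["rule"])
    return sorted(host for host, rules in seen.items() if len(rules) >= min_distinct_rules)


S = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed for this example; not telemetry from a real incident
    ProcEvent("ws01", r"C:\Windows\explorer.exe", S + r"\wscript.exe", r"wscript.exe C:\Users\Public\script.vbs"),
    ProcEvent("ws01", S + r"\wscript.exe", S + r"\cmd.exe", r"cmd.exe /c diskpart /s C:\Users\Public\shrink.txt"),
    ProcEvent("ws01", S + r"\cmd.exe", S + r"\netsh.exe", "netsh advfirewall firewall delete rule name=all"),
    ProcEvent("ws01", S + r"\wscript.exe", S + r"\reg.exe",
              r"reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f"),
    ProcEvent("ws01", S + r"\cmd.exe", S + r"\reg.exe",
              r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f'),
    ProcEvent("ws01", S + r"\wscript.exe", S + r"\wevtutil.exe", "wevtutil cl Security"),
    ProcEvent("ws01", S + r"\cmd.exe", S + r"\schtasks.exe", 'schtasks /delete /tn "Backup" /f'),
    ProcEvent("ws02", r"C:\Windows\explorer.exe", S + r"\notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["host"]}: {h["rule"]} ({h["technique"]}): {h["cmdline"]}')
    print("hosts with clustered hits:", hosts_over_threshold(hits))
```

Running the block prints eight hits, all on `ws01`, and lists `ws01` as the only host with three or more distinct detections; the benign `notepad.exe` event on `ws02` matches nothing. In a SIEM the same idea is expressed as a risk-based alert that sums the individual detections per host over a time window rather than alerting on each anomaly-grade rule on its own.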

Version: 1