Kaspersky has identified new ransomware attacks that abuse BitLocker, a legitimate Microsoft tool, to try to encrypt corporate files. The attackers remove recovery options, preventing files from being restored, and use a malicious script with a new capability: adapting to different versions of Windows. The criminals have targeted companies in the industrial sector, vaccine manufacturers and government entities. “ShrinkLocker” attacks have been detected in Mexico, Indonesia and Jordan.
BitLocker is a Microsoft security tool built into the Windows operating system. Its main function is to protect data stored on the computer’s hard drive, preventing unauthorized people from accessing that information. In these attacks the criminals turn that same encryption against the owner: the stored data becomes ciphertext that the legitimate user can no longer read.
How does the attack occur?
The attackers use VBScript – a programming language used to automate tasks on Windows computers – to create a malicious script. What’s new about these attacks is that they check the current version of the operating system installed and activate BitLocker features accordingly. As such, the code is believed to be capable of infecting both new and older systems, including versions up to Windows Server 2008.
If the system version is suitable for the attack, the script changes the BitLocker settings in order to lock the victim out. The attackers also delete the protectors that BitLocker relies on for recovery, ensuring that the victim cannot restore access to the files.
The final step of this malware leads to a forced shutdown of the system, leaving the following message on the screen: “There are no more BitLocker recovery options on your computer”.
“What is particularly worrying about this case is that BitLocker, originally designed to mitigate the risk of data theft or exposure, has been repurposed by criminals for malicious purposes. It is a cruel irony that a security measure has been weaponized in this way. For companies using the tool, it is crucial to ensure strong passwords and secure storage of recovery keys. Regular backups, kept offline and tested, are also essential,” explains Cristian Souza, Incident Response Specialist at Kaspersky’s Global Emergency Response Team (GERT).
Detailed technical analysis of these incidents is available on Securelist. Kaspersky experts recommend the following measures:
- Use robust and properly configured security software to detect threats that attempt to use BitLocker. Use a solution that can proactively scan for threats;
- Limit the privileges of those using the network and prevent unauthorized activation of encryption features or modification of registry keys;
- Enable network traffic logging and monitoring, as infected systems may transmit passwords or keys to attacker-controlled domains;
- Monitor VBScript and PowerShell execution events, and save the recorded scripts and commands to an external repository so that records of suspicious activity are retained.
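The last two recommendations can be turned into a simple triage rule over script and process telemetry. The following Python routine is an added example, not code from Kaspersky or the source article; it assumes events have already been collected as dicts with `host`, `id` and `text` fields (the command line of a 4688/Sysmon 1 process-creation event, or the script block of a PowerShell 4104 event), and its indicator patterns are generic markers of the behaviours the article describes (deleting protectors, touching BitLocker policy in the registry, forcing a reboot from a script), not signatures taken from the ShrinkLocker analysis.

```python
"""Triage constructed Windows events for BitLocker-abuse indicators (added example).
Assumption: each event is a dict with 'host', 'id', 'text'; 'text' is a process
command line (4688 with command-line auditing, or Sysmon 1) or a PowerShell 4104
script block. Patterns are generic, not signatures from the ShrinkLocker analysis."""
import re
from collections import defaultdict

# (name, pattern, weight). manage-bde and Win32_EncryptableVolume are legitimate admin
# interfaces, so single hits are weak; several different hits on one host is the signal.
INDICATORS = [
    ("protector_removal", re.compile(
        r"manage-bde(\.exe)?\s+-protectors\s+-delete|DeleteKeyProtectors?\b|Remove-BitLockerKeyProtector", re.I), 5),
    ("bitlocker_wmi", re.compile(r"Win32_EncryptableVolume", re.I), 2),
    ("fve_policy_registry", re.compile(r"Policies\\Microsoft\\FVE", re.I), 3),
    ("forced_shutdown", re.compile(r"\bshutdown(\.exe)?\b.*[/-]f\b|Stop-Computer\b.*-Force", re.I), 2),
    ("vbscript_host", re.compile(r"\b[cw]script(\.exe)?\b.*\.vbs\b", re.I), 1),
]
ALERT_THRESHOLD = 5  # protector removal alone is enough to page; tune per environment

def match_indicators(text):
    """Names of all indicators whose pattern occurs in one event's text."""
    return [name for name, pat, _ in INDICATORS if pat.search(text)]

def score_event(text):
    """Summed weight of the indicators present in one event's text."""
    return sum(w for _, pat, w in INDICATORS if pat.search(text))

def triage(events):
    """Per-host aggregate {host: {'score': int, 'indicators': [...]}} for hosts with hits."""
    per_host = defaultdict(lambda: {"score": 0, "indicators": []})
    for ev in events:
        hits = match_indicators(ev["text"])
        if hits:
            per_host[ev["host"]]["score"] += score_event(ev["text"])
            per_host[ev["host"]]["indicators"].extend(hits)
    return dict(per_host)

def alerting_hosts(events):
    """Hosts whose aggregated score reaches ALERT_THRESHOLD, sorted."""
    return sorted(h for h, v in triage(events).items() if v["score"] >= ALERT_THRESHOLD)

# Constructed sample telemetry: ws-01 mimics the script -> protector removal -> forced
# reboot chain from the article; ws-02 is benign; ws-03 is a lone BitLocker status query.
SAMPLE_EVENTS = [
    {"host": "ws-01", "id": 4688, "text": r"C:\Windows\System32\wscript.exe C:\Users\Public\update.vbs"},
    {"host": "ws-01", "id": 4688, "text": r"manage-bde.exe -protectors -delete C: -type RecoveryPassword"},
    {"host": "ws-01", "id": 4688, "text": r"shutdown.exe /r /f /t 0"},
    {"host": "ws-02", "id": 4104, "text": r"Get-Date; Get-ChildItem C:\Logs"},
    {"host": "ws-03", "id": 4104, "text": r"Get-WmiObject -Class Win32_EncryptableVolume -Namespace root\cimv2\Security\MicrosoftVolumeEncryption"},
]
```

Running `alerting_hosts(SAMPLE_EVENTS)` flags only `ws-01`; the lone status query on `ws-03` scores below the threshold, which is the point of weighting and per-host aggregation rather than alerting on every BitLocker command.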
Source: https://www.hardware.com.br/noticias/novo-ransomware-usa-ferramenta-de-seguranca-da-microsoft-para-encriptar-dados-corporativos.html