Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware Victims

Romanian cybersecurity company Bitdefender has released a free decryptor to help victims recover data encrypted using the ShrinkLocker ransomware.

The decryptor is the result of a comprehensive analysis of ShrinkLocker's inner workings, allowing the researchers to discover a "specific window of opportunity for data recovery immediately after the removal of protectors from BitLocker-encrypted disks."

ShrinkLocker was first documented in May 2024 by Kaspersky, which found the malware's use of Microsoft's native BitLocker utility for encrypting files as part of extortion attacks targeting Mexico, Indonesia, and Jordan. It appears to have been adapted from benign ten-year-old code.

Bitdefender, which investigated a ShrinkLocker incident targeting an unnamed healthcare company in the Middle East, said the attack likely originated from a machine belonging to a contractor, once again highlighting how threat actors are increasingly abusing trusted relationships to infiltrate the supply chain.

In the next stage, the threat actor moved laterally to an Active Directory domain controller by making use of legitimate credentials for a compromised account, followed by creating two scheduled tasks for activating the ransomware process.

While the first task executed a Visual Basic Script ("Check.vbs") that copied the ransomware program to every domain-joined machine, the second task, scheduled for two days later, executed the locally deployed ransomware ("Audit.vbs").

The attack, Bitdefender said, successfully encrypted systems running Windows 10, Windows 11, Windows Server 2016, and Windows Server 2019. That said, the ShrinkLocker variant used is said to be a modified version of the original.

Described as simple yet effective, the ransomware stands out for the fact that it's written in VBScript, a scripting language that Microsoft said is being deprecated starting the second half of 2024. Plus, instead of implementing its own encryption algorithm, the malware weaponizes BitLocker to achieve its goals.

The script is designed to gather information about the system configuration and operating system, after which it attempts to check if BitLocker is already installed on a Windows Server machine, and if not, installs it using a PowerShell command and then performs a "forced reboot" using Win32Shutdown.
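The article names two building blocks of the attack that a defender can audit for directly: scheduled tasks whose action is a VBScript run through a script host, and BitLocker being enabled (or the feature freshly installed) on machines where nobody expected it. The following PowerShell is an added defensive audit written for this page; it is not Bitdefender's tooling and not the ransomware's code. It assumes Windows PowerShell 5.1 on a domain-joined host with local administrator rights, and that the BitLocker and ServerManager modules are present only where the corresponding features are installed. Task names, thresholds and the flagging rules are the author's own choices, not indicators from the article.

```powershell
# Added defensive audit (not from the article, Bitdefender, or the malware).
# Assumptions: Windows PowerShell 5.1, run elevated on the host being checked.

function Get-VbsScheduledTasks {
    # Enumerate every scheduled task whose action runs a VBScript via wscript/cscript,
    # which is the persistence/execution pattern the article describes.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe  = [string]$action.Execute
            $argv = [string]$action.Arguments
            $runsScriptHost = $exe  -match '(?i)(^|\\)[wc]script(\.exe)?$'
            $runsVbsFile    = $argv -match '(?i)\.vbs(\s|"|$)' -or $exe -match '(?i)\.vbs$'
            if ($runsScriptHost -or $runsVbsFile) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Execute   = $exe
                    Arguments = $argv
                    Author    = $task.Author
                    State     = $task.State
                }
            }
        }
    }
}

function Get-BitLockerFeatureState {
    # Windows Server only: the article notes the script installs BitLocker when it is
    # missing, so an unexpected InstallState of 'Installed' on a server is worth a look.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        Get-WindowsFeature -Name BitLocker | Select-Object Name, InstallState
    } else {
        [pscustomobject]@{ Name = 'BitLocker'; InstallState = 'n/a (client OS or ServerManager absent)' }
    }
}

function Get-BitLockerVolumePosture {
    # Per-volume view: flag volumes that are mid-encryption, or encrypted with no
    # protectors at all (the "protectors removed" state the article mentions).
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ Note = 'BitLocker cmdlets not present; feature not installed' }
    }
    Get-BitLockerVolume | ForEach-Object {
        $protectorTypes = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $encrypting     = $_.VolumeStatus -eq 'EncryptionInProgress'
        $noProtectors   = ($_.VolumeStatus -ne 'FullyDecrypted') -and ($protectorTypes.Count -eq 0)
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            PercentEncrypted = $_.EncryptionPercentage
            Protectors       = ($protectorTypes -join ',')
            Flag             = $encrypting -or $noProtectors
        }
    }
}

# Usage: run all three checks and surface only what needs attention.
Get-VbsScheduledTasks | Format-Table -AutoSize
Get-BitLockerFeatureState | Format-Table -AutoSize
Get-BitLockerVolumePosture | Where-Object { $_.Flag -or $_.Note } | Format-Table -AutoSize
```

The task check deliberately matches on the action rather than on the file names quoted in the article ("Check.vbs", "Audit.vbs"), since those are trivially renamed; any task that hands a .vbs to a script host deserves review on a fleet where VBScript is no longer expected. The volume check reads only, so it is safe to schedule across servers; a volume reported as encrypting, or encrypted with an empty protector list, should be escalated immediately because that is the state from which the owner has no recovery path.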
