ShrinkLocker: New ransomware attacks corporate devices using BitLocker

Tomcat

A legitimate Windows security feature has become a tool for hackers.

Kaspersky Lab experts have identified attacks on corporate devices using a new ransomware program, ShrinkLocker, that abuses BitLocker. BitLocker is a security feature in Windows that protects data using full-volume encryption. The attacks targeted industrial and pharmaceutical companies, as well as government agencies.

Attackers created a malicious script in VBScript. The script checks which version of Windows is installed on the device and activates BitLocker functionality accordingly. ShrinkLocker can infect both new and old OS versions, going as far back as Windows Server 2008.

The script changes the boot parameters of the operating system and then tries to encrypt the hard disk partitions using BitLocker. A new boot partition is created so that the encrypted computer can still be booted later. The attackers also remove the key protectors used to secure the BitLocker encryption key, so that the user cannot recover it afterwards.

The malicious script then sends information about the system, together with the encryption key generated on the infected computer, to the attackers' server. Finally it "covers its tracks": it deletes logs and various files that could help in investigating the attack.

At the final stage, ShrinkLocker forcibly blocks access to the system. The victim sees a message on the screen: "There are no BitLocker recovery options available on your computer."



Kaspersky experts recommend that companies use strong passwords, store BitLocker keys securely, back up their data, and apply solutions for early threat detection and incident investigation.
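As an added example (not part of the original post or Kaspersky's analysis), the following PowerShell check turns the last two recommendations into something an administrator can run: it inventories BitLocker volumes, flags encrypted volumes that have lost their recovery-password protector, escrows recovery passwords to Active Directory, and lists recent key-protector deletion events. It assumes the BitLocker PowerShell module, an elevated session on a domain-joined host, and that event ID 775 in the BitLocker Management log corresponds to "key protector deleted" (verify this on your build).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Checks BitLocker recovery posture on a host
# and reports the conditions ShrinkLocker is described as producing: volumes encrypted
# with no recovery password left behind, and key protectors being deleted.

function Test-BitLockerRecoveryPosture {
    param([int]$LookbackHours = 24)

    $findings = @()
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if ($vol.ProtectionStatus -eq 'On' -and -not $recovery) {
            # Encrypted but no recovery password: nobody but the attacker can unlock it.
            $findings += [pscustomobject]@{ MountPoint = $vol.MountPoint; Issue = 'No RecoveryPassword protector' }
            continue
        }
        foreach ($kp in $recovery) {
            try {
                # Escrow each recovery password to AD DS so a copy survives local protector removal.
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            } catch {
                $findings += [pscustomobject]@{ MountPoint = $vol.MountPoint; Issue = "AD escrow failed: $($_.Exception.Message)" }
            }
        }
    }

    # Key-protector deletions in the BitLocker management log are the detection signal.
    # Event ID 775 is assumed to be "BitLocker key protector was deleted"; confirm locally.
    $since = (Get-Date).AddHours(-$LookbackHours)
    $deleted = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 775
        StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $deleted) {
        $findings += [pscustomobject]@{ MountPoint = '(event)'; Issue = "Key protector deleted at $($e.TimeCreated)" }
    }
    return $findings
}

Test-BitLockerRecoveryPosture | Format-Table -AutoSize
```

An empty result means every encrypted volume still has an escrowed recovery password and no protector was deleted in the lookback window; anything else warrants a look before the "no recovery options" screen appears.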