2024-09-05 Splunk: ShrinkLocker Malware: Abusing BitLocker to Lock Your Data
ShrinkLocker is a newly discovered ransomware strain that exploits BitLocker, a legitimate Windows feature, to encrypt data by locking users out of their systems. Unlike traditional ransomware, ShrinkLocker leverages BitLocker's secure boot partition to make decryption extremely challenging. The malware initiates its attack by identifying the operating system and determining whether it’s a suitable target. It modifies key system registry settings, particularly those related to Remote Desktop Protocol (RDP) and Trusted Platform Module (TPM), to suit its objectives. After disabling BitLocker key protectors, ShrinkLocker shrinks non-boot partitions by 100MB, formats these partitions, and reconfigures boot files to destabilize the system, potentially rendering it irreparable. The malware also exfiltrates data to a command-and-control server and attempts to erase traces of its activity by deleting logs, firewall rules, and scheduled tasks.
Download
File Information
d4f2c5b21e96cfef0fc4e5acb6bde30113d1c8c7522f35d99102de886ed337b3 disk.vbs_
32f31b35179bbff9ca9dd21b43bfc3e585baafedde523bd3e4869400ab0362cb Dim oShell.txt (vba)
7662aeae889c350bdabdcc89ccc4c117e0fffdc06933dd7058946fa74a0842bb run.vbs
Malware Repo Links
- Over the past 15 years, as the blog has been around, many hosting providers have dropped support due to stricter no-malware policies. This has led to broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), just note the file name from the URL and search for it in the Contagio Malware Storage.
No comments:
Post a Comment