Bitdefender releases decryptor tool for ShrinkLocker

Bitdefender has announced the release of a decryptor for the ShrinkLocker ransomware, aiding victims in restoring their files and recovering from attacks.

ShrinkLocker, discovered earlier this year, presents itself as a minimalist yet effective ransomware through its use of VBScript and legacy Windows features. This ransomware operates by modifying BitLocker configurations to encrypt a machine's drives using a randomly generated password which is stored on a server controlled by the attacker. Victims are then directed to pay a ransom for the decryption key.

Bitdefender's investigation reports that ShrinkLocker's code may have been initially created over a decade ago with innocent intent, only recently repurposed for cyberattacks. This unusual ransomware approach could be appealing to independent threat actors due to its simplicity and effectiveness.

The development of Bitdefender's decryptor tool emerged from insights into the ransomware's operation, particularly during the window after removal of BitLocker protectors. Bitdefender shares this tool publicly among its collection of 32 previously released decryptors, aiming to assist in data recovery while highlighting the importance of additional security configurations to mitigate such risks.

In a detailed case study, Bitdefender examined an attack involving a healthcare organisation in the Middle East, revealing the use of ShrinkLocker to target corporate entities rather than individuals. The investigation found the initial breach occurred on an unmanaged system, a common vulnerability exploited by attackers. The threat actor moved laterally within the compromised network using valid credentials, deploying the ransomware across multiple systems efficiently.

Bitdefender's findings underscore the potential threat posed by supply chain attacks, especially those that target third-party relationships rather than direct software vulnerabilities. Such attacks are often underestimated compared to software-based incidents but are highlighted by the investigation as a significant risk factor.

In their analysis of ShrinkLocker, Bitdefender notes the script's reliance on outdated systems and languages, suggesting the code might have initially served a benign purpose before being modified for malicious use. The ransomware's VBScript-based approach and leveraging of BitLocker are atypical of modern threats, marking ShrinkLocker as a unique strain. Detection and prevention against such ransomware attacks can benefit from proactive methods outlined in Bitdefender's advisory. Monitoring specific Windows event logs and configuring Group Policies to store recovery information can contribute to reducing the risk of BitLocker-based attacks.

Bitdefender's extensive recommendations on defending against ransomware emphasise the importance of a multilayered security architecture. Their guidance includes maintaining up-to-date systems, implementing multifactor authentication, and deploying security solutions capable of detecting and responding to threats. Moreover, investing in security operations or managed detection services can significantly mitigate risks by enabling effective alert analysis and response.