Ransomware Exploits Microsoft's BitLocker to Encrypt Corporate Files, Kaspersky Reports

BitLocker Becomes a Double-Edged Sword: Kaspersky Uncovers Ransomware Exploiting Microsoft's Encryption Feature

Cybersecurity firm Kaspersky has uncovered a new ransomware campaign that exploits Microsoft's BitLocker encryption feature to lock companies out of their own files. The incidents, involving a malware dubbed "ShrinkLocker," have been observed in Mexico, Indonesia, and Jordan, targeting companies in the steel and vaccine manufacturing sectors, as well as a government entity.

The threat actors behind the attack employ a malicious VBScript, a programming language used for task automation on Windows computers, to maximize the damage inflicted. Kaspersky's Global Emergency Response team reports that the script's novel feature is its ability to detect the installed Windows version and enable BitLocker accordingly, allowing it to infect systems ranging from the latest releases to legacy versions as far back as Windows Server 2008.

When the script determines that the operating system is vulnerable, it proceeds to alter the boot settings and attempts to encrypt entire drives using BitLocker. By establishing a new boot partition, the attackers aim to lock the victim out of their system. To further complicate recovery efforts, the script deletes the protectors used to secure BitLocker's encryption key.

The malicious script then transmits information about the compromised system and the generated encryption key to a server controlled by the threat actors. In an effort to cover its tracks, the malware deletes logs and various files that could aid in the investigation of the attack.

As a final blow, the script forces a system shutdown, facilitated by the creation and reinstallation of files in the separate boot partition. Victims are confronted with a BitLocker screen displaying the message: "There are no more BitLocker recovery options on your PC."

Cristian Souza, an Incident Response Specialist at Kaspersky's Global Emergency Response Team, expressed concern over the repurposing of BitLocker, a security measure designed to mitigate data theft and exposure risks, for malicious purposes. "It's a cruel irony that a security measure has been weaponized in this way," Souza stated. "For companies using BitLocker, it's crucial to ensure strong passwords and secure storage of recovery keys. Regular backups, kept offline and tested, are also essential safeguards."

To prevent attackers from exploiting this vulnerability, Kaspersky experts recommend implementing robust, properly configured security software, Managed Detection and Response (MDR) services, limiting user privileges, enabling network traffic logging and monitoring, and closely monitoring VBScript and PowerShell execution events.

As cybercriminals continue to evolve their tactics, exploiting even the most well-intentioned security features, organizations must remain vigilant and proactive in their approach to cybersecurity. The ShrinkLocker ransomware serves as a stark reminder of the importance of comprehensive security measures and the need for constant adaptation in the face of an ever-changing threat landscape.