Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

A new ransomware is hijacking Windows BitLocker to encrypt and steal files

Ransomware .

Cybersecurity researchers have uncovered a new ransomware strain that abuses Windows BitLocker to lock victims out of their devices.

As reported by BleepingComputer, Kaspersky dubbed the new ransomware ShrinkLocker because once it hits, it shrinks available non-boot partitions by 100 MB and creates new primary boot volumes of the same size. Then it uses BitLocker, a full disk encryption feature included with some versions of Microsoft Windows, to encrypt the files on the target endpoint. 

It has so far been seen hitting government agencies, and firms in manufacturing and pharmaceuticals.

Maximum damage

For the uninitiated, BitLocker is a legitimate Windows feature, designed to protect data by providing encryption for entire volumes.

ShrinkLocker is not the first ransomware variant that uses BitLocker to encrypt the systems. BleepingComputer stressed that a hospital in Belgium was struck with a ransomware strain that used BitLocker to encrypt 100TB of data on 40 servers, and in 2022, a meat producer and distributor in Russia called Miratorg Holding, suffered a similar fate. 

But ShrinkLocker also comes "with previously unreported features to maximize the damage of the attack," Kaspersky warned.

Among other things, the encryptor does not drop a ransom note, which is standard practice. Instead, it labels new boot partitions as email addresses, likely inviting the victims to try and communicate that way.

Furthermore, following the successful encryption, the ransomware will delete all BitLocker protectors, denying the victims any options to recover the BitLocker encryption key. The only person(s) holding the key are the attackers, which obtain it through TryCloudflare. This is also a legitimate tool, which developers use to test CloudFlare’s tunnel, without needing to add a site to CloudFlare’s DNS.

So far, the unnamed threat actors compromised systems belonging to steel and vaccine manufacturing organizations in Mexico, Indonesia, and Jordan.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.