BleepingComputer has reported the emergence of a new ransomware strain called ShrinkLocker, which exploits the BitLocker drive encryption feature in Windows to carry out its attacks. ShrinkLocker works by shrinking non-boot partitions to 100 MB, creating new boot volumes, and then using BitLocker to encrypt the data on the device. Unlike typical ransomware, ShrinkLocker does not leave ransom text files; instead, it names new boot partitions with email addresses for victims to contact.
Once the encryption is complete, ShrinkLocker removes all BitLocker protections, making it impossible for the victim to recover the encryption key. The attacker holds the decryption key and demands a ransom for the victim to regain access to their data. Although BitLocker is a legitimate security feature in Windows, ShrinkLocker exploits it to cause significant harm.
Notably, ShrinkLocker is not the first ransomware to utilize BitLocker for system encryption. Previous incidents include an attack on a hospital in Belgium and a meat producer and distributor in Russia. More recently, ShrinkLocker has targeted organizations in Mexico, Indonesia, and Jordan, including steel and vaccine manufacturers. Security experts caution that ShrinkLocker represents a new and dangerous threat, and urge users to update their security measures to protect against this dangerous ransomware strain.
