Free decryptor released for BitLocker-based ShrinkLocker ransomware victims

Romanian cybersecurity company Bitdefender has released a free decryptor to assist organizations hit by the ShrinkLocker ransomware. The new tool allows victims to recover files encrypted by ShrinkLocker, which utilizes Microsoft’s BitLocker for encryption instead of custom encryption methods.

ShrinkLocker, which first came to light in May 2024, abuses BitLocker, the full-volume encryption feature built into Windows, to lock victims' drives and demand ransoms, rather than shipping its own encryption routine.

Bitdefender’s analysis revealed that ShrinkLocker’s operators have targeted an unnamed healthcare company in the Middle East. The attack reportedly originated from a machine belonging to an external contractor.

Following initial access, the attackers escalated privileges and moved laterally with compromised credentials to an Active Directory domain controller. From there they set up two scheduled tasks to deploy the ransomware. The first task executed a Visual Basic Script (“Check.vbs”) that copied the ransomware to all machines in the domain. The second task, scheduled to run two days later, launched the actual encryption through a second script named “Audit.vbs.”

ShrinkLocker targets systems running Windows 10, Windows 11, Windows Server 2016, and Windows Server 2019. The malware collects information on the system configuration and operating system before checking whether BitLocker is available. If it is absent (on Windows Server it is an optional feature rather than a built-in component), the malware attempts to install it through PowerShell and then forces a reboot by calling Win32Shutdown, a method of the WMI class Win32_OperatingSystem that requires the caller to hold the shutdown privilege. Bitdefender found a bug here: the reboot call sometimes fails, and the ransomware gets stuck in an infinite loop retrying it with a “Privilege Not Held” error.
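The two behaviours above (VBScript-driven scheduled tasks staged on a domain controller, and a BitLocker feature that appears and starts encrypting volumes on hosts where it was never configured) are what a responder would want to sweep for. The following PowerShell hunting script is an added example written for this article; it is neither Bitdefender's decryptor nor ShrinkLocker's code. It assumes an elevated PowerShell session on a Windows host with the ScheduledTasks module, treats the BitLocker and ServerManager modules as optional, and takes only the script names (Check.vbs, Audit.vbs) and the two-day delay from the article; everything else is generic triage logic.

```powershell
# Added hunting example (not Bitdefender's tool, not the ransomware's code).
# Assumes: elevated session; ScheduledTasks module present; BitLocker and
# ServerManager cmdlets optional. Check.vbs / Audit.vbs and the two-day
# delay come from the article; no other indicator is claimed.

# 1. Scheduled tasks whose action launches a VBScript. ShrinkLocker staged
#    "Check.vbs" (domain-wide copy) and "Audit.vbs" (encryption, two days
#    later), so a task that runs wscript/cscript or a .vbs file, especially
#    one whose next run is days away, deserves a look.
$vbsTasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Non-exec actions (COM handlers) have no Execute; formatting nulls is harmless.
        $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
        if ($cmd -match '(?i)\.vbs\b' -or $cmd -match '(?i)\b[wc]script(\.exe)?\b') {
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Author   = $task.Author
                State    = $task.State
                Command  = $cmd
                LastRun  = $info.LastRunTime
                NextRun  = $info.NextRunTime
                # Flag triggers more than a day out: the article's second task
                # was scheduled two days after the first.
                Delayed  = ($info.NextRunTime -gt (Get-Date).AddDays(1))
            }
        }
    }
}
Write-Host "== Scheduled tasks that run VBScript =="
$vbsTasks | Sort-Object NextRun | Format-Table -AutoSize

# 2. BitLocker state. On client SKUs BitLocker is built in; on Windows Server
#    it is an optional feature the malware installs itself, so an installed
#    feature on a server that never used it is a signal in its own right.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    try {
        $feat = Get-WindowsFeature -Name BitLocker -ErrorAction Stop
        Write-Host ("BitLocker server feature installed: {0}" -f $feat.Installed)
    } catch {
        # Get-WindowsFeature exists via RSAT on clients but only works on servers.
        Write-Host "Get-WindowsFeature not usable here (client SKU?)."
    }
}
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Write-Host "== BitLocker volumes =="
    # Encryption in progress, or protectors you did not deploy, are the
    # things to look at: ShrinkLocker locks the drive with BitLocker itself.
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
            @{ Name = 'Protectors'; Expression = {
                ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ',' } } |
        Format-Table -AutoSize
} else {
    Write-Host "BitLocker cmdlets not available on this host."
}

# 3. Shutdown events. System event 1074 (User32) records which process asked
#    for a reboot; a WMI Win32Shutdown call, as used by the malware, is
#    normally attributed to WmiPrvSE.exe rather than an interactive user.
Write-Host "== Recent shutdown/restart requests (System 1074) =="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ Name = 'Message'; Expression = { $_.Message -replace "`r?`n", ' ' } } |
    Format-Table -Wrap
```

Run it on the domain controller first, then fan it out with `Invoke-Command` to the hosts the first task would have copied to. A task whose `Delayed` column is true and whose command ends in `.vbs` is the pattern the article describes; `VolumeStatus` of `EncryptionInProgress` on a volume nobody enrolled in BitLocker is the point at which the reboot loop bug described above is the only thing still standing between the host and a locked drive.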
