Kaspersky Discovers ShrinkLocker Ransomware Variant

TapTechNews, May 25th. Kaspersky has published a security blog post reporting a ransomware variant it calls ShrinkLocker, found on systems in Mexico, Indonesia and Jordan. So far it has targeted corporate machines, including those of manufacturing companies, and it extorts victims by abusing Windows' own BitLocker drive encryption rather than shipping an encryptor of its own.

What sets ShrinkLocker apart is that it is written in VBScript (a legacy Windows scripting language that Microsoft has deprecated and that ships only as an optional feature on demand from Windows 11 24H2 onward). The script first identifies which Windows version the host PC is running.

Based on that check, the script applies the BitLocker configuration appropriate to the detected version and enables BitLocker on PCs running Windows Vista, Windows Server 2008 or anything newer. If the operating system is older than that, ShrinkLocker simply deletes itself and exits, leaving no trace of the attempt.

ShrinkLocker then shrinks every partition on the hard disk by 100 MB and uses the reclaimed space to create a new boot partition, labelled Shrink Locker; this partition-shrinking step is what gives the malware its name.

ShrinkLocker also deletes all of the key protectors that BitLocker would normally use to safeguard the encryption key, so the victim has no way to recover the key afterwards. The script generates a 64-character random key, sends it together with identifying information about the computer to the attacker, deletes the Windows event logs that would have recorded its activity, and finally forces the computer to shut down. From that point on every disk in the machine is fully encrypted and locked, and the system boots only from the newly created boot partition.
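The single most important defensive counterpart to the protector-deletion step above is making sure a recovery password for every encrypted volume already exists somewhere the attacker cannot delete it. The following PowerShell audit is an added example written for this article; it is not code from Kaspersky's report or from the ShrinkLocker script itself. It uses the standard BitLocker module cmdlets (Get-BitLockerVolume, Backup-BitLockerKeyProtector) and assumes an elevated prompt on a domain-joined machine whose group policy permits storing BitLocker recovery information in Active Directory. The function name, the finding labels and the -BackupToAD switch are this example's own choices.

```powershell
<#
  Added example, not part of the original article or the malware.
  Audits BitLocker key protectors on every volume, flags the two states
  that matter for a ShrinkLocker-style abuse of BitLocker, and optionally
  escrows each RecoveryPassword protector to Active Directory so that a
  later "delete all protectors" step cannot leave the organisation keyless.
  Also lists recent log-clear events, since the malware wipes its own logs.
#>
function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param(
        # Escrow recovery passwords to AD DS (requires the matching GPO).
        [switch]$BackupToAD
    )

    $tpmTypes = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        $finding = 'OK'
        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $recovery.Count -eq 0) {
            # Encrypted (or encrypting) with no recovery password: the state a
            # victim is left in once the default protectors have been removed.
            $finding = 'ENCRYPTED-NO-RECOVERY-PASSWORD'
        } elseif (($types -contains 'Password') -and -not ($types | Where-Object { $tpmTypes -contains $_ })) {
            # A password-only protector means BitLocker was enabled without the
            # TPM, which is unusual on managed, TPM-equipped hardware.
            $finding = 'PASSWORD-ONLY-PROTECTOR'
        }

        $backedUp = $false
        if ($BackupToAD -and $recovery.Count -gt 0) {
            foreach ($p in $recovery) {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $p.KeyProtectorId | Out-Null
            }
            $backedUp = $true
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            ProtectorTypes   = ($types -join ',')
            Finding          = $finding
            BackedUpToAD     = $backedUp
        }
    }
}

function Get-RecentLogClearEvents {
    [CmdletBinding()]
    param([int]$Hours = 24)

    $since = (Get-Date).AddHours(-$Hours)
    # System 104: an event log was cleared; Security 1102: the audit log was cleared.
    $filters = @(
        @{ LogName = 'System';   Id = 104;  StartTime = $since },
        @{ LogName = 'Security'; Id = 1102; StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, Message
    }
}

# Usage: report findings, escrow recovery passwords, then look for wiped logs.
Get-BitLockerProtectorAudit -BackupToAD | Format-Table -AutoSize
Get-RecentLogClearEvents -Hours 24 | Format-Table -AutoSize
```

Run this from a scheduled task or your endpoint management tool rather than by hand: the point is that recovery passwords are escrowed before an incident, because once the protectors are gone nothing on the machine can recreate them.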

Once a device has been hit by ShrinkLocker, its disks are left fully encrypted with no recoverable key, so in practice the machine is unusable. Kaspersky's assessment is that the authors must have a broad understanding of Windows internals and of less commonly used built-in utilities to have built an attack that leaves almost no traces.

Kaspersky's researchers were unable to identify who is behind the attack or where the exfiltrated keys are sent, but they were able to recover the ShrinkLocker script itself from a drive in an affected PC that BitLocker had not been enabled on.
