New Shrinklocker Ransomware Uses Bitlocker to Encrypt Your Files
Summary:
ShrinkLocker is a newly identified ransomware strain that encrypts corporate systems through Windows BitLocker by creating a new boot partition. Targeting sectors such as government, vaccine, and manufacturing, ShrinkLocker operates by shrinking non-boot partitions to form a new boot volume. Unlike previous ransomware, ShrinkLocker is designed with advanced features to maximize its destructive capability. Written in VBScript, the ransomware identifies the specific Windows version running on the target machine and proceeds with the attack only if certain conditions are met. If the target matches the criteria, ShrinkLocker uses the diskpart utility to shrink non-boot partitions and create new primary volumes of the same size. The ransomware then reinstalls boot files on these newly created partitions using the BCDEdit command-line tool.
Security Officer Comments:
Additionally, it modifies registry settings to disable remote desktop connections and enable BitLocker encryption on systems without a Trusted Platform Module (TPM). Instead of dropping a ransom note file, ShrinkLocker places its contact emails in the label of the new boot partition, which is challenging for administrators to detect. After encryption, the ransomware deletes the BitLocker protectors, making recovery impossible. Kaspersky has discovered multiple variants of ShrinkLocker used against various organizations, including government entities and industries in Mexico, Indonesia, and Jordan.
Suggested Corrections:
Companies are encouraged to use BitLocker or other encryption tools (such as VeraCrypt) to protect corporate secrets. However, a few precautions must be taken to avoid abuse by attackers.
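The following is an added example (not code from the article or from Kaspersky's report) of a report-only host audit that ties the precautions above to the behaviours described in the Summary and Security Officer Comments: it checks whether policy permits BitLocker without a TPM, whether Remote Desktop has been disabled through the registry, whether any volume label looks like an e-mail address, and whether every encrypted volume still carries a RecoveryPassword protector that an administrator can confirm is escrowed. The registry paths and value names are standard Windows locations chosen for this example; the article itself does not name the specific keys the malware touches.

```powershell
# Added example, not part of the original write-up. Run in an elevated
# PowerShell session on Windows 8 / Server 2012 or later (needs the BitLocker
# and Storage modules). Report-only: nothing is changed on the host.
# The registry locations below are standard Windows policy/config keys and are
# this example's assumptions about where to look, not values from the malware.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Policy that allows BitLocker key protectors without a TPM.
#    The write-up notes the ransomware enables BitLocker on systems that lack a TPM.
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$noTpm = (Get-ItemProperty -Path $fvePolicy -Name 'EnableBDEWithNoTPM' -ErrorAction SilentlyContinue).EnableBDEWithNoTPM
if ($noTpm -eq 1) {
    $findings.Add("EnableBDEWithNoTPM=1 under $fvePolicy permits BitLocker without a TPM; confirm this matches your baseline.")
}

# 2. Remote Desktop disabled via the Terminal Server registry key.
#    The write-up notes the ransomware disables remote desktop connections.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$denyRdp = (Get-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue).fDenyTSConnections
if ($denyRdp -eq 1) {
    $findings.Add("fDenyTSConnections=1: Remote Desktop is disabled on this host; verify this is intended.")
}

# 3. Volume labels that look like an e-mail address.
#    The write-up notes the contact e-mails are placed in the new boot partition's label.
Get-Volume | Where-Object { $_.FileSystemLabel -match '@' } | ForEach-Object {
    $findings.Add("Volume '$($_.DriveLetter)' has an e-mail-like label: '$($_.FileSystemLabel)'.")
}

# 4. Every encrypted volume should keep a RecoveryPassword protector, and its ID
#    should be present in your escrow (AD DS / Entra ID / key vault). Once protectors
#    are deleted, an un-escrowed volume cannot be recovered.
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        $findings.Add("Volume $($vol.MountPoint) is BitLocker-encrypted but has no RecoveryPassword protector.")
        continue
    }
    foreach ($rp in $recovery) {
        # Report the protector ID so it can be matched against the escrow store.
        $findings.Add("Volume $($vol.MountPoint): RecoveryPassword protector $($rp.KeyProtectorId) - confirm it is escrowed.")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings.'
} else {
    $findings | ForEach-Object { Write-Output "[FINDING] $_" }
}
```

Run it periodically from a management host (or as a scheduled task that ships its output to your SIEM) and compare against a known-good baseline: a newly appearing e-mail-like volume label, a change to the no-TPM policy, or an encrypted volume whose RecoveryPassword protector ID is not in your escrow store are the conditions worth alerting on.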
Link(s):
https://www.bleepingcomputer.com/ne...somware-uses-bitlocker-to-encrypt-your-files/