Bitdefender has released a tool to unlock and decrypt PCs hit by the ShrinkLocker ransomware, which encrypts hard drives and then extorts victims for payment in exchange for data recovery.
In 2024, ShrinkLocker and its variants were observed worldwide targeting Windows computers that had not already been encrypted by BitLocker or other programs, regardless of industry. Techopedia interviewed Bitdefender about the ransomware's development, its operation, and its use of an almost extinct programming language to target computers.
The Way ShrinkLocker Targets Computers
ShrinkLocker has already hit government agencies in Mexico and Indonesia, as well as sectors such as steel, pharmaceuticals, and vaccines. Bitdefender released its decryption tool for the ransomware on November 13. The link is provided for immediate access.
ShrinkLocker, discovered in May 2024, is written in VBScript and abuses Windows' own full disk encryption feature, BitLocker, to encrypt disk data. It uses no custom encryption algorithm of its own, which keeps the attack simple. The script first checks whether BitLocker is enabled on the compromised device and installs the feature if it is not. It then encrypts the entire system drive with BitLocker, generates a random password, and sends that password to the attacker's command-and-control (C2) server.
At the Windows recovery screen, ShrinkLocker victims see a blue screen and are left wondering what happened. The attackers leave their email address on that screen, and the ransomware gang claims the files are gone without the decryption key. Bitdefender disputes this, stating that data affected by ShrinkLocker is not lost and that decryption is feasible.
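As an added defender's example, not code from the article or from Bitdefender, the PowerShell audit below lists each BitLocker volume with its key protectors and flags the state described above: a system drive whose protection rests on a password or recovery password alone, with no TPM protector, or a volume that is being encrypted right now. It assumes the built-in BitLocker PowerShell module (Get-BitLockerVolume) and an elevated session; the function name Get-BitLockerProtectorAudit is my own. It only reports and changes nothing.

```powershell
# Added example (not from the article or Bitdefender): read-only audit of
# BitLocker volumes, looking for encryption that was enabled outside of policy.
# Assumes the BitLocker module (Windows 10/11, Server 2012 and later) and an
# elevated session. Function name is hypothetical.

function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Protector types present on this volume: Tpm, TpmPin, TpmStartupKey,
        # RecoveryPassword, Password, ExternalKey, ...
        $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasTpm = [bool]($types | Where-Object { $_ -like 'Tpm*' })

        $findings = @()

        # An OS drive with no TPM-bound protector stops at the blue recovery
        # screen on every boot; policy-driven deployments bind to the TPM.
        if ($vol.VolumeType -eq 'OperatingSystem' -and $vol.ProtectionStatus -eq 'On' -and -not $hasTpm) {
            $findings += 'OS drive protected without a TPM: boot depends on a password or recovery key'
        }

        # Without a RecoveryPassword protector there is nothing the organisation
        # can have escrowed to AD or Intune. Escrow itself must be checked against
        # those records separately; this script cannot see them.
        if ($vol.ProtectionStatus -eq 'On' -and $types -notcontains 'RecoveryPassword') {
            $findings += 'No RecoveryPassword protector: nothing to escrow'
        }

        # Encryption in flight on a machine that policy did not just touch is
        # worth a phone call before it completes.
        if ($vol.VolumeStatus -eq 'EncryptionInProgress') {
            $findings += 'Encryption currently running: confirm an administrator or policy started it'
        }

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType
            ProtectionStatus  = $vol.ProtectionStatus
            VolumeStatus      = $vol.VolumeStatus
            EncryptionPercent = $vol.EncryptionPercentage
            Protectors        = ($types -join ', ')
            Findings          = ($findings -join '; ')
        }
    }
}

# Volumes with findings sort to the top of the table.
Get-BitLockerProtectorAudit |
    Sort-Object { [string]::IsNullOrEmpty($_.Findings) } |
    Format-Table -AutoSize
```

Run it from an elevated prompt on a suspect machine, or wrap it in a scheduled job that feeds the objects to your SIEM. A healthy managed endpoint shows its OS drive with a Tpm (or TpmPin) protector plus a RecoveryPassword protector and an empty Findings column; an OS drive listing only RecoveryPassword or Password protectors is the shape this ransomware leaves behind.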
A Code for Ransomware Written in an Outdated Language
The ShrinkLocker code was created over a decade ago, even as skilled ransomware developers have been moving to newer programming languages such as Go or Rust. Martin Zugec, Technical Solutions Director at Bitdefender, emphasized that even older, less advanced techniques can pose significant threats.
Microsoft created VBScript (Visual Basic Scripting Edition), a scripting language that was once widely used to automate tasks on Windows systems. When more powerful scripting languages such as PowerShell appeared, this comparatively easy-to-learn language fell out of use. Microsoft even formally declared that VBScript would be deprecated in Windows 11 in 2024.
The ShrinkLocker team's reuse of an obsolete language, together with the way the script handles BitLocker, helps explain how the code has changed over time. BitLocker, Windows' built-in drive encryption, has evolved from partially manual to fully automated and integrated installations, which may account for the changes seen in the older script.
Let’s Discuss Decryption Keys for Ransomware
Europol's "No More Ransom" website, available in 37 languages, offers over 120 decryption tools covering over 150 ransomware variants. These tools have been used by over 6 million victims worldwide, and they are invaluable to anyone compromised by one of the specific variants they cover.
Bitdefender's Zugec stresses the importance of a strong, multilayered defense-in-depth strategy to reduce the risk from past, present, and future ransomware attacks. He acknowledges, however, that attackers can modify ransomware strains that law enforcement and security vendors have already cracked.
Since unmanaged devices have been the source of almost 70% of the security incidents Bitdefender's MDR team has investigated, combating ransomware requires a thorough understanding of how to secure these systems.
What Kind of Attacks Will Be Simple or Complex in the Next Wave of Ransomware?
In recent months, cybersecurity researchers have noticed a trend toward simplicity. Less complex methods of breaching systems and encrypting files can be low-risk, high-reward strategies, but are they becoming more popular? That question was also put to Bitdefender's researchers during their ShrinkLocker investigation.
Zugec believes one of the challenges in cybersecurity is separating hype from reality, and that large language models' supposed ability to create sophisticated malware is not yet evident.
Bitdefender already sees nearly 500,000 new malware samples a day, so LLMs writing malicious code is not a concern. What LLMs can do, according to Zugec, is make threat actors more profitable and boost less technical attacks such as business email compromise (BEC).
The Bottom Line
Simpler attacks are emerging as a secondary trend in ransomware and cyberattacks because they exploit basics that businesses often overlook: phishing lures, weak passwords, outdated software, and basic cybersecurity hygiene. Security teams must therefore keep their cybersecurity fundamentals in place even as they deploy advanced security solutions.