S1178 ShrinkLocker
ShrinkLocker is a VBS-based malicious script that leverages the legitimate Bitlocker application to encrypt files on victim systems for ransom. ShrinkLocker functions by using Bitlocker to encrypt files, then renames impacted drives to the adversary’s contact email address to facilitate communication for the ransom payment.12
| Item | Value |
|---|---|
| ID | S1178 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 07 December 2024 |
| Last Modified | 09 March 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | ShrinkLocker uses HTTP POST requests to communicate victim information back to the threat actor.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | ShrinkLocker uses PowerShell to disable protectors used to secure the BitLocker encryption key on victim machines and then delete the key from the system.1 |
| enterprise | T1059.005 | Visual Basic | ShrinkLocker is a VisualBasic script (VBS) object that calls multiple other operating system functions during execution.12 |
| enterprise | T1485 | Data Destruction | ShrinkLocker can initiate a destructive payload depending on the operating system check through resizing and reformatting portions of the victim machine’s disk, leading to system instability and potential data corruption.2 |
| enterprise | T1486 | Data Encrypted for Impact | ShrinkLocker uses the legitimate BitLocker application to encrypt victim files for ransom.12 |
| enterprise | T1491 | Defacement | - |
| enterprise | T1491.001 | Internal Defacement | ShrinkLocker renames disk labels on victim hosts to the threat actor’s email address to enable the victim to contact the threat actor for ransom negotiation.12 |
| enterprise | T1480 | Execution Guardrails | ShrinkLocker will exit its “main” function if the victim domain name does not match provided criteria.2 |
| enterprise | T1041 | Exfiltration Over C2 Channel | ShrinkLocker will exfiltrate victim system information along with the encryption key via an HTTP POST.12 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | ShrinkLocker disables protectors used to secure the BitLocker encryption key on victim systems.12 |
| enterprise | T1562.004 | Disable or Modify System Firewall | ShrinkLocker turns on the system firewall and deletes all of its rules during execution.12 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.001 | Clear Windows Event Logs | ShrinkLocker calls Wevtutil to clear the Windows PowerShell and Microsoft-Windows-Powershell/Operational logs.1 |
| enterprise | T1070.004 | File Deletion | ShrinkLocker can delete itself depending on various checks performed during execution.1 |
| enterprise | T1112 | Modify Registry | ShrinkLocker modifies various registry keys associated with system logon and BitLocker functionality to effectively lock-out users following disk encryption.12 |
| enterprise | T1057 | Process Discovery | ShrinkLocker checks whether the Bitlocker Drive Encryption Tools service is running.2 |
| enterprise | T1082 | System Information Discovery | ShrinkLocker uses WMI queries to gather various information about the victim machine and operating system.12 |
| enterprise | T1016 | System Network Configuration Discovery | ShrinkLocker captures the IP address of the victim system and sends this to the attacker following encryption.1 |
| enterprise | T1529 | System Shutdown/Reboot | ShrinkLocker can restart the victim system if it encounters an error during execution, and will forcibly shutdown the system following encryption to lock out victim users.1 |
| enterprise | T1124 | System Time Discovery | ShrinkLocker retrieves a system timestamp that is used in generating an encryption key.2 |
| enterprise | T1102 | Web Service | ShrinkLocker uses a subdomain on the legitimate Cloudflare resource “trycloudflare[.]com” to obfuscate the threat actor’s actual address and to tunnel information sent from victim systems.1 |
| enterprise | T1047 | Windows Management Instrumentation | ShrinkLocker uses WMI to query information about the victim operating system.1 |
References
-
Cristian Souza, Eduardo Ovalle, Ashley Muñoz, & Christopher Zachor. (2024, May 23). ShrinkLocker: Turning BitLocker into ransomware. Retrieved December 7, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Splunk Threat Research Team , Teoderick Contreras. (2024, September 5). ShrinkLocker Malware: Abusing BitLocker to Lock Your Data. Retrieved December 7, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩↩