Analytics Story: ShrinkLocker

Description

ShrinkLocker is a newly observed ransomware family that abuses the built-in Windows BitLocker feature to encrypt drives by creating new boot partitions: it targets non-boot partitions, shrinks them, and creates new boot volumes. ShrinkLocker has attacked a government entity and companies in the vaccine and manufacturing sectors. It drops no ransom note; instead, the label of the new boot partition carries the attackers' contact emails. Kaspersky researchers emphasize secure storage of BitLocker recovery keys and offline backups as the main mitigations against such threats.

Why it matters

ShrinkLocker ransomware has surfaced, leveraging Windows BitLocker to encrypt drives by creating new boot partitions. It targets non-boot partitions, shrinks them, and establishes new boot volumes. Notably, ShrinkLocker has attacked a government entity and companies in the vaccine and manufacturing sectors. Instead of a ransom note, it uses boot partition labels to communicate with victims. Kaspersky advises secure recovery key storage and offline backups to mitigate the risk.

Detections

| Name | Technique | Type |
|---|---|---|
| Processes launching netsh | Disable or Modify System Firewall | Anomaly |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task | TTP |
| Suspicious wevtutil Usage | Clear Windows Event Logs | TTP |
| Windows BitLocker Suspicious Command Usage | Data Encrypted for Impact, Inhibit System Recovery | TTP |
| Windows Delete or Modify System Firewall | Disable or Modify System Firewall | Anomaly |
| Windows Event Log Cleared | Clear Windows Event Logs | TTP |
| Windows Modify Registry Configure BitLocker | Modify Registry | TTP |
| Windows Modify Registry Delete Firewall Rules | Modify Registry | TTP |
| Windows Modify Registry Disable RDP | Modify Registry | Anomaly |
| Windows Modify Registry on Smart Card Group Policy | Modify Registry | Anomaly |
| Windows Modify Registry to Add or Modify Firewall Rule | Modify Registry | Anomaly |
| Wscript Or Cscript Suspicious Child Process | Process Injection, Parent PID Spoofing, Create or Modify System Process | TTP |
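The detections above are listed by name only. As an added illustration, not the page's content and not Splunk's own search logic, the following Python sketch shows how a few of them (BitLocker command usage, wevtutil log clearing, netsh firewall changes, scheduled-task changes, and the Wscript/Cscript child-process case) can be expressed as command-line rules over process-creation events and correlated per host. The event shape, hostnames and command-line patterns are this example's assumptions, constructed to resemble Sysmon EventID 1 / Security 4688 fields.

```python
import re
from collections import defaultdict

# Detection name -> regex on the lower-cased command line. The patterns are
# this example's assumptions about how each tool looks when abused, not the
# search definitions behind the Splunk detections named above.
RULES = [
    ("Windows BitLocker Suspicious Command Usage",
     re.compile(r"manage-bde(\.exe)?\b.*\s-(on|forcerecovery|protectors)\b")),
    ("Suspicious wevtutil Usage", re.compile(r"wevtutil(\.exe)?\s+cl\s")),
    ("Windows Delete or Modify System Firewall",
     re.compile(r"netsh(\.exe)?\s+advfirewall\s")),
    ("Scheduled Task Deleted Or Created via CMD",
     re.compile(r"schtasks(\.exe)?\s+/(create|delete)\b")),
]
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def match_rules(event):
    """Return the detection names whose pattern matches one event."""
    cmd = event["command_line"].lower()
    hits = [name for name, rx in RULES if rx.search(cmd)]
    # A script host spawning one of these tools also covers the
    # Wscript/Cscript child-process detection from the table.
    if hits and event["parent_image"].lower().endswith(SCRIPT_HOSTS):
        hits.append("Wscript Or Cscript Suspicious Child Process")
    return hits


def correlate(events, threshold=2):
    """Group hits per host and return hosts that trip at least `threshold`
    distinct detections, a stronger signal than any single rule alone."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_rules(ev))
    return {h: sorted(d) for h, d in per_host.items() if len(d) >= threshold}


# Constructed sample events shaped like Sysmon EventID 1 / Security 4688
# fields; hostnames, paths and command lines are made up for the example.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"manage-bde.exe -on D: -UsedSpaceOnly"},
    {"host": "ws01", "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wevtutil.exe cl Security"},
    {"host": "ws02", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"notepad.exe notes.txt"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Running it flags only ws01, where a script host both enabled BitLocker on a data volume and cleared the Security log; ws02's benign activity matches nothing.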

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 14 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 1102 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log System 104 | Windows | xmlwineventlog | XmlWinEventLog:Security |

Source: GitHub | Version: 1