Kaspersky Finds New Ransomware Using BitLocker To Encrypt Company Data

Cybersecurity illustration (photo: Kaspersky)

JAKARTA - The Kaspersky Global Emergency Response team has successfully identified a new ransomware attack that uses BitLocker Microsoft for an attempt to encrypt the company's files.

The researchers reported that threat actors used VBScript, the programming language used to automate tasks on Windows computers, to create malicious scripts.

If the OS version is suitable for the attack, the script will change the boot settings and try to encrypt the entire drive using BitLocker.

It creates a new boot partition, which essentially prepares a separate section on a computer drive containing files to boot the operating system.

This action aims to lock up the victim at the next stage. The attacker also removed the shield used to secure the key to the BitLocker encryption so that the victim could not recover it.

The malicious script then sends information about the system and encryption keys generated on compromised computers to servers controlled by threat actors.

After that, he covered up his footprint by deleting logs and various files that served as clues and assisting in the investigation of the attack.

"What is very concerning in this case is that BitLocker, which was originally designed to reduce the risk of theft or data exploitation, has been reused by an enemy for malicious purposes," said Cristian Souza, Incident Response Specialist at Kaspersky Global Emergency Response Team.

As a final step, the malware will carry out a forced shutdown of the system. The victim saw the BitLocker screen with the message: There is no longer a BitLocker recovery option on your PC.

Kaspersky dubbed the script as "ShrinkLocker" because this name highlights an important procedure for changing partition sizes, which is important for attackers to ensure the system is properly booting with encrypted files.

"Regular backups, stored offline and tested, are also important protections," Christian said.