
ShrinkLocker (+Decryptor): From Friend to Foe, and Back Again

submitted by
Style Pass
2024-11-14 07:00:04

Imagine a ransomware attack that's so old-school it's using VBScript and a built-in Windows feature for encryption. ShrinkLocker (discovered in May 2024) is a surprisingly simple yet effective ransomware that uses relics from the past.  

Unlike most modern ransomware, which relies on sophisticated encryption algorithms, ShrinkLocker takes a simpler, more unconventional approach. ShrinkLocker modifies BitLocker configurations to encrypt a system's drives. It first checks if BitLocker is enabled and, if not, installs it. Then, it re-encrypts the system using a randomly generated password. This unique password is uploaded to a server controlled by the attacker. After the system reboots, the user is prompted to enter the password to unlock the encrypted drive. The attacker's contact email is displayed on the BitLocker screen, directing victims to pay a ransom for the decryption key.  

By using a combination of Group Policy Objects (GPOs) and scheduled tasks, it can encrypt multiple systems within a network in as little as 10 minutes per device. As a result, a complete compromise of a domain can be achieved with very little effort, as demonstrated in one of our investigations. This simplicity makes the attack particularly attractive to individual threat actors who may not be part of a larger ransomware-as-a-service (RaaS) ecosystem.  
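The two paragraphs above describe what ShrinkLocker leaves behind: volumes whose BitLocker configuration has been rewritten so that a password known only to the attacker protects them, rolled out by GPO and scheduled task. A defender's first question is therefore which volumes in the estate are in that state, and whether a recovery password exists that the organisation itself holds. The script below is an added example written for this page, not code from the original article or from any vendor; it audits the local host with the standard BitLocker PowerShell module (`Get-BitLockerVolume`, `Backup-BitLockerKeyProtector`), flags volumes protected only by a password protector or lacking a recovery password, and can escrow recovery passwords to Active Directory. The function name and the finding labels are this example's own choices; it assumes an elevated session on Windows 8 / Server 2012 or later and, for the escrow switch, a domain-joined host whose policy allows storing recovery information in AD DS.

```powershell
# Added example (not from the original article): audit BitLocker key protectors on the local
# host and report volumes in a state consistent with a hostile re-encryption.
# Assumes the BitLocker module is available and the session is elevated.

function Get-BitLockerProtectorReport {
    [CmdletBinding()]
    param(
        # Escrow every RecoveryPassword protector to AD DS (assumption: domain-joined host
        # with the relevant BitLocker policy enabled).
        [switch]$BackupToAD
    )

    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        throw 'BitLocker PowerShell module not available on this host.'
    }

    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        # Finding labels are this example's own naming.
        $findings = @()

        # A volume whose only protector is a plain password is exactly what a
        # ShrinkLocker-style change leaves behind; legitimate deployments normally pair
        # TPM-based protectors with an escrowed recovery password.
        if ($types.Count -gt 0 -and @($types | Where-Object { $_ -ne 'Password' }).Count -eq 0) {
            $findings += 'OnlyPasswordProtector'
        }

        # An encrypted (or encrypting) volume with no recovery password cannot be recovered
        # by the organisation if its other protectors are removed.
        if ($recovery.Count -eq 0 -and $vol.VolumeStatus -ne 'FullyDecrypted') {
            $findings += 'NoRecoveryPassword'
        }

        if ($BackupToAD) {
            foreach ($kp in $recovery) {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                                             -KeyProtectorId $kp.KeyProtectorId | Out-Null
            }
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            Findings         = ($findings -join ',')
        }
    }
}

# Usage: run as Administrator. Add -BackupToAD to escrow recovery passwords while auditing.
Get-BitLockerProtectorReport | Format-Table -AutoSize
```

Run it from an elevated prompt; a row with `OnlyPasswordProtector` or `NoRecoveryPassword` in the Findings column is worth investigating before, not after, a reboot prompts for a password nobody in the organisation knows. Because the page notes that the attack is pushed by GPO and scheduled task, the same report is most useful when collected centrally (for example via a remoting session or an EDR script job) so that a fleet-wide change in protector types stands out.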
