{
	"id": "3cd25366-c5c4-4daa-9503-1609fd5c916a",
	"created_at": "2026-04-06T00:07:49.464727Z",
	"updated_at": "2026-04-10T13:12:35.640521Z",
	"deleted_at": null,
	"sha1_hash": "f264cb59021f18e3adc6808f4ba436ff42916434",
	"title": "ShrinkLocker (+Decryptor): From Friend to Foe, and Back Again",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6686437,
	"plain_text": "ShrinkLocker (+Decryptor): From Friend to Foe, and Back Again\r\nBy Martin Zugec\r\nArchived: 2026-04-05 22:03:36 UTC\r\nImagine a ransomware attack that's so old-school it's using VBScript and a built-in Windows feature for\r\nencryption. ShrinkLocker (discovered in May 2024) is a surprisingly simple yet effective ransomware that uses\r\nrelics from the past. \r\nUnlike most modern ransomware, which relies on sophisticated encryption algorithms, ShrinkLocker takes a\r\nsimpler, more unconventional approach. ShrinkLocker modifies BitLocker configurations to encrypt a system's\r\ndrives. It first checks if BitLocker is enabled and, if not, installs it. Then, it re-encrypts the system using a\r\nrandomly generated password. This unique password is uploaded to a server controlled by the attacker. After the\r\nsystem reboots, the user is prompted to enter the password to unlock the encrypted drive. The attacker's contact\r\nemail is displayed on the BitLocker screen, directing victims to pay a ransom for the decryption key. \r\nBy using a combination of Group Policy Objects (GPOs) and scheduled tasks, it can encrypt multiple systems\r\nwithin a network in as little as 10 minutes per device. As a result, a complete compromise of a domain can be\r\nachieved with very little effort, as demonstrated in one of our investigations. This simplicity makes the attack\r\nparticularly attractive to individual threat actors who may not be part of a larger ransomware-as-a-service (RaaS)\r\necosystem. \r\nAs we investigated ShrinkLocker, we discovered a surprising truth: this code may have been written over a decade\r\nago, likely for benign purposes. It's a digital time capsule that has been repurposed for malicious intent. While\r\nother security researchers have analyzed ShrinkLocker, their findings often fall short of accurately describing its\r\nbehavior in modern network environments. 
For instance, even the malware's name, 'ShrinkLocker,' is misleading, as it doesn't actually shrink partitions on current operating systems. \r\nOne of our biggest concerns was whether this attack vector could become a new trend. After all, it's a relatively simple concept that even a less experienced programmer could implement. Fortunately, our investigation uncovered some positive news: it's possible to develop a decryptor and even configure BitLocker to mitigate these attacks. By sharing our findings, we hope to assist security practitioners and researchers in understanding and mitigating the risks associated with this type of attack. \r\nFor those not looking to dive into the full analysis below, we've also covered this in a LinkedIn Live event.\r\nhttps://www.bitdefender.com/en-us/blog/businessinsights/shrinklocker-decryptor-from-friend-to-foe-and-back-again\r\nPage 1 of 22\n\nDecrypting ShrinkLocker \r\nAs ransomware evolves, attackers are leveraging advanced techniques, including leaked source code from professional ransomware-as-a-service groups and modern programming languages like Rust and Go. This makes it increasingly difficult to develop decryption tools solely through reverse engineering. However, in the case of ShrinkLocker, we've identified a specific window of opportunity for data recovery immediately after the removal of protectors from BitLocker-encrypted disks. We decided to make this decryptor publicly available, adding to our collection of 32 previously released decryption tools. \r\n1. Download the decryption tool from https://download.bitdefender.com/am/malware_removal/BDShrinkLockerUnlocker.exe\r\n2. Turn on your computer and wait for the BitLocker recovery screen to appear. When prompted for the BitLocker recovery key, press Esc to enter BitLocker Recovery Mode. \r\n3. 
On the BitLocker Recovery screen, select \"Skip this drive\". \r\n4. Choose \"Troubleshoot\" and then \"Advanced options\". \r\n5. Select \"Command Prompt\" from the advanced options menu. \r\n6. Ensure you have the BDShrinkLockerUnlocker.exe file prepared. You can transfer it to a USB drive and plug it into your computer. In the command prompt, navigate to the drive letter where the decryptor is located (e.g., D:\\). \r\n7. Type the following command and press Enter: D:\\BDShrinkLockerUnlocker.exe \r\nNote: You can disconnect the USB drive after launching the decryptor.\r\n8. The decryption process can take some time, depending on your system's hardware and the complexity of the encryption. Please be patient. Once the decryption is complete, the decryptor will automatically unlock the drive and disable the forced smart card logon (see the scforceoption registry change in the analysis below), so that password logon works again. \r\n9. After rebooting, your computer should start normally.\r\nDecryptor tools are inherently reactive, often limited to specific timeframes or software versions. Additionally, while they can restore access to encrypted data, they don't prevent threat actors from trying again with more success. We strongly recommend reviewing our Recommendations section for additional guidance, including specific tips on configuring BitLocker to minimize the risk of successful attacks. \r\nAnatomy of an Attack \r\nPrevious public reports have been unclear about whether ShrinkLocker primarily targets individuals or companies. Our investigation into an incident involving a healthcare company in the Middle East sheds light on this aspect, revealing that the attackers were targeting a corporate entity.  
\r\nThis section provides an overview of this specific ShrinkLocker attack, focusing on the broader attack methodology rather than the specific malware variant used. A detailed malware analysis follows in the next section. \r\nThe initial infiltration occurred on an unmanaged system, a common starting point for attacks. Approximately 70% of incidents investigated by our MDR team have begun on unmanaged devices, highlighting the significant risk posed by these systems. While the exact root cause remains unknown, there is suspicion that the attack originated from a machine belonging to one of the contractors. This incident underscores the growing threat of supply chain attacks, which often exploit weaknesses in third-party systems or relationships. While software-based supply chain attacks are often highlighted, this type of attack, targeting relationships rather than software, is far more common and often underestimated. \r\nThe threat actor moved laterally to an Active Directory domain controller using valid credentials for a compromised account. While on the domain controller, they created several text files (whose contents are unknown) and initiated another remote session, this time from the domain controller to a backup server. These actions suggest that the attacker was likely conducting reconnaissance or evaluating the potential for data exfiltration. \r\nThe following day, two scheduled tasks were created on the Active Directory domain controller. Both tasks were created by the same user who had previously accessed the domain controller, but they were executed under the SYSTEM context. Group Policy Preferences under the Default Domain Policy were modified to create the tasks on every domain-joined machine, ensuring widespread deployment of the ransomware. 
Interestingly, wscript.exe rather than cscript.exe was used to launch these scripts. \r\nThe first task, ADHelathCheck (the typo is the attacker's), set to run at 9:23 PM UTC that day, executed a script file named Check.vbs from the shared location %SYSVOL%\\%USERDNSDOMAIN%\\Scripts. This script copied the ransomware script, also located on the shared location, to the C:\\ProgramData\\Microsoft\\Windows\\Templates folder on every domain-joined machine. \r\nThe second task, ADHelathAudit, scheduled for two days later at 9:10 AM UTC, executed the locally deployed ransomware script named Audit.vbs (MD5: 2b72beb806acd35ba0d566378115346c). Approximately 40 minutes before the encryption process began, another RDP connection was established from the compromised user's device to the domain controller, likely to monitor the progress of the attack. The encryption task was completed at 11:45 AM UTC, taking approximately 2.5 hours to finish. \r\nThis attack was successful in encrypting systems running various operating systems, including Windows 10, Windows 11, Windows Server 2016, and Windows Server 2019. \r\nThe ShrinkLocker variant used in this attack appears to be a modified version of the original script, created by a different author. This is not uncommon, as various threat actors have adapted and evolved the malware to suit their specific needs and objectives. While some changes are expected, such as alterations to the command-and-control (C2) infrastructure, there are a few notable differences in this particular variant: \r\nTargeted Attack: The inclusion of a hardcoded check for the domain name indicates that this attack was specifically targeted at the organization. 
\r\nModified Registry Changes: The use of \"WMIC.exe\" instead of \"reg.exe add\" to make registry changes demonstrates a preference for different tools or techniques, potentially indicating a different skillset or background. \r\nInconsistent Scripting: The presence of typos in the scheduled task names and redundant code sections suggests that the threat actor may not have been a highly skilled programmer. This could indicate that the malware was adapted by a less sophisticated attacker, possibly a lone wolf rather than an organized threat group. \r\nAs the barrier to entry for using and modifying ShrinkLocker is relatively low, it is accessible to a wide range of attackers. Our analysis shows that ShrinkLocker malware is being adapted by multiple individual threat actors for simpler attacks, rather than being distributed through a ransomware-as-a-service (RaaS) model.\r\nShrinkLocker Analysis \r\nWe understand that this section may be lengthy, but ShrinkLocker is an unusual ransomware threat. Analyzing it was both fascinating and frustrating. If technical details aren't your thing, please don't skip the “Conclusion and Recommendations” section. We've packed it full of practical advice and helpful tips. \r\nShrinkLocker is an unusual ransomware threat for two reasons: it’s written in VBScript, and it leverages BitLocker to encrypt and lock down victim systems. This approach is atypical of modern ransomware, suggesting either a unique strategy or a less sophisticated threat actor. Several companies have published detailed analyses of ShrinkLocker. While these analyses have been comprehensive, they often focused on specific technical aspects rather than explaining how the malware is likely to be used in real-world attacks. 
\r\nIn our analysis, we are focusing solely on currently supported operating systems. This is because around 70% of the ShrinkLocker code is hardcoded to execute only on legacy systems like Windows 7/8 or Windows Server 2008/2012. This legacy code is often non-functional due to poor quality assurance, for example conditional branches that can never evaluate as true. Even the malware's namesake functionality, shrinking partitions, is limited to very old systems: not only is this feature hardcoded for legacy systems, but it also requires the system volume to have a drive letter assigned, a behavior that changed starting with Windows Server 2012. \r\nOne possible explanation for this legacy focus is that the code was originally developed for other purposes and only later adapted for malicious use. This would explain not only the inclusion of extensive code for outdated operating systems without any explicit checks for newer versions (the latest version mentioned is “2012”), but also the choice of VBScript as the scripting language. \r\nMicrosoft has officially announced the deprecation of VBScript starting with Windows 11 24H2, further emphasizing the outdated nature of this scripting language. While VBScript was once commonly used, its prevalence has significantly declined in recent years (with the exception of the immortal slmgr.vbs), making it unlikely that this malware was recently developed.\r\nScript Initialization\r\nThe script begins by initializing variables and creating an object to interact with the Windows Management Instrumentation (WMI) service. WMI is used throughout the script to gather system information. The code then executes two WMI queries to retrieve information about the computer's system configuration and operating system. 
This data is stored in the colItems and colItems2 collections. The colItems2 collection is unique to this modified version of the script and is used only to perform the initial domain check. The colItems collection is a generic variable that is reused throughout the script to hold the results of various queries. \r\nTarget Validation\r\nThis section of the code checks if the computer is part of a specific domain. This customization demonstrates how the malware has been tailored to target the specific organization. The InStr function is used to search for a particular substring within another string. If the substring is found (indicated by the \u003e 0 condition), the If branch is empty and execution simply continues; the action is taken only in the Else branch, i.e., when the expected domain name is absent. This inverted logic, where the absence of a condition triggers the action, is a common pattern throughout the code. \r\nCheck for Supported Operating Systems\r\nThis section is a brief check to see if the script is running on a relic from the early 2000s: Windows (Server) 2000, Windows XP, or Windows Server 2003. As usual, let’s just pretend that Windows ME never existed. If the script is running on an unsupported operating system, it deletes itself (the Audit.vbs file) from the specified location and then terminates. \r\nNote: This will be the last time we'll discuss the code specifically targeting legacy systems. The rest of our analysis will focus only on the code that applies to currently supported operating systems.\r\nBitLocker Deployment\r\nIgnore the highlighted code.\r\nThe purpose of this section is to validate if BitLocker is installed. If it’s not, it attempts to deploy the feature as a prerequisite for encryption. \r\nWhile the code may seem complex, much of it (highlighted) is irrelevant at this stage. 
This highlighted section contains registry changes related to BitLocker configuration that are not directly involved in the deployment process. The script author's tendency to copy and paste code throughout the script led to the inclusion of this specific code block in multiple locations (9 in total). We include this segment only because it has some unintended consequences that can help defenders. \r\nThe script begins by checking if BitLocker is installed using the WMI query SELECT * From Win32_OptionalFeature WHERE Name = ‘Bitlocker’. This query is only relevant for Windows Server operating systems, as BitLocker is not exposed as an optional feature in the Win32_OptionalFeature class on client systems. On client operating systems, this query returns no results, and the script continues to the next section. If the query returns a result, the script proceeds to deploy BitLocker using the command powershell.exe -Command Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools. \r\nFollowing installation, the script enters a loop to monitor the installation status. Once BitLocker is successfully installed (InstallState = 1), the script attempts to restart the server. However, there is a known bug that prevents the restart from completing successfully. \r\nThis behavior presents an opportunity for experienced SOC/MDR teams to identify this as an anomaly: \r\nWindows Server Focus – While it might not be immediately clear, this code is focused on Windows Server. This whole script block is skipped if BitLocker is already enabled, as is often the case for compliance reasons. If you are using another encryption method (such as an encrypted SAN for virtual servers), an unexpected BitLocker feature installation on a server can help you identify an ongoing attack, especially in combination with the other notes from this section. 
\r\nWin32Shutdown Bug – The script will attempt to force a restart using the Win32Shutdown(6) method (flag 6 is reboot (2) plus force (4)). This request fails with a “Privilege Not Held” error, which is what WMI returns when SeShutdownPrivilege has not been enabled for the call (for example through the (Shutdown) privilege in the winmgmts: moniker), leaving the script (and the parent scheduled task) stuck in a never-ending loop. \r\nNo Resume After Reboot – Even if the server is rebooted manually (e.g. by an unsuspecting administrator), the script has no mechanism to resume its execution after the reboot, meaning that the attack may be interrupted or prevented. \r\nUnintended Registry Modifications – The script modifies several registry keys. While most of these modifications are not directly relevant to the BitLocker encryption process at this stage, the changes to scforceoption and fDenyTSConnections have an impact on system behavior. These registry modifications are designed to restrict access to the system by disabling remote RDP and local password-based login. While these changes can be easily reversed, their presence can be detected by security teams.\r\nIn conclusion, if this section of the script is executed on a Windows Server machine without BitLocker deployed, the following will occur: \r\nThe BitLocker feature will be installed on the system. \r\nThe script (and the scheduled task that triggered it) will become stuck in an infinite loop due to a failed reboot attempt. \r\nLocal and remote access to the machine will be blocked but can be easily restored. \r\nRandom Password Generation \r\nThere are two code snippets that work together to generate a random string that will be used as the BitLocker password. This random password is derived from system-specific information, which ties it to the characteristics of each compromised system. 
\r\nIgnore the .Label for now, we will explain it in the next chapter. \r\nThe first code snippet retrieves information about network traffic, system memory, and disk utilization. It uses WMI queries to retrieve data from the Win32_PerfRawData_Tcpip_NetworkInterface, Win32_OperatingSystem and Win32_ComputerSystem classes. \r\nNetwork Interface Data: \r\nTimestamps (sys, perf) \r\nReceived bytes per second (received) \r\nSent bytes per second (sent) \r\nSystem Memory Data: \r\nTotal visible memory size \r\nFree physical memory \r\nUsed physical memory \r\nDisk Space: \r\nUsed space (boot volume) \r\nFree space (boot volume) \r\nThe script then combines these system characteristics with the current system time (obtained using the built-in Timer function) to create a custom seed value. This seed value is then used to seed the random number generator (Randomize seed). \r\nUsing a custom seed ties the generated password to per-host values and timing rather than to the default Randomize seed alone, presumably to make the password harder to predict. A caveat for defenders: this does not make the password cryptographically strong. VBScript's Rnd is the classic Visual Basic linear congruential generator with a 24-bit internal state, so however elaborate the seed, the practical key space of the resulting password is bounded by that 24-bit state rather than by the 64-character length of the output. \r\nThe characters string defines the possible characters that can be included in the generated random string, including a variety of alphanumeric characters and symbols (“the quick brown fox jumps over the lazy dog” in both lower and upper case). \r\nFinally, the script combines the seeded generator with individual characters to generate the new random password. The Rnd function (which returns a value between 0 and 1, scaled by 90, the length of the characters string) is used to generate a random index. 
This random number is then used to pick a character from the characters string using the Mid function. The For loop iterates 64 times, generating a random character in each iteration. These random characters are concatenated in the string variable strRandom, the password that will be used for the BitLocker configuration. \r\nPreparing for Encryption \r\nYou may recall from the previous chapter that the attackers manipulate the disk label during the password generation process. This is used in place of a traditional ransom note, as the user's entire disk becomes inaccessible. When the BitLocker recovery key is requested, the disk label is displayed alongside the machine's hostname. \r\nThe meaning of the 'TEL' prefix in the email address is unclear. However, we've observed similar email addresses with the same format, suggesting that each victim may have a unique email assigned for communication with the threat actor. \r\nFinally, there is a status check of the BitLocker service (named \"BDESVC\") using WMI to query the service's state and status. If the service is not running or is not in an \"OK\" state, the script attempts to start the service and then pauses for 2 seconds to allow the service to start. The script continues to check the service's status in a loop until it is running and in an \"OK\" state. \r\nWe’ve previously explained that the script modifies the registry to restrict access to the system by: \r\nDisabling remote RDP connections: The fDenyTSConnections setting prevents users from accessing the system remotely using Remote Desktop Protocol. \r\nDisabling password-based login: The scforceoption setting (the policy “Interactive logon: Require smart card”, renamed “Require Windows Hello for Business or smart card” on current builds) disables password-based login, requiring users to authenticate with a smart card or Windows Hello for Business credential instead. 
\r\nIn addition to restricting access, the script also configures additional BitLocker settings under the registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE. These are the values that the Group Policy setting “Require additional authentication at startup” writes; for the UseTPM* values, 0 means do not allow, 1 means require and 2 means allow. \r\n\"UseAdvancedStartup\"=dword:00000001 - Enables the “Require additional authentication at startup” policy, the parent of the values below. Despite the name, it has nothing to do with the Advanced Startup recovery menu. \r\n\"EnableBDEWithNoTPM\"=dword:00000001 - “Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)”. This is the value that matters most here: it is the prerequisite for the password protector that the script later adds to the operating system drive. \r\n\"UseTPM\"=dword:00000002 - TPM-only startup is allowed (not required). \r\n\"UseTPMPIN\"=dword:00000002 - TPM with startup PIN is allowed (not required). \r\n\"UseTPMKey\"=dword:00000002 - TPM with startup key is allowed (not required). \r\n\"UseTPMKeyPIN\"=dword:00000002 - TPM with startup key and PIN is allowed (not required). \r\n\"EnableNonTPM\"=dword:00000001 - Legacy Windows Vista/Server 2008 counterpart of EnableBDEWithNoTPM, written by the old “Control Panel Setup: Enable advanced startup options” policy. \r\n\"UsePartialEncryptionKey\"=dword:00000002 - Legacy counterpart of UseTPMKey: allow a startup key on a USB flash drive. \r\n\"UsePIN\"=dword:00000002 - Legacy counterpart of UseTPMPIN: allow a startup PIN. \r\nThe net effect is that a password-only configuration with no TPM, which is exactly what the script goes on to create, is permitted by policy even on machines without a TPM. 
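To turn the registry list above into something a responder can run, here is an added triage script written for this page; it is not part of the Bitdefender write-up, the decryptor, or the ShrinkLocker script. It reads the FVE values and the two access-restriction values from the live registry and reports which ones match what the script writes, with the 0/1/2 semantics stated above. Assumptions, because the write-up does not name the exact keys: scforceoption is read from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and fDenyTSConnections is checked in both the Terminal Server control key and its Terminal Services policy key. The function names are ours. Run it in an elevated PowerShell session on a suspect host.

```powershell
# Added example, not code from the original write-up or from the ShrinkLocker script.
# Reads the registry values ShrinkLocker writes and reports which ones are present.
# Assumption: scforceoption and fDenyTSConnections live in their standard locations
# (the write-up does not name the keys), so both RDP locations are checked.

function Get-ShrinkLockerRegistryIndicators {
    [CmdletBinding()]
    param()

    $fve   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $logon = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $tsCtl = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tsPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # (path, value name, value the script writes, what it means).
    # For the UseTPM* values 0 = do not allow, 1 = require, 2 = allow.
    $indicators = @(
        @{ Path = $fve;   Name = 'UseAdvancedStartup';      Value = 1; Meaning = '"Require additional authentication at startup" enabled' }
        @{ Path = $fve;   Name = 'EnableBDEWithNoTPM';      Value = 1; Meaning = 'BitLocker allowed without a compatible TPM (password/startup key)' }
        @{ Path = $fve;   Name = 'UseTPM';                  Value = 2; Meaning = 'TPM-only startup allowed' }
        @{ Path = $fve;   Name = 'UseTPMPIN';               Value = 2; Meaning = 'TPM + PIN allowed' }
        @{ Path = $fve;   Name = 'UseTPMKey';               Value = 2; Meaning = 'TPM + startup key allowed' }
        @{ Path = $fve;   Name = 'UseTPMKeyPIN';            Value = 2; Meaning = 'TPM + startup key + PIN allowed' }
        @{ Path = $fve;   Name = 'EnableNonTPM';            Value = 1; Meaning = 'legacy (Vista-era) no-TPM option' }
        @{ Path = $fve;   Name = 'UsePartialEncryptionKey'; Value = 2; Meaning = 'legacy (Vista-era) startup-key option' }
        @{ Path = $fve;   Name = 'UsePIN';                  Value = 2; Meaning = 'legacy (Vista-era) PIN option' }
        @{ Path = $logon; Name = 'scforceoption';           Value = 1; Meaning = 'smart card required for interactive logon (password logon blocked)' }
        @{ Path = $tsCtl; Name = 'fDenyTSConnections';      Value = 1; Meaning = 'Remote Desktop denied (control key)' }
        @{ Path = $tsPol; Name = 'fDenyTSConnections';      Value = 1; Meaning = 'Remote Desktop denied (policy key)' }
    )

    foreach ($i in $indicators) {
        $current = $null
        if (Test-Path -Path $i.Path) {
            $item = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $current = $item.($i.Name) }
        }
        [pscustomobject]@{
            Name    = $i.Name
            Path    = $i.Path
            Current = $current
            Matches = ($null -ne $current) -and ($current -eq $i.Value)
            Meaning = $i.Meaning
        }
    }
}

function Undo-ShrinkLockerAccessRestrictions {
    # Reverses only the two lockout values (the smart card part is what the decryptor does too).
    # The FVE values are left in place as evidence; collect them before a GPO refresh overwrites them.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $logon = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $tsPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    if ($PSCmdlet.ShouldProcess("$logon\scforceoption", 'set to 0')) {
        Set-ItemProperty -Path $logon -Name scforceoption -Value 0 -Type DWord
    }
    # Only the policy-key copy is removed: the Terminal Server control-key value is the host's own
    # RDP setting and should be restored to its documented baseline by hand.
    if ((Test-Path $tsPol) -and (Get-ItemProperty -Path $tsPol -Name fDenyTSConnections -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess("$tsPol\fDenyTSConnections", 'remove')) {
            Remove-ItemProperty -Path $tsPol -Name fDenyTSConnections
        }
    }
}

$report = Get-ShrinkLockerRegistryIndicators
$report | Format-Table Name, Current, Matches, Meaning -AutoSize
$fveHits = @($report | Where-Object { $_.Matches -and $_.Path -like '*\FVE' }).Count
if ($fveHits -ge 6) {
    Write-Warning "$fveHits of 9 FVE values match the ShrinkLocker profile on $env:COMPUTERNAME; collect the FVE key and the BitLocker event log before remediating."
}
# Undo-ShrinkLockerAccessRestrictions -WhatIf   # preview; drop -WhatIf to restore password logon
```

The threshold of six matching FVE values is a judgement call: a legitimately managed fleet may set a few of these through its own BitLocker GPO, but the full set together with scforceoption and fDenyTSConnections appearing at the same time is the combination the script produces.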
\r\nThe code responsible for modifying BitLocker-related registry settings appears nine times throughout the script. While the original script used reg.exe add for these modifications, this variant uses WMIC.exe for some of the changes. The reason for this switch is unclear, but it offers defenders additional opportunities to detect malicious activity.\r\nBitLocker (Re)Configuration\r\nThe script executes the command manage-bde -protectors -delete \u003cdrive\u003e to delete the existing protectors from the protected drive. \r\nProtectors are the mechanisms BitLocker uses to protect the volume master key. They include hardware protectors like the TPM and software protectors like passwords or recovery passwords. By deleting all protectors, the script aims to make it impossible for the victim to recover their data or decrypt the drive. Note that removing the last protector does not by itself lock the data: BitLocker keeps the volume usable (in effect the same state as a suspended volume) until a new protector is applied and protection is resumed, which is why the Enable-BitLocker and Resume-BitLocker steps below are needed. This is also the moment at which the recovery password protector, the one that would normally be escrowed to AD DS, disappears. \r\nAfter removing the previously configured protectors, the script converts the previously generated string strRandom into a secure string using ConvertTo-SecureString -AsPlainText -Force. \r\nThe Enable-BitLocker -qe -pwp -pw $a command is used to configure BitLocker for the specified drive. This configuration step doesn't immediately start the encryption process but prepares the drive for it. \r\nShortened switch parameters are used. Here's a more detailed explanation of what they do: \r\n-qe is an alias for -UsedSpaceOnly. This switch parameter instructs BitLocker to encrypt only the portion of the drive that is currently in use, leaving unallocated space untouched. \r\n-pwp is an alias for -PasswordProtector. This switch parameter specifies that a password will be used to safeguard the volume encryption key. \r\n-pw is an alias for -Password. 
This secure string parameter defines the actual password that will be used to unlock the encrypted drive; $a is the variable storing the previously generated password. \r\nThe Resume-BitLocker -MountPoint \u003cdrive\u003e cmdlet is then used to start (or resume) the encryption process, which takes approximately 10 minutes to complete based on the log files. The actual encryption time can vary depending on several factors, including the size of the drive being encrypted, the speed of the system's hardware, and the amount of data currently on the drive. \r\nPassword Upload \r\nThe following section covers how the script uploads the newly generated password to a server controlled by the threat actor. \r\nThe Stream_StringToBinary function converts a text string into binary format. It creates an ADODB.Stream object to handle the data, sets the stream mode to text, writes the input string to the stream, converts the stream to binary format, and then reads the binary data. This prepares the generated password for network transmission or other operations that require binary data. \r\nThe next code snippet uses TryCloudflare, a free tier service offered by Cloudflare that allows users to establish temporary tunnels to their local servers without requiring a full Cloudflare account. \r\nUsing dynamically generated subdomains allows the attacker to maintain a discreet and controlled connection with the compromised machine, enabling them to receive stolen data without complicated infrastructure. While TryCloudflare itself is a legitimate service, its misuse in this context highlights the potential for malicious actors to leverage legitimate tools for nefarious purposes. 
\r\nSetting the Accept-Language header in the HTTP request to “fr” may mean that the threat actor is using it to filter out unwanted connections. \r\nThis code is responsible for uploading information about the compromised victim to the threat actor via an HTTP POST request.  \r\nThe collected information includes the hostname, operating system name (OS caption), encrypted drives, and the randomly generated password. This data is used to identify the compromised system and provide the attacker with the information needed for decryption. An example of this string is “WIN-0Q8BALHTUT8 Microsoft Windows Server 2022 Standard       C:,     QsexeTd41GoWRNZE8Oeo2RQZO#EO*fY-HU2fzxEEwvj5RIS70qiqYGU-SRCsJN0B”. \r\nCleanup\r\nThe script finishes by attempting to clean up its traces. It checks if the current machine is a specific (hardcoded) domain controller and, if so, deletes the related files from SYSVOL. \r\nOn all systems, it disables Windows Firewall rules, deletes audit files (PowerShell event logs), and tries to remove scheduled tasks named \"Login\" and \"WomenDisk\". \r\nThese task names are often randomized to evade detection. The script contains a mistake: it references the tasks by their original names instead of the newest versions. \r\nFinally, the script initiates a system shutdown, leaving the user with a BitLocker pre-boot screen prompting for a password. \r\nWhen an attempt is made to recover BitLocker access, contact information for the threat actor is displayed on the screen. \r\nConclusion and Recommendations \r\nShrinkLocker is a novel ransomware strain that leverages a unique approach to encrypt systems. 
By exploiting BitLocker, a legitimate Windows feature, it can rapidly encrypt entire drives, including system drives. Unlike traditional ransomware, ShrinkLocker doesn't introduce its own encryption mechanism but instead manipulates BitLocker to achieve its malicious goals.  \r\nProactive monitoring of specific Windows event logs can help organizations identify and respond to potential BitLocker attacks, even in their early stages, such as when attackers are testing their encryption capabilities. Specifically, track events from the \"Microsoft-Windows-BitLocker-API/Management\" source (the Microsoft-Windows-BitLocker-API provider, written to the Microsoft-Windows-BitLocker/BitLocker Management channel), particularly those with event IDs 776 (protector removal) and 773 (BitLocker suspension). Because ShrinkLocker removes every protector before adding its own password, a 776 on a host whose BitLocker configuration is managed centrally, with no matching change ticket, deserves immediate attention.\r\nWhile this monitoring can help with detection, there is also a Group Policy setting that acts as proactive prevention. By configuring BitLocker to store recovery information in Active Directory Domain Services (AD DS) and enforcing the policy \"Do not enable BitLocker until recovery information is stored to AD DS for operating system drives,\" organizations can significantly reduce the risk of BitLocker-based attacks. \r\nThe policy \"Do not enable BitLocker until recovery information is stored to AD DS for operating system drives\" ensures that BitLocker encryption cannot be started unless the necessary recovery information is securely stored in Active Directory. This prevents unauthorized encryption attempts, as the attacker would need to both encrypt the drive and locate and remove the recovery information from AD. 
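Two hunts that follow from the points above, added here as an example written for this page (they are not code from the Bitdefender write-up). The first pulls protector-removal (776) and suspension (773) events from the BitLocker management channel on one or more hosts; the second walks SYSVOL for Group Policy Preferences ScheduledTasks.xml files and flags tasks that launch a script host or reference a .vbs file, which is how the tasks in the investigated attack were pushed to every domain member. Assumptions: the channel name used below is the one on Windows 10/11 and Server 2016 and later; SYSVOL is reachable as \\<domain>\SYSVOL\<domain>\Policies from where the script runs; the function names and the "suspicious" pattern are ours.

```powershell
# Added example, not code from the original write-up. Two hunts for the signals the text
# describes: (1) BitLocker protector removal (776) and suspension (773) in the BitLocker
# management channel; (2) Group Policy Preferences scheduled tasks in SYSVOL that launch a
# script host, the delivery method used in the investigated attack.
# Assumptions: the channel name below (provider Microsoft-Windows-BitLocker-API) is the one on
# Windows 10/11 and Server 2016+; SYSVOL is reachable as \\<domain>\SYSVOL\<domain>\Policies.

function Find-BitLockerProtectorEvents {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Days = 7
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = @(776, 773)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    foreach ($computer in $ComputerName) {
        # Get-WinEvent reports "no events found" as an error; silence it and move on.
        $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            [pscustomobject]@{
                Computer    = $computer
                TimeCreated = $e.TimeCreated
                Id          = $e.Id
                Signal      = if ($e.Id -eq 776) { 'protectors removed' } else { 'protection suspended' }
                Message     = ($e.Message -split "`r?`n")[0]
            }
        }
    }
}

function Find-GppScheduledTasks {
    [CmdletBinding()]
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        # Launchers a ShrinkLocker-style deployment uses for its .vbs payloads (our pattern, tune it).
        [string]$SuspiciousCommand = 'wscript|cscript|powershell|cmd\.exe'
    )
    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    $files = Get-ChildItem -Path $policies -Filter 'ScheduledTasks.xml' -Recurse -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        # Path is ...\Policies\{GPO-GUID}\Machine|User\Preferences\ScheduledTasks\ScheduledTasks.xml
        $gpoGuid = [regex]::Match($file.FullName, '\{[0-9A-Fa-f-]{36}\}').Value
        [xml]$doc = Get-Content -Path $file.FullName -Raw
        # GPP wraps each task (Task, TaskV2, ImmediateTask, ImmediateTaskV2) under the ScheduledTasks root.
        foreach ($task in $doc.ScheduledTasks.ChildNodes) {
            $props = $task.SelectSingleNode('Properties')
            if ($null -eq $props) { continue }
            # V1 tasks keep the command in appName/args attributes; V2 tasks nest Exec/Command/Arguments.
            $command   = @($props.GetAttribute('appName')) + @($task.SelectNodes('.//Command')   | ForEach-Object InnerText)
            $arguments = @($props.GetAttribute('args'))    + @($task.SelectNodes('.//Arguments') | ForEach-Object InnerText)
            $cmdText   = (($command + $arguments) | Where-Object { $_ }) -join ' '
            [pscustomobject]@{
                Gpo         = $gpoGuid
                Scope       = if ($file.FullName -match '\\Machine\\') { 'Machine' } else { 'User' }
                TaskType    = $task.LocalName
                TaskName    = $task.GetAttribute('name')
                RunAs       = $props.GetAttribute('runAs')
                CommandLine = $cmdText
                Modified    = $file.LastWriteTimeUtc
                Suspicious  = ($cmdText -match $SuspiciousCommand) -or ($cmdText -match '\.vbs|SYSVOL|\\Scripts\\')
            }
        }
    }
}

Find-BitLockerProtectorEvents -Days 30 | Sort-Object TimeCreated | Format-Table -AutoSize
Find-GppScheduledTasks | Where-Object { $_.Suspicious } |
    Format-Table Gpo, Scope, TaskName, RunAs, CommandLine, Modified -AutoSize
```

The Default Domain Policy, which the attackers modified in the investigated case, has the well-known GUID {31B2F340-016D-11D2-945F-00C04FB984F9}; any scheduled task appearing there with a recent Modified timestamp and a wscript.exe command line is worth a call before it fires. Pass -ComputerName with a list of servers to the event hunt to cover more than the local host.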
\r\nAttackers can remove existing protectors and set a new password, but they are unable to start the encryption\r\nprocess without first storing the recovery information in AD DS. \r\nNote: this policy should be implemented and evaluated carefully, following established change management\r\npractices. Threat actors can identify and disable the policy before launching an attack; ShrinkLocker itself is\r\ndeployed through GPOs, so the same level of access suffices. Nevertheless, it is a valuable deterrent, particularly\r\nagainst less sophisticated attackers, and gives defenders additional opportunity and time to respond and mitigate\r\nthe impact of an attack. \r\nOur general recommendation for defending against past, present, and future threats remains the same: a\r\nmultilayered, defense-in-depth architecture. Ransomware attacks, especially those involving RaaS affiliates, are\r\nessentially manual hacking operations. \r\nPrevention: A critical first step in mitigating the risk of ransomware attacks is minimizing the attack surface. This\r\nmeans keeping systems up to date with the latest security patches, especially those exposed to the internet, to\r\nprevent exploitation of known weaknesses. Additionally, Multi-Factor Authentication (MFA) significantly reduces\r\nthe risk of unauthorized access even when credentials are compromised through phishing or other means.\r\nMinimizing the number of systems exposed to the internet and implementing strong access controls further\r\nreduce the attack surface.  
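As an added example (editor-supplied PowerShell, not Bitdefender's code and not part of ShrinkLocker), the following read-only triage script turns the indicators from the Cleanup section and the two BitLocker recommendations above into host checks: it pulls BitLocker-API events 773 and 776 from a lookback window, reports whether recovery information is backed up to AD DS and whether the \"Do not enable BitLocker until recovery information is stored to AD DS\" requirement is in force, and looks for the leftover scheduled tasks \"Login\" and \"WomenDisk\", disabled Windows Firewall profiles, and cleared PowerShell event logs. The FVE registry value names, the use of System event 104 as the generic \"log was cleared\" record, and the function name Invoke-ShrinkLockerTriage are my assumptions, not from the article; verify the value names against the resultant set of policy on your own build.

```powershell
# Added triage script (not Bitdefender's code, not part of ShrinkLocker) for the indicators the
# article describes. Read-only; run in an elevated PowerShell session on a domain-joined host.
# Assumptions: the FVE policy value names below are the ones the
# 'Choose how BitLocker-protected operating system drives can be recovered' GPO writes;
# event 104 in the System log is the generic 'log file was cleared' record.
# Forward slashes are used in the registry path on purpose; PowerShell providers accept
# either separator, and it keeps the block free of backslashes.

function Get-FvePolicyValue {
    # Returns the DWORD under the BitLocker policy key, or 0 when the key or value is absent.
    param([string]$Name)
    $fve = 'HKLM:/SOFTWARE/Policies/Microsoft/FVE'
    if (-not (Test-Path -Path $fve)) { return 0 }
    $item = Get-ItemProperty -Path $fve -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

function Invoke-ShrinkLockerTriage {
    param([int]$LookbackHours = 72)
    $since    = (Get-Date).AddHours(-$LookbackHours)
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Early-warning telemetry from the article: protector removal (776) and suspension (773).
    #    Provider Microsoft-Windows-BitLocker-API writes these to the BitLocker-API/Management log.
    $bl = Get-WinEvent -FilterHashtable @{
        ProviderName = 'Microsoft-Windows-BitLocker-API'
        Id           = 773, 776
        StartTime    = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $bl) {
        $first = ([string]$e.Message).Split([char]10)[0].Trim()
        $findings.Add(('BitLocker event {0} at {1}: {2}' -f $e.Id, $e.TimeCreated, $first))
    }

    # 2. Preventive policy from the article: recovery info must reach AD DS before encryption.
    #    Weak state: values 0 or key missing. Hardened state: both values 1, delivered via GPO.
    $backup  = Get-FvePolicyValue -Name 'OSActiveDirectoryBackup'
    $require = Get-FvePolicyValue -Name 'OSRequireActiveDirectoryBackup'
    if ($backup -ne 1) {
        $findings.Add('Policy gap: OS drive recovery information is not backed up to AD DS')
    }
    if ($require -ne 1) {
        $findings.Add('Policy gap: BitLocker may start before recovery information is in AD DS')
    }

    # 3. Cleanup artefacts from the article. The script renames its tasks but then deletes the
    #    original names, so either name still present on a host is worth a look.
    $tasks = Get-ScheduledTask -TaskName 'Login', 'WomenDisk' -ErrorAction SilentlyContinue
    foreach ($t in $tasks) {
        $findings.Add(('Scheduled task {0} in {1} (state {2})' -f $t.TaskName, $t.TaskPath, $t.State))
    }
    $fw = Get-NetFirewallProfile | Where-Object { $_.Enabled.ToString() -ne 'True' }
    foreach ($p in $fw) {
        $findings.Add(('Windows Firewall profile {0} is disabled' -f $p.Name))
    }
    $cleared = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 104; StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'PowerShell' }
    foreach ($c in $cleared) {
        $findings.Add(('PowerShell event log cleared at {0}' -f $c.TimeCreated))
    }

    return $findings
}

$result = Invoke-ShrinkLockerTriage -LookbackHours 72
if ($result.Count -eq 0) {
    Write-Output ('{0}: no ShrinkLocker indicators found' -f $env:COMPUTERNAME)
} else {
    $result | ForEach-Object { Write-Output ('{0}: {1}' -f $env:COMPUTERNAME, $_) }
}
```

The policy gap lines are the ones to act on before an incident: a host that reports both gaps can be encrypted by anyone who can remove the protectors and set a password, exactly the sequence the article describes. Run the script fleet-wide (for example through Invoke-Command) and treat a burst of 773/776 events across many hosts inside one lookback window as the early-stage signal the article recommends watching for.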
\r\nProtection: By deploying multiple security layers across all devices and users, organizations create significant\r\nobstacles for threat actors who manage to bypass initial defenses. It's essential to strike the right balance between\r\nblocking malicious activities and flagging suspicious behavior, while minimizing false positives and performance\r\nimpact. \r\nDetection and Response: Most ransomware attacks take at least days, typically weeks, to fully compromise a\r\nnetwork. A significant portion of this time is spent on lateral movement, where attackers gain access to additional\r\nsystems and data. Our investigations consistently reveal that threat actors generate sufficient indicators of\r\ncompromise to be detected. However, two common pitfalls hinder effective response. \r\nThe first is the absence of robust endpoint detection and response (EDR) or extended detection and response\r\n(XDR) solutions. EDR and XDR are designed to shorten the time threat actors remain undetected by analyzing\r\nand correlating suspicious behavior, even when it can't be immediately classified as malicious. \r\nThe second is that, while detection tools like EDR and XDR can identify anomalies, effective security operations\r\nare required to investigate, prioritize, and respond to these alerts. Understaffed or overburdened security teams\r\nmay struggle to analyze them, allowing security incidents to escalate into full-blown breaches. By investing in\r\ndedicated security operations teams or more affordable managed detection and response (MDR) services,\r\norganizations can significantly reduce the risk of these breaches. \r\nThese recommendations are based on our extensive ransomware investigations. 
We've combined our current\r\nunderstanding of ransomware tactics with available security controls in our white paper, \"Stopping Ransomware:\r\nA Technical Deep Dive into Attack Vectors \u0026 Mitigation Strategies with Bitdefender.\" We continuously update\r\nthis white paper to reflect the latest trends and best practices.\r\nSource: https://www.bitdefender.com/en-us/blog/businessinsights/shrinklocker-decryptor-from-friend-to-foe-and-back-again",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bitdefender.com/en-us/blog/businessinsights/shrinklocker-decryptor-from-friend-to-foe-and-back-again"
	],
	"report_names": [
		"shrinklocker-decryptor-from-friend-to-foe-and-back-again"
	],
	"threat_actors": [
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434069,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f264cb59021f18e3adc6808f4ba436ff42916434.pdf",
		"text": "https://archive.orkl.eu/f264cb59021f18e3adc6808f4ba436ff42916434.txt",
		"img": "https://archive.orkl.eu/f264cb59021f18e3adc6808f4ba436ff42916434.jpg"
	}
}