ShrinkLocker
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | ShrinkLocker uses HTTP POST requests to communicate victim information back to the threat actor.(Citation: Kaspersky ShrinkLocker 2024) |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | ShrinkLocker uses PowerShell to disable the protectors used to secure the BitLocker encryption key on victim machines and then delete the key from the system.(Citation: Kaspersky ShrinkLocker 2024) |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | ShrinkLocker is a Visual Basic script (VBS) that calls multiple other operating system functions during execution.(Citation: Kaspersky ShrinkLocker 2024)(Citation: Splunk ShrinkLocker 2024) |
| Enterprise | T1491.001 | Defacement: Internal Defacement | ShrinkLocker renames disk labels on victim hosts to the threat actor's email address so that the victim can contact the threat actor for ransom negotiation.(Citation: Kaspersky ShrinkLocker 2024)(Citation: Splunk ShrinkLocker 2024) |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | ShrinkLocker disables the protectors used to secure the BitLocker encryption key on victim systems.(Citation: Kaspersky ShrinkLocker 2024)(Citation: Splunk ShrinkLocker 2024) |
| Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | ShrinkLocker turns on the system firewall and deletes all of its rules during execution.(Citation: Kaspersky ShrinkLocker 2024)(Citation: Splunk ShrinkLocker 2024) |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | ShrinkLocker calls Wevtutil to clear the Windows PowerShell and Microsoft-Windows-PowerShell/Operational event logs.(Citation: Kaspersky ShrinkLocker 2024) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | ShrinkLocker can delete itself depending on the outcome of various checks performed during execution.(Citation: Kaspersky ShrinkLocker 2024) |
References
- Cristian Souza, Eduardo Ovalle, Ashley Muñoz, & Christopher Zachor. (2024, May 23). ShrinkLocker: Turning BitLocker into ransomware. Kaspersky Securelist. Retrieved December 7, 2024.
- Splunk Threat Research Team, Teoderick Contreras. (2024, September 5). ShrinkLocker Malware: Abusing BitLocker to Lock Your Data. Splunk. Retrieved December 7, 2024.