Lessons Learned from the ShrinkLocker Ransomware: From Response to Detection

  • Cristian H. M. Souza (Kaspersky / USP)
  • Eduardo O. Chavarro (Kaspersky)

Abstract

ShrinkLocker is a ransomware threat that abuses the native BitLocker utility to encrypt entire volumes, using advanced VBScript and PowerShell techniques to exfiltrate keys, disable key recovery, and perform drive-level encryption. In this paper, we provide a detailed technical analysis of the malware, review the adversary’s tactics, techniques and procedures (TTPs), and highlight key lessons learned from an incident response case. We also propose detection and mitigation strategies and emphasize the importance of behavior-based monitoring over static signature detection in such advanced attacks.

Published
01/09/2025
SOUZA, Cristian H. M.; CHAVARRO, Eduardo O. Lessons Learned from the ShrinkLocker Ransomware: From Response to Detection. In: TRILHA DE INTERAÇÃO COM A INDÚSTRIA E DE INOVAÇÃO - SIMPÓSIO BRASILEIRO DE CIBERSEGURANÇA (SBSEG), 25., 2025, Foz do Iguaçu/PR. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 440-446. DOI: https://doi.org/10.5753/sbseg_estendido.2025.11387.