ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)

ShrinkLocker is a VBS-based malicious script that leverages the legitimate Bitlocker application to encrypt files on victim systems for ransom. ShrinkLocker functions by using Bitlocker to encrypt files, then renames impacted drives to the adversary’s contact email address to facilitate communication for the ransom payment.(Citation: Kaspersky ShrinkLocker 2024)(Citation: Splunk ShrinkLocker 2024)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
Disk Structure Wipe - T1561.002 (0af0ca99-357d-4ba1-805f-674fdfb7bef9)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
System Shutdown/Reboot - T1529 (ff73aa03-0090-4464-83ac-f89e233c02bc)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
Disable or Modify System Firewall - T1686 (eec096b8-c207-43df-b6c1-11523861e452)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872)	Attack Pattern	Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0)	Attack Pattern	2
Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b)	Attack Pattern	Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103)	Attack Pattern	2
Disk Structure Wipe - T1561.002 (0af0ca99-357d-4ba1-805f-674fdfb7bef9)	Attack Pattern	Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2