
ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)

ShrinkLocker is a VBS-based malicious script that leverages the legitimate BitLocker application to encrypt files on victim systems for ransom. ShrinkLocker functions by using BitLocker to encrypt files, then renames impacted drives to the adversary's contact email address to facilitate communication for the ransom payment.(Citation: Kaspersky ShrinkLocker 2024)(Citation: Splunk ShrinkLocker 2024)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070) | Malware | Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) | Attack Pattern | 1 |
| ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070) | Malware | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 1 |
| ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070) | Malware | Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) | Attack Pattern | 1 |
| ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070) | Malware | System Shutdown/Reboot - T1529 (ff73aa03-0090-4464-83ac-f89e233c02bc) | Attack Pattern | 1 |
| ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070) | Malware | Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | 1 |
| ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070) | Malware | Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) | Attack Pattern | 1 |
| ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070) | Malware | Disable or Modify System Firewall - T1686 (eec096b8-c207-43df-b6c1-11523861e452) | Attack Pattern | 1 |
| ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070) | Malware | Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | 1 |
| ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070) | Malware | System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) | Attack Pattern | 1 |
| ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070) | Malware | System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | 1 |
| Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) | Attack Pattern | ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070) | Malware | 1 |
| ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070) | Malware | Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) | Attack Pattern | 1 |
| ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070) | Malware | Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) | Attack Pattern | 1 |
| ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070) | Malware | Disk Structure Wipe - T1561.002 (0af0ca99-357d-4ba1-805f-674fdfb7bef9) | Attack Pattern | 1 |
| ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070) | Malware | Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) | Attack Pattern | 1 |
| ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070) | Malware | Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | 1 |
| ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070) | Malware | Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) | Attack Pattern | 1 |
| ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070) | Malware | Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | 1 |
| ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070) | Malware | Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) | Attack Pattern | 1 |
| ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070) | Malware | PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | 1 |
| ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070) | Malware | System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) | Attack Pattern | 1 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 2 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | 2 |
| Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) | Attack Pattern | Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) | Attack Pattern | 2 |
| Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b) | Attack Pattern | Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) | Attack Pattern | 2 |
| Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) | Attack Pattern | Disk Structure Wipe - T1561.002 (0af0ca99-357d-4ba1-805f-674fdfb7bef9) | Attack Pattern | 2 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |