ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)

ShrinkLocker is a VBS-based malicious script that leverages the legitimate Bitlocker application to encrypt files on victim systems for ransom. ShrinkLocker functions by using Bitlocker to encrypt files, then renames impacted drives to the adversary’s contact email address to facilitate communication for the ransom payment.(Citation: Kaspersky ShrinkLocker 2024)(Citation: Splunk ShrinkLocker 2024)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
System Shutdown/Reboot - T1529 (ff73aa03-0090-4464-83ac-f89e233c02bc)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c)	Attack Pattern	1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0)	Attack Pattern	1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	1
ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	1
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	1
ShrinkLocker - S1178 (3fc44c12-b16e-4de1-8869-cf0eb4446070)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	1
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103)	Attack Pattern	Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2