S1178: ShrinkLocker
ShrinkLocker is a VBS-based malicious script that leverages the legitimate Bitlocker application to encrypt files on victim systems for ransom. ShrinkLocker functions by using Bitlocker to encrypt files, then renames impacted drives to the adversary’s contact email address to facilitate communication for the ransom payment.[1][2]
Analyst context for executives and security teams
ShrinkLocker matters because it turns a legitimate Windows encryption capability, BitLocker, into a ransomware mechanism. For leaders, the key issue is not only “malware on an endpoint,” but whether the organization can distinguish authorized encryption administration from malicious encryption, preserve recovery options, and respond before business-critical Windows systems become unavailable.
Executive priority
Prioritize this as an operational resilience and recovery-readiness concern for Windows environments using or allowing BitLocker. Executives should ask whether BitLocker administration is governed, monitored, and recoverable; whether SOC and IR teams can see suspicious script, WMI, PowerShell, registry, firewall, log-clearing, and reboot activity; and whether backup and recovery evidence is strong enough for audit, insurance, and crisis decision-making. Because ATT&CK provides no official detection text for this object, local validation is essential before assuming coverage.
Technical view
ATT&CK describes ShrinkLocker as a VBS-based malicious script that abuses BitLocker to encrypt files for ransom and renames impacted drives to an adversary contact email address. The relationship set ties it to Windows execution via Visual Basic, PowerShell, and WMI; discovery of network, system, process, and time information; web-based command-and-control and exfiltration; registry modification; defense impairment including tool tampering, Windows event log clearing, and firewall changes; and impact behaviors including encryption, destruction, defacement, reboot/shutdown, and disk structure wipe. SOC teams should validate visibility across the full chain rather than looking only for file encryption.
Likely telemetry
- Windows process creation and command-line telemetry for script hosts, PowerShell, WMI, BitLocker-related utilities, registry tools, shutdown/reboot commands, and event-log utilities
- PowerShell logging and script block/module/activity telemetry where available
- WMI activity logs and remote/local management execution evidence
- Windows Security, System, Application, and operational event logs, with alerting for log-clearing or sudden telemetry gaps
- BitLocker management, configuration, recovery-key, and drive-encryption state changes
Detection direction
- Correlate BitLocker state changes or drive renaming with suspicious script execution, PowerShell, WMI, registry modification, firewall changes, log clearing, or shutdown/reboot activity.
- Tune detections to distinguish legitimate BitLocker administration from unusual encryption activity on endpoints, especially when initiated by scripts or non-standard administrative contexts.
- Validate detections for defense impairment behaviors before impact: security tool disabling, Windows event log clearing, and host firewall modification may be early signals that visibility is being reduced.
- Use relationship context to build multi-stage analytics: discovery followed by scripted execution, web communications, configuration tampering, and encryption impact is more meaningful than any single event alone.
- Account for blind spots where BitLocker actions are treated as trusted administrative activity, where PowerShell/WMI logging is incomplete, or where endpoint tools lose telemetry after tampering or reboot.
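A multi-stage correlation of the kind this list describes, run over constructed process-creation events. This is example code added here, not part of the ATT&CK object or of either cited report; the event field names, the regex patterns, the 30-minute window and the alert thresholds are assumptions to be tuned per estate.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Stage -> case-insensitive regex over the process command line. Stages mirror the
# relationship table: script host, BitLocker admin, drive relabel, log clear, firewall, shutdown.
STAGES = {
    "script_host": r"\b(wscript|cscript)(\.exe)?\b.*\.vbs\b",
    "bitlocker": r"manage-bde|win32_encryptablevolume",
    "drive_rename": r"\blabel(\.exe)?\b.*@",
    "log_clear": r"\bwevtutil(\.exe)?\s+cl\b",
    "firewall": r"netsh\s+advfirewall",
    "shutdown": r"\bshutdown(\.exe)?\s+/[srf]\b",
}
IMPAIRMENT = {"log_clear", "firewall"}   # visibility-reducing stages (early warning)
WINDOW = timedelta(minutes=30)           # assumed correlation window

def correlate(events, window=WINDOW):
    """events: dicts with host, ts (ISO 8601), user, cmdline. A host alerts when, inside
    `window`, a script host runs together with a BitLocker or drive-label action and at least
    one impairment stage, or when four or more distinct stages appear. Lone BitLocker
    administration never alerts by itself, so routine admin work stays quiet."""
    hits = defaultdict(list)
    for e in events:
        for stage, pat in STAGES.items():
            if re.search(pat, e["cmdline"], re.I):
                hits[e["host"]].append((datetime.fromisoformat(e["ts"]), stage, e["user"]))
    alerts = {}
    for host, rows in hits.items():
        rows.sort()
        for i, (t0, _, _) in enumerate(rows):
            inwin = [r for r in rows[i:] if r[0] - t0 <= window]
            stages = {s for _, s, _ in inwin}
            chain = ("script_host" in stages and stages & {"bitlocker", "drive_rename"}
                     and stages & IMPAIRMENT)
            if chain or len(stages) >= 4:
                alerts[host] = {"stages": stages, "users": {u for _, _, u in inwin}}
                break
    return alerts

# Constructed sample telemetry: one host showing the chain, one host doing routine admin work.
SAMPLE = [
    {"host": "WS-042", "ts": "2025-01-10T09:00:00", "user": "jdoe", "cmdline": r"wscript.exe C:\Users\jdoe\Downloads\setup.vbs"},
    {"host": "WS-042", "ts": "2025-01-10T09:01:10", "user": "jdoe", "cmdline": "powershell.exe Get-WmiObject Win32_EncryptableVolume"},
    {"host": "WS-042", "ts": "2025-01-10T09:02:30", "user": "jdoe", "cmdline": "netsh advfirewall set allprofiles state on"},
    {"host": "WS-042", "ts": "2025-01-10T09:03:00", "user": "jdoe", "cmdline": 'wevtutil.exe cl "Windows PowerShell"'},
    {"host": "ADMIN-01", "ts": "2025-01-10T10:00:00", "user": "itops", "cmdline": "manage-bde -status C:"},
]
```

Feed real process-creation events (Sysmon Event ID 1 or Security 4688 with command-line auditing) into `correlate` and review the returned stage set and users per host; the impairment stages are worth their own lower-severity alert even when the full chain never completes.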
Mitigation priorities
- Establish clear governance for BitLocker use, including who may enable or change encryption, how recovery keys are protected, and how emergency recovery is performed.
- Reduce unnecessary administrative rights and restrict script, PowerShell, WMI, registry, firewall, and log-management capabilities to appropriate administrators.
- Harden monitoring for legitimate administrative tools that can be abused, especially BitLocker, Visual Basic scripts, PowerShell, and WMI on Windows systems.
- Protect and monitor security tooling and logging pipelines so event clearing, agent tampering, or telemetry loss triggers investigation.
- Maintain offline or otherwise resilient backups and verify restore procedures for systems where encryption impact would disrupt operations.
Analyst notes and limits
This take is based on the supplied ATT&CK S1178 object and its listed relationships. The object is Windows-platform malware described as VBS-based and BitLocker-abusing. The relationship set is broad and includes discovery, execution, command-and-control, exfiltration, defense impairment, and impact behaviors; defenders should use those relationships to guide validation but confirm which behaviors appear in their own telemetry.
ATT&CK provides no official detection text for ShrinkLocker in the supplied fields, and the object has no specified tactics field even though relationships map to multiple tactics. The supplied information does not support claims about active exploitation, attribution, prevalence, victim exposure, or guaranteed detection. Local environment configuration, logging maturity, BitLocker usage, and recovery-key practices will determine actual risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1124 | System Time Discovery | ShrinkLocker retrieves a system timestamp that is used in generating an encryption key. [2] |
| Enterprise | T1491.001 | Internal Defacement Sub-technique | ShrinkLocker renames disk labels on victim hosts to the threat actor's email address to enable the victim to contact the threat actor for ransom negotiation. [1][2] |
| Enterprise | T1082 | System Information Discovery | ShrinkLocker uses WMI queries to gather various information about the victim machine and operating system. [1][2] |
| Enterprise | T1059.005 | Visual Basic Sub-technique | ShrinkLocker is a Visual Basic script (VBS) object that calls multiple other operating system functions during execution. [1][2] |
| Enterprise | T1059.001 | PowerShell Sub-technique | ShrinkLocker uses PowerShell to disable protectors used to secure the BitLocker encryption key on victim machines and then delete the key from the system. [1] |
| Enterprise | T1112 | Modify Registry | ShrinkLocker modifies various registry keys associated with system logon and BitLocker functionality to effectively lock out users following disk encryption. [1][2] |
| Enterprise | T1685.005 | Clear Windows Event Logs Sub-technique | ShrinkLocker calls Wevtutil to clear the Windows PowerShell and Microsoft-Windows-Powershell/Operational logs. [1] |
| Enterprise | T1047 | Windows Management Instrumentation | ShrinkLocker uses WMI to query information about the victim operating system. [1] |
| Enterprise | T1102 | Web Service | ShrinkLocker uses a subdomain on the legitimate Cloudflare resource "trycloudflare[.]com" to obfuscate the threat actor's actual address and to tunnel information sent from victim systems. [1] |
| Enterprise | T1486 | Data Encrypted for Impact | ShrinkLocker uses the legitimate BitLocker application to encrypt victim files for ransom. [1][2] |
| Enterprise | T1561.002 | Disk Structure Wipe Sub-technique | ShrinkLocker has used Diskpart to format newly-created partitions. [2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | ShrinkLocker will exfiltrate victim system information along with the encryption key via an HTTP POST. [1][2] |
| Enterprise | T1529 | System Shutdown/Reboot | ShrinkLocker can restart the victim system if it encounters an error during execution, and will forcibly shut down the system following encryption to lock out victim users. [1] |
| Enterprise | T1685 | Disable or Modify Tools | ShrinkLocker disables protectors used to secure the BitLocker encryption key on victim systems. [1][2] |
| Enterprise | T1016 | System Network Configuration Discovery | ShrinkLocker captures the IP address of the victim system and sends this to the attacker following encryption. [1] |
| Enterprise | T1686 | Disable or Modify System Firewall | ShrinkLocker turns on the system firewall and deletes all of its rules during execution. [1][2] |
| Enterprise | T1480 | Execution Guardrails | ShrinkLocker will exit its "main" function if the victim domain name does not match provided criteria. [2] |
| Enterprise | T1070.004 | File Deletion Sub-technique | ShrinkLocker can delete itself depending on various checks performed during execution. [1] |
| Enterprise | T1485 | Data Destruction | ShrinkLocker can initiate a destructive payload depending on the operating system check through resizing and reformatting portions of the victim machine's disk, leading to system instability and potential data corruption. [2] |
| Enterprise | T1057 | Process Discovery | ShrinkLocker checks whether the Bitlocker Drive Encryption Tools service is running. [2] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | ShrinkLocker uses HTTP POST requests to communicate victim information back to the threat actor. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 7e5821741504… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Kaspersky ShrinkLocker 2024: Cristian Souza, Eduardo Ovalle, Ashley Muñoz, & Christopher Zachor. (2024, May 23). ShrinkLocker: Turning BitLocker into ransomware. Retrieved December 7, 2024.
[2] Splunk ShrinkLocker 2024: Splunk Threat Research Team, Teoderick Contreras. (2024, September 5). ShrinkLocker Malware: Abusing BitLocker to Lock Your Data. Retrieved December 7, 2024.
[3] mitre-attack S1178: MITRE ATT&CK source object for S1178.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.