{
  "description": "Enterprise techniques used by ShrinkLocker, ATT&CK software S1178 (v1.0)",
  "name": "ShrinkLocker (S1178)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[ShrinkLocker](https://attack.mitre.org/software/S1178) uses HTTP POST requests to communicate victim information back to the threat actor.(Citation: Kaspersky ShrinkLocker 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[ShrinkLocker](https://attack.mitre.org/software/S1178) uses PowerShell to disable protectors used to secure the BitLocker encryption key on victim machines and then delete the key from the system.(Citation: Kaspersky ShrinkLocker 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.005", "comment": "[ShrinkLocker](https://attack.mitre.org/software/S1178) is a Visual Basic script (VBS) object that calls multiple other operating system functions during execution.(Citation: Kaspersky ShrinkLocker 2024)(Citation: Splunk ShrinkLocker 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1485", "comment": "[ShrinkLocker](https://attack.mitre.org/software/S1178) can initiate a destructive payload depending on the operating system check through resizing and reformatting portions of the victim machine's disk, leading to system instability and potential data corruption.(Citation: Splunk ShrinkLocker 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1486", "comment": "[ShrinkLocker](https://attack.mitre.org/software/S1178) uses the legitimate BitLocker application to encrypt victim files for ransom.(Citation: Kaspersky ShrinkLocker 2024)(Citation: Splunk ShrinkLocker 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1491", "showSubtechniques": true},
    {"techniqueID": "T1491.001", "comment": "[ShrinkLocker](https://attack.mitre.org/software/S1178) renames disk labels on victim hosts to the threat actor's email address to enable the victim to contact the threat actor for ransom negotiation.(Citation: Kaspersky ShrinkLocker 2024)(Citation: Splunk ShrinkLocker 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1480", "comment": "[ShrinkLocker](https://attack.mitre.org/software/S1178) will exit its \"main\" function if the victim domain name does not match provided criteria.(Citation: Splunk ShrinkLocker 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1041", "comment": "[ShrinkLocker](https://attack.mitre.org/software/S1178) will exfiltrate victim system information along with the encryption key via an HTTP POST.(Citation: Kaspersky ShrinkLocker 2024)(Citation: Splunk ShrinkLocker 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.001", "comment": "[ShrinkLocker](https://attack.mitre.org/software/S1178) disables protectors used to secure the BitLocker encryption key on victim systems.(Citation: Kaspersky ShrinkLocker 2024)(Citation: Splunk ShrinkLocker 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1562.004", "comment": "[ShrinkLocker](https://attack.mitre.org/software/S1178) turns on the system firewall and deletes all of its rules during execution.(Citation: Kaspersky ShrinkLocker 2024)(Citation: Splunk ShrinkLocker 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.001", "comment": "[ShrinkLocker](https://attack.mitre.org/software/S1178) calls [Wevtutil](https://attack.mitre.org/software/S0645) to clear the Windows PowerShell and Microsoft-Windows-Powershell/Operational logs.(Citation: Kaspersky ShrinkLocker 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[ShrinkLocker](https://attack.mitre.org/software/S1178) can delete itself depending on various checks performed during execution.(Citation: Kaspersky ShrinkLocker 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1112", "comment": "[ShrinkLocker](https://attack.mitre.org/software/S1178) modifies various registry keys associated with system logon and BitLocker functionality to effectively lock out users following disk encryption.(Citation: Kaspersky ShrinkLocker 2024)(Citation: Splunk ShrinkLocker 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1057", "comment": "[ShrinkLocker](https://attack.mitre.org/software/S1178) checks whether the Bitlocker Drive Encryption Tools service is running.(Citation: Splunk ShrinkLocker 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1082", "comment": "[ShrinkLocker](https://attack.mitre.org/software/S1178) uses WMI queries to gather various information about the victim machine and operating system.(Citation: Kaspersky ShrinkLocker 2024)(Citation: Splunk ShrinkLocker 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[ShrinkLocker](https://attack.mitre.org/software/S1178) captures the IP address of the victim system and sends this to the attacker following encryption.(Citation: Kaspersky ShrinkLocker 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1529", "comment": "[ShrinkLocker](https://attack.mitre.org/software/S1178) can restart the victim system if it encounters an error during execution, and will forcibly shut down the system following encryption to lock out victim users.(Citation: Kaspersky ShrinkLocker 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1124", "comment": "[ShrinkLocker](https://attack.mitre.org/software/S1178) retrieves a system timestamp that is used in generating an encryption key.(Citation: Splunk ShrinkLocker 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1102", "comment": "[ShrinkLocker](https://attack.mitre.org/software/S1178) uses a subdomain on the legitimate Cloudflare resource \"trycloudflare[.]com\" to obfuscate the threat actor's actual address and to tunnel information sent from victim systems.(Citation: Kaspersky ShrinkLocker 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1047", "comment": "[ShrinkLocker](https://attack.mitre.org/software/S1178) uses WMI to query information about the victim operating system.(Citation: Kaspersky ShrinkLocker 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by ShrinkLocker", "color": "#66b1ff"}]
}