A new variant of LockBit ransomware has been discovered that comes with automated encryption of a Windows domain. The newly discovered LockBit 2.0 ransomware has multiple advanced features and is now abusing the Active Directory group policies.
What happened?
The LockBit ransomware operation has been active since September 2019 and, after ransomware topics were banned on hacking forums, the attackers started advertising the new LockBit 2.0 RaaS.
- LockBit 2.0 has numerous features used in the past by other ransomware operations.
- One of its unique features includes automated ransomware distribution via Windows domains without using scripts.
- Whenever the ransomware is executed, it creates new group policies on the domain controller. These policies are then applied to every possible device on the targeted network.
- Moreover, the new policies disable Defender’s real-time protection, alerts, sample submission to Microsoft, and the default actions taken on detected malicious files.
Additional insights
The new variant also creates other group policies, such as ones that create scheduled tasks on Windows systems to execute the ransomware. Subsequently, a command is sent to update the group policy on all machines in the Windows domain.
- During the policy update process, the ransomware uses Windows Active Directory APIs to carry out LDAP queries against the domain controller’s ADS to identify all the computers on the network.
- Using this list, the ransomware .exe file is copied to every desktop, and the scheduled task configured by group policy runs the ransomware using a UAC bypass.
- This lets the actors run the ransomware silently in the background without producing any outward alert.
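One defensive check that follows from the Defender-disabling policies described above is to audit the `Machine\Registry.pol` file of every GPO under SYSVOL (`\\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Registry.pol`) for Defender policy values set to their disabling state. The Python script below is an added example, not code from the article or from the LockBit analysis it summarises; the Defender registry paths and disabling values it flags are well-known policy settings assumed here rather than quoted from the article, and the sample Registry.pol it scans is constructed inline.

```python
import struct
# Well-known Defender policy settings (not values quoted in the article) paired with
# the values that switch each protection off; lookups are case-insensitive.
ROOT = r"software\policies\microsoft\windows defender"
DISABLING = {
    (ROOT + r"\real-time protection", "disablerealtimemonitoring"): {1},  # real-time scanning
    (ROOT + r"\spynet", "spynetreporting"): {0},                           # cloud reporting
    (ROOT + r"\spynet", "submitsamplesconsent"): {2},                      # never submit samples
    (ROOT + r"\ux configuration", "notification_suppress"): {1},           # user alerts
}
OPEN, SEP, CLOSE, NUL, REG_DWORD = b"[\x00", b";\x00", b"]\x00", b"\x00\x00", 4

def _wstr(buf, pos):  # NUL-terminated UTF-16LE string -> (text, offset past the NUL)
    end = next(i for i in range(pos, len(buf), 2) if buf[i:i + 2] == NUL)
    return buf[pos:end].decode("utf-16-le"), end + 2

def _expect(buf, pos, token):  # consume one 2-byte token or fail loudly
    if buf[pos:pos + 2] != token:
        raise ValueError(f"malformed Registry.pol at offset {pos}")
    return pos + 2

def parse_registry_pol(data):  # PReg v1 -> list of (key, value_name, type, value)
    if data[:8] != b"PReg" + struct.pack("<I", 1):
        raise ValueError("not a PReg v1 Registry.pol")
    entries, pos = [], 8
    while pos < len(data):                       # entry: [key;value;type;size;data]
        key, pos = _wstr(data, _expect(data, pos, OPEN))
        name, pos = _wstr(data, _expect(data, pos, SEP))
        s1, vtype, s2, size, s3 = struct.unpack_from("<2sI2sI2s", data, pos)
        if (s1, s2, s3) != (SEP, SEP, SEP):
            raise ValueError(f"malformed Registry.pol at offset {pos}")
        raw = data[pos + 14:pos + 14 + size]
        pos = _expect(data, pos + 14 + size, CLOSE)
        val = struct.unpack("<I", raw)[0] if vtype == REG_DWORD and size == 4 else raw
        entries.append((key, name, vtype, val))
    return entries

def find_defender_tampering(entries):  # entries that set a Defender policy to a disabling value
    return [e for e in entries if e[3] in DISABLING.get((e[0].lower(), e[1].lower()), ())]

def build_sample_pol(settings):  # constructed test input from (key, name, dword) triples
    body = b"".join(OPEN + k.encode("utf-16-le") + NUL + SEP + n.encode("utf-16-le") + NUL
                    + struct.pack("<2sI2sI2sI", SEP, REG_DWORD, SEP, 4, SEP, v) + CLOSE
                    for k, n, v in settings)
    return b"PReg" + struct.pack("<I", 1) + body

# Constructed sample GPO: one benign setting and two Defender-disabling ones.
SAMPLE = build_sample_pol([(r"Software\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate", 0),
    (r"Software\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring", 1),
    (r"Software\Policies\Microsoft\Windows Defender\Spynet", "SubmitSamplesConsent", 2)])
```

Run `find_defender_tampering(parse_registry_pol(open(path, "rb").read()))` over each GPO's Registry.pol; any hit in a policy that the security team did not author deserves the same urgency as the group policy changes the article describes.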
Additionally, LockBit 2.0 now comes with a feature previously used by the Egregor ransomware operation: print-bombing ransom notes to all the networked printers.
Conclusion
LockBit 2.0 ransomware has added a unique approach of abusing Active Directory domain controllers to propagate its malware. Further, it uses the built-in group policy update mechanism and is able to disable the anti-malware solution of Windows systems. This indicates that the LockBit developers are well versed in the Windows OS and are leaving no stone unturned to target users.
Source: https://cyware.com/news/lockbit-20-abuses-windows-domains-to-propagate-856d1683