The latest version of the LockBit ransomware, which is known as LockBit 2.0, can now be used to automatically encrypt a Windows domain using Active Directory group policies.
LockBit is a ransomware-as-a-service operation that launched in September 2019. Affiliates were recruited to breach networks and encrypt devices with its malware. When hacking forums banned the topic of ransomware this year, LockBit began promoting a new operation, LockBit 2.0, with several new advanced features.
One feature that is particularly interesting is the automated distribution of the ransomware across a Windows domain, without the need for scripts.
Usually, when a network is breached, the attackers run a script to disable antivirus and then deploy the ransomware on the affected machines. The samples analyzed by MalwareHunterTeam revealed that LockBit 2.0 can distribute itself throughout a domain when it is executed on a domain controller.
The ransomware creates new group policies on the domain controller that are then pushed out to every device on the network. These policies disable the real-time protection and alerts that Microsoft Defender provides, and they also restrict detection of malicious files. Further group policies are created, including a task that launches the ransomware's executable. The ransomware then runs the following command to force a group policy update on all devices in the domain:
powershell.exe -Command "Get-ADComputer -filter * -Searchbase '%s' | foreach{ Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}"
The ransomware is executed using a UAC bypass and will silently run in the background while the device is being encrypted.
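An added audit script for defenders (not the article's or LockBit's own code) that flags the two ingredients of the mechanism described above: domain GPOs carrying Defender-disabling registry policies, and GPOs carrying a Scheduled or Immediate Task preference item, sorted by how recently each was modified. It assumes the GroupPolicy RSAT module and an account able to read every GPO.

```powershell
# Added audit script (not from the article or LockBit). Reviews every domain GPO for
# (a) registry-based policy values that switch Defender protection off and
# (b) Scheduled Task / Immediate Task preference items, then lists the newest first.
# Assumption: GroupPolicy RSAT module present, domain-joined account with read access to all GPOs.
Import-Module GroupPolicy -ErrorAction Stop

# Well-known registry-based Defender policy keys; a value of 1 disables the feature.
$defenderPolicyKeys = @(
    'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender',
    'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
)
$killSwitches = 'DisableAntiSpyware', 'DisableRealtimeMonitoring',
                'DisableBehaviorMonitoring', 'DisableIOAVProtection',
                'DisableOnAccessProtection'

$findings = foreach ($gpo in Get-GPO -All) {
    $reasons = @()

    # (a) Registry-based policy settings that turn Defender protection off.
    foreach ($key in $defenderPolicyKeys) {
        $values = Get-GPRegistryValue -Guid $gpo.Id -Key $key -ErrorAction SilentlyContinue
        foreach ($v in $values) {
            if ($killSwitches -contains $v.ValueName -and [int]$v.Value -eq 1) {
                $reasons += "$($v.ValueName)=1"
            }
        }
    }

    # (b) Task preference items: the GPO report renders them under the ScheduledTasks extension.
    $xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    if ($xml -match 'ScheduledTasks|ImmediateTask') {
        $reasons += 'Scheduled/Immediate Task preference present'
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            GPO      = $gpo.DisplayName
            Id       = $gpo.Id
            Modified = $gpo.ModificationTime
            AgeHours = [math]::Round(((Get-Date) - $gpo.ModificationTime).TotalHours, 1)
            Reasons  = ($reasons -join '; ')
        }
    }
}

# A Defender-disabling GPO modified minutes ago is the one to investigate first.
$findings | Sort-Object Modified -Descending | Format-Table -AutoSize
```

A hit is not proof of compromise (administrators do deploy Defender exclusions and tasks by GPO), so correlate each flagged GPO with who modified it and with Security log events for directory object changes before acting.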
This is the first time that researchers have seen ransomware distribute itself through group policies, and LockBit operators are the first ransomware gang to automate this process.
"The malware added a novel approach of interacting with Active Directory propagating ransomware to local domains as well as built-in updating global policy with anti-virus disable making 'pentester' operations easier for new malware operators," researchers said.