Researchers have discovered a new strain of LockBit ransomware capable of encrypting all Windows domain members

Jul 28, 2021 15:59 GMT

Researchers found a new strain of LockBit ransomware that automates the encrypting of Windows domains by leveraging Active Directory group policies, according to Bleeping Computer.

The LockBit ransomware operation began in September 2019 as a ransomware-as-a-service (RaaS) scheme in which recruited affiliates infiltrate networks and encrypt devices. In exchange, the affiliates receive 70-80% of the total amount, with the remaining 20% going to the LockBit founders.

A spokesperson for the gang promotes the ransomware operation and provides support on hacking forums. After ransomware topics were banned on those forums, LockBit began pushing a new ransomware-as-a-service offering, LockBit 2.0, on its data leak site.

LockBit 2.0 supports a multitude of features, many of which have already been employed in prior ransomware campaigns. One feature in particular has been promoted: its creators claim that propagation across a Windows domain is fully automated, eliminating the need for scripts.

Group policy updates are used by cybercriminals to encrypt computers on the targeted network

After infiltrating a network and gaining control of a domain controller, the threat actors utilize third-party tools to execute scripts that disable antivirus software and then launch the ransomware on the network machines.

Because the process is automated, running it on a domain controller distributes the ransomware across the domain. To encrypt data, the ransomware creates new group policies on the domain controller that are then replicated across the network. These policies disable Microsoft Defender's real-time protection, alerts, sample submission to Microsoft, and default actions on detected malicious files. Additional group policies are set up, including one that creates a scheduled task on Windows devices to run the malware.

The ransomware then runs a command to update Group Policy on all Windows machines. During this operation, the ransomware also performs LDAP queries for Active Directory domain controllers and uses Windows Active Directory APIs to retrieve a list of machines from them. The ransomware executable is copied to the desktop of each device on the list, and the scheduled task set by Group Policy launches it.
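From a defender's side, the policy changes described above leave a trace in SYSVOL: each GPO's machine registry settings are stored in a `Registry.pol` file under `\\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\`. The following added example, which is not code from the original article or from any researcher it cites, parses that file format (the documented `PReg` header followed by `[key;value;type;size;data]` entries in UTF-16LE) and flags Defender policy values that weaken protection. The list of Defender value names and the settings considered weakening (`DisableAntiSpyware`, `DisableRealtimeMonitoring`, `DisableBehaviorMonitoring`, `SpynetReporting`, `SubmitSamplesConsent`) is an assumption drawn from public Microsoft Defender policy documentation, and the `Registry.pol` blob below is constructed inline so the script runs offline; in practice the same functions would be run over the files pulled from SYSVOL.

```python
import struct

REG_SZ = 1
REG_DWORD = 4

# Defender policy values whose listed DWORD setting weakens protection (assumed
# from public Microsoft Defender policy documentation; paths are under HKLM).
# Registry paths and value names are compared case-insensitively.
WEAKENING_SETTINGS = {
    (r"software\policies\microsoft\windows defender", "disableantispyware"): 1,
    (r"software\policies\microsoft\windows defender\real-time protection", "disablerealtimemonitoring"): 1,
    (r"software\policies\microsoft\windows defender\real-time protection", "disablebehaviormonitoring"): 1,
    (r"software\policies\microsoft\windows defender\spynet", "spynetreporting"): 0,
    (r"software\policies\microsoft\windows defender\spynet", "submitsamplesconsent"): 2,
}


def _utf16(s):
    return s.encode("utf-16-le")


def parse_registry_pol(blob):
    """Parse a Registry.pol file: 'PReg' magic, 4-byte version, then entries of the
    form [key;value;type;size;data] with UTF-16LE strings and 4-byte type/size."""
    if blob[:4] != b"PReg":
        raise ValueError("missing PReg magic; not a Registry.pol file")
    version = struct.unpack_from("<I", blob, 4)[0]
    pos = 8
    entries = []

    def read_wstr(p):
        # Read a null-terminated UTF-16LE string starting at offset p.
        end = p
        while blob[end:end + 2] != b"\x00\x00":
            end += 2
            if end >= len(blob):
                raise ValueError("unterminated string")
        return blob[p:end].decode("utf-16-le"), end + 2

    while pos < len(blob):
        if blob[pos:pos + 2] != _utf16("["):
            raise ValueError(f"expected '[' at offset {pos}")
        pos += 2
        key, pos = read_wstr(pos)
        pos += 2  # ';'
        value, pos = read_wstr(pos)
        pos += 2  # ';'
        rtype = struct.unpack_from("<I", blob, pos)[0]
        pos += 4 + 2  # type DWORD, then ';'
        size = struct.unpack_from("<I", blob, pos)[0]
        pos += 4 + 2  # size DWORD, then ';'
        data = blob[pos:pos + size]
        pos += size
        if blob[pos:pos + 2] != _utf16("]"):
            raise ValueError(f"expected ']' at offset {pos}")
        pos += 2
        entries.append({"key": key, "value": value, "type": rtype, "data": data})
    return version, entries


def find_defender_weakening(entries):
    """Return findings for DWORD entries whose value matches WEAKENING_SETTINGS."""
    findings = []
    for e in entries:
        expected = WEAKENING_SETTINGS.get((e["key"].lower(), e["value"].lower()))
        if expected is None or e["type"] != REG_DWORD or len(e["data"]) != 4:
            continue
        actual = struct.unpack("<I", e["data"])[0]
        if actual == expected:
            findings.append(f"HKLM\\{e['key']}\\{e['value']} = {actual}")
    return findings


def build_entry(key, value, rtype, data):
    """Encode one Registry.pol entry; used only to construct the sample below."""
    return (_utf16("[") + _utf16(key) + b"\x00\x00" + _utf16(";")
            + _utf16(value) + b"\x00\x00" + _utf16(";")
            + struct.pack("<I", rtype) + _utf16(";")
            + struct.pack("<I", len(data)) + _utf16(";")
            + data + _utf16("]"))


DEFENDER = r"SOFTWARE\Policies\Microsoft\Windows Defender"
RTP = DEFENDER + r"\Real-Time Protection"
SPYNET = DEFENDER + r"\Spynet"

# Constructed sample Registry.pol resembling a policy that turns Defender off.
SAMPLE_POL = (
    b"PReg" + struct.pack("<I", 1)
    + build_entry(DEFENDER, "DisableAntiSpyware", REG_DWORD, struct.pack("<I", 1))
    + build_entry(RTP, "DisableRealtimeMonitoring", REG_DWORD, struct.pack("<I", 1))
    + build_entry(RTP, "DisableBehaviorMonitoring", REG_DWORD, struct.pack("<I", 0))  # left enabled
    + build_entry(SPYNET, "SpynetReporting", REG_DWORD, struct.pack("<I", 0))
    + build_entry(SPYNET, "SubmitSamplesConsent", REG_DWORD, struct.pack("<I", 2))
)


def audit_sample():
    version, entries = parse_registry_pol(SAMPLE_POL)
    return version, len(entries), find_defender_weakening(entries)


if __name__ == "__main__":
    version, count, findings = audit_sample()
    print(f"Registry.pol version {version}, {count} entries")
    for finding in findings:
        print("FINDING:", finding)
```

Running the script over the constructed sample reports four findings and ignores the `DisableBehaviorMonitoring = 0` entry, since only the weakening value is flagged. Pairing such a SYSVOL audit with alerting on GPO creation or modification on the domain controller gives early warning before the policy is replicated and applied domain-wide.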

Because the ransomware bypasses User Account Control, it runs unnoticed in the background, without any visible alert, and encrypts the device. Although MountLocker previously used Windows Active Directory APIs for LDAP searches, this is the first time ransomware has automatically spread infection via group policies.