June 7, 2023

A new version of the LockBit 2.0 ransomware has been found that automates the encryption of a Windows domain using Active Directory group policies. LockBit is a Ransomware-as-a-Service (RaaS) operation that came into the limelight last year; affiliates keep 70% of the ransom and the rest goes to the developers. After being banned from hacking forums, the operators released LockBit 2.0 on their own site with many new features.

Uses group policy updates to encrypt the network

When threat actors breach a network and finally gain control of the domain controller, they utilize third-party software to deploy scripts that disable antivirus and then execute the ransomware on the machines on the network.

In samples of the LockBit 2.0 ransomware, researchers discovered that the threat actors have automated this process so that the ransomware distributes itself throughout a domain when executed on a domain controller. The ransomware creates new group policies on the domain controller that are then pushed out to every device on the network, disabling Microsoft Defender’s real-time protection, alerts, sample submission to Microsoft, and default actions when detecting malicious files, as shown below.

Other group policies are created, including one that creates a scheduled task on Windows devices to launch the ransomware executable. The ransomware then runs the following command to push the group policy update to all of the machines in the Windows domain.
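As an added example (not code from the post or from the LockBit analysis it reports), the following Python audit parses a GPO's Registry.pol file, which is how a registry-policy GPO is stored under SYSVOL, and flags the Defender policy values behind the features the post says the rogue policy turns off. The key and value names are the documented Defender policy settings, not ones quoted from the post, and the sample policy is constructed here.

```python
import struct
REG_DWORD = 4
U16 = lambda s: s.encode("utf-16-le")
# Documented Defender policy values behind the features the post says the GPO turns off
# (real-time protection, alerts, sample submission); the post itself does not name the keys.
SUSPICIOUS = {
    (r"software\policies\microsoft\windows defender\real-time protection", "disablerealtimemonitoring"): 1,
    (r"software\policies\microsoft\windows defender\ux configuration", "notification_suppress"): 1,
    (r"software\policies\microsoft\windows defender\spynet", "submitsamplesconsent"): 2,  # 2 = never send
}

def _read_sz(buf, pos):  # NUL-terminated UTF-16LE string -> (text, offset just past the NUL)
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_registry_pol(blob):  # Registry.pol ('PReg', version 1) -> [(key, value, type, data), ...]
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version-1 Registry.pol file")
    pos, entries = 8, []
    while pos < len(blob):                        # each record is [key;value;type;size;data]
        if blob[pos:pos + 2] != U16("["):
            raise ValueError(f"expected '[' at offset {pos}")
        key, pos = _read_sz(blob, pos + 2)        # pos lands on the ';' after the key
        value, pos = _read_sz(blob, pos + 2)      # pos lands on the ';' after the value
        vtype, size = struct.unpack_from("<I2xI2x", blob, pos + 2)   # DWORD type ; DWORD size ;
        data, pos = blob[pos + 14:pos + 14 + size], pos + 14 + size
        if blob[pos:pos + 2] != U16("]"):
            raise ValueError(f"expected ']' at offset {pos}")
        entries.append((key, value, vtype, data))
        pos += 2
    return entries

def find_defender_tampering(entries):  # -> ['key\\value = n', ...] for each Defender-disabling DWORD
    hits = []
    for key, value, vtype, data in entries:
        want = SUSPICIOUS.get((key.lower(), value.lower()))
        if want is not None and vtype == REG_DWORD and data == struct.pack("<I", want):
            hits.append(f"{key}\\{value} = {want}")
    return hits

def _rec(key, value, dword):  # one DWORD Registry.pol record; used only to construct the sample below
    return U16(f"[{key}\0;{value}\0;") + struct.pack("<I2sI2sI", REG_DWORD, U16(";"), 4, U16(";"), dword) + U16("]")
# Constructed sample GPO: two Defender-disabling settings plus one benign sample-submission value.
SAMPLE_POL = b"PReg" + struct.pack("<I", 1) + b"".join([
    _rec(r"Software\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring", 1),
    _rec(r"Software\Policies\Microsoft\Windows Defender\UX Configuration", "Notification_Suppress", 1),
    _rec(r"Software\Policies\Microsoft\Windows Defender\Spynet", "SubmitSamplesConsent", 1),  # 1 = send safe samples
])
```

Running `find_defender_tampering(parse_registry_pol(...))` over every `Machine\Registry.pol` under SYSVOL, and alerting on any GPO created or modified shortly before such hits appear, turns the behaviour the post describes into a checkable signal on the domain controller.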

As the ransomware is executed using a UAC bypass, the program runs silently in the background without any outward alert on the device being encrypted. This is the first time a ransomware has automated its own distribution via group policies.

The malware adds a novel approach of interacting with Active Directory to propagate the ransomware across the local domain, as well as a built-in update of the global policy that disables anti-virus, making “pentester” operations easier for new malware operators.

LockBit 2.0 also includes a feature previously used by the Egregor ransomware operation that print-bombs the ransom note to all networked printers. When the ransomware has finished encrypting a device, it repeatedly prints the ransom note to any connected network printers to get the victim’s attention, as shown below.
