LockBit 2.0, the first ransomware that uses group policies to encrypt Windows domains

malware malware

A new variant of the LockBit 2.0 ransomware is now used by hackers to be able to encrypt Windows domains by using Active Directory group policies. This breaches will impact the security posture massively.

Researchers from MalwareHunterTeam and BleepingComputer, along with the malware expert Vitali Kremez reported spotted a new version of the LockBit 2.0 ransomware that encrypts Windows domains by using Active Directory group policies. These new Cybercrime techniques is providing access to sensitive information.
Kramez explained that this is the first ransomware that automates this process.

A look at LockBit 2.0’s payment site / support chat. Basically after the new login page, it looks mostly exactly as before, the biggest visible change is that they added this “Allow Notifications” part…@demonslay335 pic.twitter.com/Eqie3YsEnY— MalwareHunterTeam (@malwrhunterteam) July 23, 2021Like other ransomware operations, LockBit 2.0 implemented a ransomware-as-a-service model and maintains a network of affiliates.

The LockBit ransomware first appeared in the threat landscape in September 2019, the author of the malware improved it over the years implementing new features and providing supports to their affiliates.

After ransomware ads were banned on hacking forum, the LockBit operators set up their own leak site promoting the latest variant and advertising the LockBit 2.0 affiliate program.

LockBit 2.0 ransomware says:”Would you like to earn millions of dollars?Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.”@demonslay335 @VK_Intel pic.twitter.com/fYxFbVQ6gX— MalwareHunterTeam (@malwrhunterteam) July 17, 2021

The leak site provides a list of features implemented in the new variant, one of the most interesting is the capability to use group policy update to encrypt a Windows domain.

This means that once the attackers have gained access to a target network and compromised the domain controller, the ransomware is able to propagate within the domain. Is the nightmare for Information-security and IT security departments

The ransomware will create new group policies on the domain controller that are pushed to all of the machines in the Windows domain.

The policies disable security measures, such as Microsoft Defender and alerts, and prevent the OS from submitting samples to Microsoft to avoid detection.

Below is the policy shared by BleepingComputer:

[General]
Version=%s
displayName=%s
[SoftwarePoliciesMicrosoftWindows Defender;DisableAntiSpyware]
[SoftwarePoliciesMicrosoftWindows DefenderReal-Time Protection;DisableRealtimeMonitoring]
[SoftwarePoliciesMicrosoftWindows DefenderSpynet;SubmitSamplesConsent]
[SoftwarePoliciesMicrosoftWindows DefenderThreats;Threats_ThreatSeverityDefaultAction]
[SoftwarePoliciesMicrosoftWindows DefenderThreatsThreatSeverityDefaultAction]
[SoftwarePoliciesMicrosoftWindows DefenderThreatsThreatSeverityDefaultAction]
[SoftwarePoliciesMicrosoftWindows DefenderThreatsThreatSeverityDefaultAction]
[SoftwarePoliciesMicrosoftWindows DefenderThreatsThreatSeverityDefaultAction]
[SoftwarePoliciesMicrosoftWindows DefenderUX Configuration;Notification_Suppress]

The ransomware achieves persistence by creating a scheduled task on Windows systems.

Another feature implemented by LockBit 2.0 is print bombing the ransom note, experts already observed this breaches feature implemented by the Egregor Ransomware gang.

Below the list of feature published on the leak site:

Source BleepingComputerThe post LockBit 2.0, the first ransomware that uses group policies to encrypt Windows domains appeared first on Security Affairs.