Pierluigi Paganini
July 29, 2021
Researchers from MalwareHunterTeam and BleepingComputer, along with the malware expert Vitali Kremez reported spotted a new version of the LockBit 2.0 ransomware that encrypts Windows domains by using Active Directory group policies. Kramez explained that this is the first ransomware that automates this process.
A look at LockBit 2.0's payment site / support chat. Basically after the new login page, it looks mostly exactly as before, the biggest visible change is that they added this "Allow Notifications" part…@demonslay335 pic.twitter.com/Eqie3YsEnY
— MalwareHunterTeam (@malwrhunterteam) July 23, 2021
Like other ransomware operations, LockBit 2.0 implemented a ransomware-as-a-service model and maintains a network of affiliates.
The LockBit ransomware first appeared in the threat landscape in September 2019, the author of the malware improved it over the years implementing new features and providing supports to their affiliates.
After ransomware ads were banned on hacking forum, the LockBit operators set up their own leak site promoting the latest variant and advertising the LockBit 2.0 affiliate program.
LockBit 2.0 ransomware says:
— MalwareHunterTeam (@malwrhunterteam) July 17, 2021
"Would you like to earn millions of dollars?
Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company."@demonslay335 @VK_Intel pic.twitter.com/fYxFbVQ6gX
The leak site provides a list of features implemented in the new variant, one of the most interesting is the capability to use group policy update to encrypt a Windows domain.
This means that once the attackers have gained access to a target network and compromised the domain controller, the ransomware is able to propagate within the domain.
The ransomware will create new group policies on the domain controller that are pushed to all of the machines in the Windows domain.
The policies disable security measures, such as Microsoft Defender and alerts, and prevent the OS from submitting samples to Microsoft to avoid detection.
Below is the policy shared by BleepingComputer:
[General]
Version=%s
displayName=%s
[Software\Policies\Microsoft\Windows Defender;DisableAntiSpyware]
[Software\Policies\Microsoft\Windows Defender\Real-Time Protection;DisableRealtimeMonitoring]
[Software\Policies\Microsoft\Windows Defender\Spynet;SubmitSamplesConsent]
[Software\Policies\Microsoft\Windows Defender\Threats;Threats_ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\UX Configuration;Notification_Suppress]The ransomware achieves persistence by creating a scheduled task on Windows systems.
Another feature implemented by LockBit 2.0 is print bombing the ransom note, experts already observed this feature implemented by the Egregor Ransomware gang.
Below the list of feature published on the leak site:
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, LockBit 2.0)
[adrotate banner=”5″]
[adrotate banner=”13″]
