LockBit 2.0, the first ransomware that uses group policies to encrypt Windows domains

A new variant of the LockBit 2.0 ransomware is now able to encrypt Windows domains by using Active Directory group policies.

Researchers from MalwareHunterTeam and BleepingComputer, along with the malware expert Vitali Kremez reported spotted a new version of the LockBit 2.0 ransomware that encrypts Windows domains by using Active Directory group policies. Kramez explained that this is the first ransomware that automates this process.

Like other ransomware operations, LockBit 2.0 implemented a ransomware-as-a-service model and maintains a network of affiliates.

The LockBit ransomware first appeared in the threat landscape in September 2019, the author of the malware improved it over the years implementing new features and providing supports to their affiliates.

After ransomware ads were banned on hacking forum, the LockBit operators set up their own leak site promoting the latest variant and advertising the LockBit 2.0 affiliate program. 

The leak site provides a list of features implemented in the new variant, one of the most interesting is the capability to use group policy update to encrypt a Windows domain.

This means that once the attackers have gained access to a target network and compromised the domain controller, the ransomware is able to propagate within the domain.

The ransomware will create new group policies on the domain controller that are pushed to all of the machines in the Windows domain.

The policies disable security measures, such as Microsoft Defender and alerts, and prevent the OS from submitting samples to Microsoft to avoid detection.

Below is the policy shared by BleepingComputer:

[General]
Version=%s
displayName=%s
[Software\Policies\Microsoft\Windows Defender;DisableAntiSpyware]
[Software\Policies\Microsoft\Windows Defender\Real-Time Protection;DisableRealtimeMonitoring]
[Software\Policies\Microsoft\Windows Defender\Spynet;SubmitSamplesConsent]
[Software\Policies\Microsoft\Windows Defender\Threats;Threats_ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\UX Configuration;Notification_Suppress]

The ransomware achieves persistence by creating a scheduled task on Windows systems.

Another feature implemented by LockBit 2.0 is print bombing the ransom note, experts already observed this feature implemented by the Egregor Ransomware gang.

Below the list of feature published on the leak site:

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, LockBit 2.0)

[adrotate banner=”5″]

[adrotate banner=”13″]