A new LockBit ransomware variant has been uncovered that can encrypt an entire Windows domain automatically. The recently identified LockBit 2.0 has a number of advanced capabilities and now abuses Active Directory Group Policy to spread itself.
What Transpired?
The LockBit ransomware operation has been active since September 2019, and after ransomware topics were banned on hacking forums, its operators began advertising the new LockBit 2.0 ransomware-as-a-service (RaaS).
- LockBit 2.0 incorporates a number of features that have previously been used by other ransomware operations.
- One of its standout characteristics is the ability to distribute the ransomware across a Windows domain without needing any scripts.
- When the malware is run on a domain controller, it creates new Group Policy Objects (GPOs), which are then applied to every device in the domain.
- These new policies turn off Microsoft Defender's real-time protection, notifications, sample submission to Microsoft, and the default actions taken when malicious files are detected.
Additionally, the new variant creates further Group Policy settings, including a scheduled task on every Windows machine that launches the ransomware. It then runs a command that forces a Group Policy update on all machines in the domain.
- During the policy update, the malware uses Windows Active Directory APIs to run LDAP queries against the domain controller's Active Directory and enumerate every computer in the domain.
- Using that list, the ransomware executable is copied to each computer's desktop, and the Group Policy-delivered scheduled task launches it with a UAC bypass.
- This lets the ransomware run in the background without showing any alert to the user.
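The two Group Policy abuses described above, Defender being switched off through registry-based policy and a scheduled task being pushed to every machine, both leave traces in the GPOs themselves. The following audit script is an added example, not code from the eScan post or from LockBit: it walks every GPO in the domain, reads the Defender policy keys straight from Registry.pol with Get-GPRegistryValue, and pulls Scheduled Task preference items out of the XML report. It assumes the GroupPolicy RSAT module is installed, that the caller can read all GPOs, and that a seven-day "recently modified" cutoff is a reasonable default; all three are assumptions.

```powershell
# Added defensive audit (not from the eScan post or from LockBit): flag GPOs that configure
# Microsoft Defender or carry Scheduled Task preferences. Assumes the GroupPolicy RSAT
# module is present and the caller has read access to all GPOs in the domain.
Import-Module GroupPolicy

# Registry.pol keys that hold Defender policy. Reading them with Get-GPRegistryValue works
# even if the attacker wrote raw values without going through an ADMX template.
$DefenderPolicyKeys = @(
    'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender',
    'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection',
    'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet',
    'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats',
    'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration'
)

function Find-SuspiciousGpo {
    [CmdletBinding()]
    param(
        # Assumed cutoff: GPOs changed in the last 7 days are reported even with no other
        # findings, because a freshly created policy is itself worth a look.
        [datetime]$ModifiedSince = (Get-Date).AddDays(-7)
    )

    foreach ($gpo in Get-GPO -All) {
        $reasons = [System.Collections.Generic.List[string]]::new()

        # 1) Registry policy that configures Defender (real-time protection, sample
        #    submission, default threat actions, notifications). A key with no settings
        #    makes the cmdlet throw, hence SilentlyContinue.
        foreach ($key in $DefenderPolicyKeys) {
            $values = Get-GPRegistryValue -Guid $gpo.Id -Key $key -ErrorAction SilentlyContinue
            foreach ($v in @($values | Where-Object { $_.HasValue })) {
                $reasons.Add("Defender policy: $($v.FullKeyPath)\$($v.ValueName) = $($v.Value)")
            }
        }

        # 2) Scheduled Task preferences. The XML report nests preference items under
        #    namespaced Task/TaskV2/ImmediateTaskV2 elements; local-name() sidesteps the
        #    prefixes, and [@name] skips the inner <Task version="1.2"> body of V2 items.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $xpath = "//*[(local-name()='Task' or local-name()='TaskV2' or " +
                 "local-name()='ImmediateTask' or local-name()='ImmediateTaskV2') and @name]"
        foreach ($task in $report.SelectNodes($xpath)) {
            $cmdNode = $task.SelectSingleNode(".//*[local-name()='Command']")
            $argNode = $task.SelectSingleNode(".//*[local-name()='Arguments']")
            $props   = $task.SelectSingleNode(".//*[local-name()='Properties']")
            # V2 tasks carry Exec/Command + Arguments; V1 tasks put the binary in Properties@appName.
            $command   = if ($cmdNode) { $cmdNode.InnerText } elseif ($props) { $props.GetAttribute('appName') } else { '?' }
            $arguments = if ($argNode) { $argNode.InnerText } elseif ($props) { $props.GetAttribute('args') } else { '' }
            $runAs     = if ($props) { $props.GetAttribute('runAs') } else { '' }
            $reasons.Add("Scheduled task '$($task.GetAttribute('name'))' runs [$command $arguments] as '$runAs'")
        }

        if ($reasons.Count -gt 0 -or $gpo.ModificationTime -ge $ModifiedSince) {
            [pscustomobject]@{
                GpoName  = $gpo.DisplayName
                GpoId    = $gpo.Id
                Modified = $gpo.ModificationTime
                Findings = $reasons
            }
        }
    }
}

# Usage: list flagged GPOs, most recently modified first.
Find-SuspiciousGpo | Sort-Object Modified -Descending | Format-List
```

Any GPO that both disables Defender and registers a task pointing at a freshly copied executable is the pattern worth treating as an incident rather than a misconfiguration. To find out who created the policy, pair the output with Directory Service Changes auditing on the domain controllers (event IDs 5137 for object creation and 5136 for modification under the Policies container).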
LockBit 2.0 also adopts a feature previously used by the Egregor ransomware operation: print-bombing the ransom note to every printer connected to the network.
In short, LockBit 2.0 has adopted a novel method of self-propagation by abusing Active Directory domain controllers: it disables the anti-malware protection on Windows PCs and uses the built-in Group Policy update mechanism to spread. This shows that the LockBit developers know the Windows platform well and are leaving no stone unturned in their effort to attract affiliates.
To read more, please check eScan Blog