
LockBit ransomware automates Windows domain encryption via group policies



A new version of the LockBit 2.0 ransomware has been found that automates the encryption of a Windows domain using Active Directory group policies.

The LockBit ransomware operation launched in September 2019 as a ransomware-as-a-service, where threat actors are recruited to breach networks and encrypt devices.

In return, the recruited affiliates earn 70-80% of a ransom payment, and the LockBit developers keep the rest.

Over the years, the ransomware operation has been very active, with a representative of the gang promoting the activity and providing support on hacking forums.

After ransomware topics were banned on hacking forums [1, 2], LockBit began promoting the new LockBit 2.0 ransomware-as-a-service operation on their data leak site.

LockBit 2.0 affiliate program features

Included with the new version of LockBit are numerous advanced features, with two of them outlined below.

Uses group policy update to encrypt network

LockBit 2.0 promotes a long list of features, with many used by other ransomware operations in the past.

However, one promoted feature stuck out where the developers claim to have automated the ransomware distribution throughout a Windows domain without the need for scripts.

When threat actors breach a network and finally gain control of the domain controller, they utilize third-party software to deploy scripts that disable antivirus and then execute the ransomware on the machines on the network.

In samples of the LockBit 2.0 ransomware discovered by MalwareHunterTeam and analyzed by BleepingComputer and Vitali Kremez, the threat actors have automated this process so that the ransomware distributes itself throughout a domain when executed on a domain controller.

When executed, the ransomware will create a new group policy update that disables Microsoft Defender's real-time protection, alerts, submitting samples to Microsoft, and default actions when detecting malicious files.

[Software\Policies\Microsoft\Windows Defender;DisableAntiSpyware]
[Software\Policies\Microsoft\Windows Defender\Real-Time Protection;DisableRealtimeMonitoring]
[Software\Policies\Microsoft\Windows Defender\Spynet;SubmitSamplesConsent]
[Software\Policies\Microsoft\Windows Defender\Threats;Threats_ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\UX Configuration;Notification_Suppress]

The ransomware will then run the following command to push the group policy update to all of the machines in the Windows domain.

powershell.exe -Command "Get-ADComputer -filter * -Searchbase '%s' | foreach{ Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}"

Kremez told BleepingComputer that during this process, the ransomware will also use Windows Active Directory APIs to perform LDAP queries against the domain controller's ADS to get a list of computers.

Using this list, the ransomware executable will be copied to each machine's desktop and a scheduled task will be created to launch the ransomware using the UAC bypass below:

Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration "DisplayCalibrator"

As the ransomware will be executed using a UAC bypass, the program will run silently in the background without any outward alert on the machine being encrypted.
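The chain above (Defender-disabling policy values, the forced domain-wide Invoke-GPUpdate, and the DisplayCalibrator UAC-bypass value) leaves distinct traces in endpoint telemetry. The following Python is an added detection example, not code from the article or from the LockBit sample; it assumes Sysmon-style records (Event 1 process creation with a CommandLine field, Event 13 registry value set with a TargetObject field) and runs over constructed sample events.

```python
import re

# Constructed Sysmon-style records for this example (Event 1 = process
# creation, Event 13 = registry value set); not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "CommandLine": "powershell.exe -Command \"Get-ADComputer -filter * "
     "-Searchbase 'DC=corp,DC=example' | foreach{ Invoke-GPUpdate -computer $_.name "
     "-force -RandomDelayInMinutes 0}\""},
    {"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"
     "\\Real-Time Protection\\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows NT"
     "\\CurrentVersion\\ICM\\Calibration\\DisplayCalibrator",
     "Details": "C:\\Users\\alice\\Desktop\\lb2.exe"},
    {"EventID": 1, "CommandLine": "gpupdate.exe /force"},  # routine admin refresh, benign
    {"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features"
     "\\TamperProtection", "Details": "DWORD (0x00000005)"},  # not under Policies, benign
]

# Value names from the GPO the article lists, lower-cased for matching.
DEFENDER_POLICY_VALUES = ("disableantispyware", "disablerealtimemonitoring",
                          "submitsamplesconsent", "threatseveritydefaultaction",
                          "notification_suppress")
DEFENDER_POLICY_PREFIX = "\\policies\\microsoft\\windows defender\\"
# Get-ADComputer fanned out into Invoke-GPUpdate with a zero random delay.
FORCED_GPUPDATE = re.compile(
    r"get-adcomputer.*invoke-gpupdate.*-randomdelayinminutes\s+0\b", re.I | re.S)

def classify(event):
    """Return a verdict string for a suspicious event, or None if nothing matched."""
    if event.get("EventID") == 1:
        if FORCED_GPUPDATE.search(event.get("CommandLine", "")):
            return "domain-wide forced GPO refresh from PowerShell"
    elif event.get("EventID") == 13:
        target = event.get("TargetObject", "").lower()
        if DEFENDER_POLICY_PREFIX in target and any(v in target for v in DEFENDER_POLICY_VALUES):
            return "Defender policy value written: " + target.rsplit("\\", 1)[-1]
        if target.endswith("\\icm\\calibration\\displaycalibrator"):
            return "DisplayCalibrator UAC-bypass value written"
    return None

def scan(events):
    """Return (index, verdict) pairs for every suspicious event in the stream."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]

if __name__ == "__main__":
    for i, verdict in scan(SAMPLE_EVENTS):
        print(f"event {i}: {verdict}")
```

Any one of these three hits on its own warrants a look; all three within minutes on a domain controller matches the sequence described above.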

While MountLocker had previously used Windows Active Directory APIs to perform LDAP queries, this is the first time we've seen a ransomware automate the distribution of the malware via group policies.

"This is the first ransomware operation to automate this process, and it allows a threat actor to disable Microsoft Defender and execute the ransomware on the entire network with a single command," Kremez told BleepingComputer.

"A new version of the LockBit 2.0 ransomware has been found that automates the interaction and subsequent encryption of a Windows domain using Active Directory group policies."

"The malware added a novel technique of interacting with active directory propagating ransomware to local domains as well as built-in updating global policy with anti-virus disable making "pentester" operations easier for new malware operators."

LockBit 2.0 print bombs network printers

LockBit 2.0 also includes a feature previously used by the Egregor Ransomware operation that print bombs the ransom note to all networked printers.

When the ransomware has finished encrypting a device, it will repeatedly print the ransom note to any connected network printers to get the victim's attention, as shown below.

Print bomb of ransom notes

In an Egregor attack against retail giant Cencosud, this feature caused ransom notes to shoot out of receipt printers after they carried out the attack.
