Security News > 2021 > July > LockBit ransomware automates Windows domain encryption via group policies

A new version of the LockBit 2.0 ransomware has been found that automates the encryption of a Windows domain using Active Directory group policies.
After ransomware topics were banned on hacking forums [1, 2], LockBit began promoting the new LockBit 2.0 ransomware-as-a-service operation on their data leak site.
In samples of the LockBit 2.0 ransomware discovered by MalwareHunterTeam and analyzed by BleepingComputer and Vitali Kremez, the threat actors have automated this process so that the ransomware distributes itself throughout a domain when executed on a domain controller.
Other group policies are created, including one to create a scheduled task on Windows devices that launches the ransomware executable.
While MountLocker had previously used Windows Active Directory APIs to perform LDAP queries, this is the first time we have seen a ransomware automate the distribution of the malware via group policies.
"A new version of the LockBit 2.0 ransomware has been found that automates the interaction and subsequent encryption of a Windows domain using Active Directory group policies."
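For defenders, the scheduled-task policy described above is something that can be audited. The following is an added example (not from the original article or the researchers it names) that reviews scheduled tasks pushed through Group Policy Preferences. It assumes the task is delivered as a `ScheduledTasks.xml` file in a GPO folder under SYSVOL; the sample XML, host and task names, and the review heuristics are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed, trimmed ScheduledTasks.xml (clsid/uid attributes omitted); not from a real sample.
SAMPLE_XML = r"""<ScheduledTasks>
  <ImmediateTaskV2 name="DisplayCalibrator" changed="2021-07-27 09:14:02">
    <Properties action="C" name="DisplayCalibrator" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>\\dc01.example.test\SYSVOL\example.test\scripts\tool.exe</Command>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 name="NightlyInventory" changed="2019-03-02 08:00:00">
    <Properties action="U" name="NightlyInventory" runAs="EXAMPLE\svc-inventory" logonType="Password">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>C:\Program Files\Inventory\scan.exe</Command><Arguments>/quiet</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>"""

TASK_KINDS = {"TaskV2", "ImmediateTaskV2"}  # legacy (non-V2) task items are not handled here
STAMP = "%Y-%m-%d %H:%M:%S"                 # format of the 'changed' attribute

def local(tag):
    """Drop an XML namespace prefix such as '{urn:x}Command'."""
    return tag.rsplit("}", 1)[-1]

def audit_gpo_tasks(xml_text, now, max_age_days=7, min_reasons=2):
    """Return (task name, commands, reasons) for GPO-pushed tasks worth reviewing."""
    findings = []
    for task in ET.fromstring(xml_text):
        kind = local(task.tag)
        props = next((c for c in task if local(c.tag) == "Properties"), None)
        if kind not in TASK_KINDS or props is None:
            continue
        cmds = [(e.text or "").strip() for e in props.iter() if local(e.tag) == "Command"]
        reasons = []
        changed = task.get("changed")
        if changed and now - datetime.strptime(changed, STAMP) <= timedelta(days=max_age_days):
            reasons.append("recently changed")
        if kind.startswith("Immediate"):
            reasons.append("runs once at next policy refresh")
        if props.get("runAs", "").lower().endswith("system"):
            reasons.append("runs as SYSTEM")
        if any(c.startswith("\\\\") for c in cmds):
            reasons.append("executable on a network share")
        if len(reasons) >= min_reasons:
            findings.append((task.get("name"), cmds, reasons))
    return findings

if __name__ == "__main__":
    for name, cmds, reasons in audit_gpo_tasks(SAMPLE_XML, datetime(2021, 7, 28)):
        print(f"REVIEW {name}: {cmds} ({'; '.join(reasons)})")
```

Run against every GPO folder in SYSVOL on a schedule, a check like this surfaces a newly created policy that pushes an executable to all domain machines, which is the distribution step the article describes.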