LockBit ransomware automates Windows domain encryption via group policies (Security News, July 2021)
A new version of the LockBit 2.0 ransomware has been found that automates the encryption of a Windows domain using Active Directory group policies.
After ransomware topics were banned on hacking forums [1, 2], LockBit began promoting the new LockBit 2.0 ransomware-as-a-service operation on their data leak site.
In samples of the LockBit 2.0 ransomware discovered by MalwareHunterTeam and analyzed by BleepingComputer and Vitali Kremez, the threat actors have automated the distribution step, so that the ransomware spreads itself throughout a domain when it is executed on a domain controller.
Other group policies are created as well, including one that creates a scheduled task on Windows devices to launch the ransomware executable.
While MountLocker had previously used Windows Active Directory APIs to perform LDAP queries, this is the first time we have seen ransomware automate the distribution of the malware via group policies.
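Because the distribution described above relies on a Group Policy Preferences scheduled task, a defender's first triage step is to audit the ScheduledTasks.xml files that Group Policy Preferences stores in SYSVOL (under each GPO's Machine\Preferences\ScheduledTasks folder) and flag tasks that run a program from a network share, use the "immediate task" type, or point outside the standard system directories. The following Python is an added example written for this page, not code from BleepingComputer, the researchers named above, or any LockBit sample; the XML is a constructed sample in the Group Policy Preferences format (TaskV2/ImmediateTaskV2 elements whose Properties carry a Task/Actions/Exec block), and the "trusted prefix" list and scoring rules are assumptions you would tune for your own environment.

```python
"""Triage Group Policy Preferences ScheduledTasks.xml for ransomware-style staging.

Assumed on-disk location of the real files (standard GPP layout):
  \\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
"""
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: one ordinary maintenance task and one immediate task that
# launches an executable staged on the NETLOGON share (the pattern worth flagging).
SAMPLE_SCHEDULEDTASKS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Defrag" image="0" uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="C" name="Defrag" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2">
        <Actions Context="Author">
          <Exec>
            <Command>%SystemRoot%\System32\defrag.exe</Command>
            <Arguments>C: /O</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="Update" image="0" uid="{22222222-2222-2222-2222-222222222222}">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2">
        <Actions Context="Author">
          <Exec>
            <Command>\\corp.example\netlogon\update.exe</Command>
            <Arguments></Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

# Assumed allowlist of locations a legitimately pushed task normally runs from.
TRUSTED_PREFIXES = (
    "%systemroot%\\", "c:\\windows\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)


@dataclass
class GppTask:
    kind: str        # element name: TaskV2, ImmediateTaskV2 or legacy Task
    name: str
    run_as: str
    command: str
    arguments: str
    uid: str


def parse_gpp_scheduled_tasks(xml_text: str) -> List[GppTask]:
    """Extract every task definition (program, arguments, account) from a GPP file."""
    root = ET.fromstring(xml_text)
    tasks = []
    for el in root:
        props = el.find("Properties")
        if props is None:
            continue
        exec_el = props.find("./Task/Actions/Exec")
        if exec_el is not None:
            command = (exec_el.findtext("Command") or "").strip()
            arguments = (exec_el.findtext("Arguments") or "").strip()
        else:
            # Legacy <Task> elements keep the program in attributes instead.
            command = props.get("appName", "")
            arguments = props.get("args", "")
        tasks.append(GppTask(el.tag, el.get("name", ""), props.get("runAs", ""),
                             command, arguments, el.get("uid", "")))
    return tasks


def triage(tasks: List[GppTask]) -> List[Tuple[GppTask, List[str]]]:
    """Return (task, reasons) for every task that matches a staging indicator."""
    findings = []
    for t in tasks:
        reasons = []
        cmd = t.command.lower()
        if t.kind == "ImmediateTaskV2":
            reasons.append("immediate task: runs on every host as soon as the policy applies")
        if cmd.startswith("\\\\"):
            reasons.append("program launched from a network share (SYSVOL/NETLOGON-style staging)")
        elif cmd and not cmd.startswith(TRUSTED_PREFIXES):
            reasons.append("program outside standard system directories")
        # Privilege only matters once another indicator fired; many benign tasks run as SYSTEM.
        if reasons and t.run_as.lower().endswith("system"):
            reasons.append("runs as SYSTEM")
        if reasons:
            findings.append((t, reasons))
    return findings


if __name__ == "__main__":
    # Pass a real ScheduledTasks.xml path as argv[1]; otherwise the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_SCHEDULEDTASKS_XML
    for task, reasons in triage(parse_gpp_scheduled_tasks(text)):
        print(f"[!] {task.kind} '{task.name}' uid={task.uid} runAs={task.run_as}")
        print(f"    command: {task.command} {task.arguments}".rstrip())
        for r in reasons:
            print(f"    - {r}")
```

Run against a copy of SYSVOL taken during an incident, the script lists which GPOs carry a task worth pulling apart; pair it with the GPO's creation and modification times (and the account that made the change) from the domain controller's Directory Service change auditing to reconstruct who pushed the policy and when.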