Windows Domains Are Now Encrypted by LockBit Ransomware Using Group Policies

A new version of the LockBit 2.0 ransomware has been discovered that automates the encryption of a Windows domain by using Active Directory group policies. The LockBit ransomware operation started in September 2019 as a ransomware-as-a-service, in which threat actors are recruited to breach networks and encrypt devices.

In return, the recruited affiliates earn 70-80% of a ransom payment, and the LockBit developers keep the rest. Over the years, the ransomware operation has been very active, with a representative of the group promoting the activity and providing support on hacking forums.

After ransomware topics were banned on hacking forums [1,2], LockBit started promoting the new LockBit 2.0 ransomware-as-a-service operation on its data leak site.


Included with the new version of LockBit are various advanced features, two of which are outlined below.

Uses a group policy update to encrypt the network

LockBit 2.0 promotes a long list of features, many of which other ransomware operations have used in the past. However, one advertised feature stood out: the developers claim to have automated the distribution of the ransomware throughout a Windows domain without the need for scripts.

When threat actors compromise a network and finally gain control of the domain controller, they typically use third-party software to deploy scripts that disable antivirus and then run the ransomware on the machines on the network. In samples of the LockBit 2.0 ransomware discovered by MalwareHunterTeam and examined by our experts and Vitali Kremez, the threat actors have automated this process so that the ransomware distributes itself throughout a domain when executed on a domain controller.

When run, the ransomware creates new group policies on the domain controller that are then pushed out to every device on the network. These policies disable Microsoft Defender's real-time protection, alerts, sample submission to Microsoft, and the default actions taken when malicious files are detected, as listed below:

[Software\Policies\Microsoft\Windows Defender;DisableAntiSpyware]
[Software\Policies\Microsoft\Windows Defender\Real-Time Protection;DisableRealtimeMonitoring]
[Software\Policies\Microsoft\Windows Defender\Spynet;SubmitSamplesConsent]
[Software\Policies\Microsoft\Windows Defender\Threats;Threats_ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\UX Configuration;Notification_Suppress]

Various group policies are created, including one that creates a scheduled task on Windows devices to run the ransomware executable. The ransomware then executes the following command to push the group policy update to all of the machines in the Windows domain:

powershell.exe -Command "Get-ADComputer -filter * -Searchbase '%s' | foreach{ Invoke-GPUpdate -computer $ -force -RandomDelayInMinutes 0}"

Kremez told our experts that during this process, the ransomware will also use Windows Active Directory APIs to perform LDAP queries against the domain controller’s ADS to get a list of systems.

Using this list, the ransomware executable is copied to each device's desktop, and the scheduled task configured by the group policies starts the ransomware using the UAC bypass below:

Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration "DisplayCalibrator"

Because the ransomware is executed through a UAC bypass, it runs silently in the background without any visible alert on the device being encrypted. While MountLocker had previously used Windows Active Directory APIs to perform LDAP queries, this is the first time we have seen ransomware automate its own distribution via group policies.
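To help a defender spot policy objects of the kind described above, here is an added PowerShell audit script (not LockBit code and not from the article). It assumes the GroupPolicy RSAT module and a domain account that can read every GPO, and it flags any GPO that sets the Defender policy values listed above or carries a scheduled-task preference, sorted so the most recently created GPOs come first.

```powershell
# Added audit script (not part of the article, not LockBit code). Assumes the
# GroupPolicy RSAT module and a domain account that can read every GPO.
Import-Module GroupPolicy

# Policy keys from the article; an empty value list means "flag any value set there".
$watched = @{
    'HKLM\Software\Policies\Microsoft\Windows Defender'                                    = @('DisableAntiSpyware')
    'HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection'               = @('DisableRealtimeMonitoring')
    'HKLM\Software\Policies\Microsoft\Windows Defender\Spynet'                             = @('SubmitSamplesConsent')
    'HKLM\Software\Policies\Microsoft\Windows Defender\Threats'                            = @('Threats_ThreatSeverityDefaultAction')
    'HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction' = @()
    'HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration'                   = @('Notification_Suppress')
}

function Get-SuspiciousGpo {
    foreach ($gpo in Get-GPO -All) {
        $hits = @()
        foreach ($key in $watched.Keys) {
            # Get-GPRegistryValue throws when the GPO never touches the key; that is the clean case.
            $values = Get-GPRegistryValue -Guid $gpo.Id -Key $key -ErrorAction SilentlyContinue
            foreach ($v in @($values | Where-Object { $_.HasValue })) {
                if ($watched[$key].Count -eq 0 -or $watched[$key] -contains $v.ValueName) {
                    $hits += "$($v.FullKeyPath)\$($v.ValueName)=$($v.Value)"
                }
            }
        }
        # Scheduled-task preferences are not registry policy, so look for them in the
        # GPO report XML and pull out the commands they would run (prefix-tolerant regex).
        $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        if ($report -match 'ScheduledTasks') {
            $cmds = [regex]::Matches($report, '<(?:\w+:)?Command>([^<]+)</') |
                ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique
            $hits += 'Scheduled task preference runs: ' + ($cmds -join ', ')
        }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Gpo      = $gpo.DisplayName
                Created  = $gpo.CreationTime
                Modified = $gpo.ModificationTime
                Findings = $hits -join '; '
            }
        }
    }
}

# A GPO created minutes ago that disables Defender and schedules a task is the alarm signal.
Get-SuspiciousGpo | Sort-Object Created -Descending | Format-Table -AutoSize -Wrap
```

Pair the output with Directory Service change events on the domain controllers to see which account created the flagged GPO and when.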

“This is the first ransomware operation to automate this process, and it permits a threat actor to disable Microsoft Defender and run the ransomware on the entire network with a single command,” Kremez told our experts.

“A new version of the LockBit 2.0 ransomware has been found that automates the interaction and consecutive encryption of a Windows domain using Active Directory group policies.” “The Trojan added a novel approach of interacting with Active Directory propagating with anti-virus disable making ‘pentester’ operations easier for new malware operators.”

How LockBit 2.0 Print-Bombs Network Printers

LockBit 2.0 also includes a feature previously used by the Egregor ransomware operation that print-bombs the ransom note to all networked printers.

When the ransomware has finished encrypting a device, it will also print the ransom note to any connected network printers to get the victim's attention, as shown below:
