Group policies enable ransomware spread

LockBit 2.0 ransomware can spread across a local network through group policies created on a hijacked domain controller.

The creation of ransomware became an underground industry some time ago, with technical support service, press centers, and advertising campaigns. As with any other industry, creating a competitive product requires continual improvement. LockBit, for example, is the latest in a series of cybercrime groups advertising the ability to automate infection of local computers through a domain controller.

LockBit follows the Ransomware as a Service (RaaS) model, providing its clients (the actual attackers) with infrastructure and malware, and receiving a share of the ransom. Breaking into the victim’s network is the contractor’s responsibility, but for distributing the ransomware across that network, LockBit has designed a fairly interesting technique.

LockBit 2.0’s distribution

After the attackers gain access to the network and reach the domain controller, Bleeping Computer reports, they run their malware on it, creating new user group policies, which are then automatically pushed to each device on the network. The policies first disable the operating system’s built-in security technology. Other policies then create a scheduled task on all Windows machines to run the ransomware executable.

Bleeping Computer cites researcher Vitali Kremez as saying that the ransomware uses the Windows Active Directory API to perform Lightweight Directory Access Protocol (LDAP) queries to get a list of computers. LockBit 2.0 then bypasses User Account Control (UAC) and runs silently, without triggering any alerts on the device being encrypted.
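The two-step pattern described above (a policy that switches off built-in protection, plus a policy that schedules an executable served from a network share) is something a defender can look for in a GPO export. The following checker is an added example, not code from Kaspersky, Bleeping Computer or the ransomware itself; the XML snippets are constructed and only loosely modelled on the Group Policy Preferences Registry.xml and ScheduledTasks.xml layout, and the list of "disabling" registry values and the host name dc01 are assumptions to adapt to your own environment.

```python
"""Flag Group Policy Preference items that disable protection or schedule
a task from a UNC path (added example; sample XML is constructed)."""
import xml.etree.ElementTree as ET

# Policy registry values that turn off protection when non-zero (assumed list).
DISABLING_VALUES = {
    ("SOFTWARE\\Policies\\Microsoft\\Windows Defender", "DisableAntiSpyware"),
    ("SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection",
     "DisableRealtimeMonitoring"),
}

def find_protection_disables(registry_xml):
    """Return (key, name) pairs from a Registry.xml that set a disabling value."""
    hits = []
    for props in ET.fromstring(registry_xml).iter("Properties"):
        pair = (props.get("key", ""), props.get("name", ""))
        # REG_DWORD values are stored as 8 hex digits in GPP XML.
        if pair in DISABLING_VALUES and int(props.get("value", "0"), 16) != 0:
            hits.append(pair)
    return hits

def find_unc_tasks(tasks_xml):
    """Return (task name, command) pairs whose command runs from a \\\\server path."""
    hits = []
    for task in ET.fromstring(tasks_xml).iter("TaskV2"):
        for cmd in task.iter("Command"):
            command = (cmd.text or "").strip()
            if command.startswith("\\\\"):
                hits.append((task.get("name", "?"), command))
    return hits

def audit_gpo(registry_xml, tasks_xml):
    """A GPO that shows both findings matches the spreading pattern above."""
    return {"disables_protection": find_protection_disables(registry_xml),
            "unc_tasks": find_unc_tasks(tasks_xml)}

# Constructed samples: one benign item and one suspicious item in each file.
REGISTRY_SAMPLE = """<RegistrySettings>
 <Registry name="DisableAntiSpyware"><Properties action="U" hive="HKEY_LOCAL_MACHINE"
  key="SOFTWARE\\Policies\\Microsoft\\Windows Defender" name="DisableAntiSpyware"
  type="REG_DWORD" value="00000001"/></Registry>
 <Registry name="Wallpaper"><Properties action="U" hive="HKEY_CURRENT_USER"
  key="Control Panel\\Desktop" name="Wallpaper" type="REG_SZ" value="C:\\corp.jpg"/></Registry>
</RegistrySettings>"""
TASKS_SAMPLE = """<ScheduledTasks>
 <TaskV2 name="Backup"><Properties action="C" runAs="NT AUTHORITY\\System"><Task version="1.2">
  <Actions><Exec><Command>C:\\Windows\\System32\\wbadmin.exe</Command></Exec></Actions></Task></Properties></TaskV2>
 <TaskV2 name="Update"><Properties action="C" runAs="NT AUTHORITY\\System"><Task version="1.2">
  <Actions><Exec><Command>\\\\dc01\\netlogon\\update.exe</Command></Exec></Actions></Task></Properties></TaskV2>
</ScheduledTasks>"""

if __name__ == "__main__":
    for finding, items in audit_gpo(REGISTRY_SAMPLE, TASKS_SAMPLE).items():
        print(finding, items)
```

Run it against the Registry.xml and ScheduledTasks.xml files under each GPO's Machine\Preferences folder in SYSVOL; a newly created GPO that trips both checks deserves an immediate look.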

Apparently, this represents the first-ever spread of mass-market malware through user group policies. In addition, LockBit 2.0 delivers ransom notes rather whimsically, by printing the note on all printers connected to the network.

How can I protect my company from similar threats?

Keep in mind that a domain controller is really a Windows server, and as such, it needs protection. Kaspersky Security for Windows Server, which comes with most of our endpoint security solutions for business and protects servers running Windows from most modern threats, should be part of your arsenal.

Ransomware spreading through group policies represents the last stage of an attack, however. Malicious activity should become apparent much earlier on, for example when attackers first enter the network or attempt to hijack the domain controller. Managed Detection and Response solutions are particularly effective at detecting the signs of that type of attack.

Most importantly, cybercriminals often use social engineering techniques and phishing e-mail to gain initial access. To keep your employees from falling for such tricks, improve their cybersecurity awareness with regular training.