The Latest Development in Ransomware – Distribution by Group Policy

As if ransomware distribution wasn’t effective enough, LockBit 2.0 reportedly has a new feature to keep an eye on. According to researchers, a new version of LockBit 2.0 leverages Active Directory group policies to automate the encryption process. Once actors have gained control of a domain controller, they deploy group policies to:

• disable Microsoft Defender’s real-time protection, alerts, and other default actions when detecting malicious files,
• create other group policies, including the creation of a scheduled task on Windows devices that launch the ransomware executable,
• run a command to push the group policy update to all of the machines in the Windows domain.

Additionally, LockBit 2.0 borrowed a page out of the Egregor ransomware book as it print bombs networked printers by repeatedly printing the ransom note to gain attention. Read more at BleepingComputer.