LockBit 2.0 Ransomware uses Group Policies To Encrypt Windows Domains

Cyber criminals unleashed a new propagation method that creates new group policies, increasing the threat to all Windows networks.

These group policies disable Microsoft Defender’s protections and create a scheduled task on the endpoints to execute the ransomware.

In addition to utilizing the double extortion threat of releasing stolen data unless a ransom is paid, Lockbit’s operators also maintain a darkweb site with a list of their victims, a countdown to when the data will be leaked, and access to the data once the time has expired. Lockbit 2.0’s ransom note also contains a message attempting to recruit unscrupulous employees or contractors to provide access to corporate networks for the Lockbit operators. These increased threats make it even more critical to ensure highly sensitive endpoints are properly secured.

What Is It?

A new variant of LockBit 2.0 ransomware unearthed by the MalwareHunterTeam contains a previously unseen propagation method. If the ransomware is executing on a Microsoft Windows domain controller, it can create new group policies which are deployed to all endpoints in that domain, disabling various protections and executing the Lockbit 2.0 ransomware. This capability represents an increased threat to all Windows networks and highlights the need to ensure highly sensitive endpoints, such as domain controllers, are properly secured.

First seen in September 2019, LockBit ransomware uses the popular ransomware-as-a-service (RaaS) model for distribution, via “affiliates” who are responsible for compromising networks and endpoints and then deploying the ransomware. A revenue sharing approach is used to split ransom payments between the affiliate and the LockBit operators, with 10-30% of the payments going to the operators, dependent on the size of the ransom. It has been reported that in Q1 2021, LockBit held a 7.5% share of the ransomware market, third behind REvil and Conti. LockBit also follows suit with most other major ransomware operators by utilizing the so-called double extortion approach of threatening to release data stolen from victim’s networks if they do not pay the ransom in a timely fashion. The LockBit operators maintain a darkweb site to list recent victims and how much time remains before their data will be released, it also allows for the downloading of data stolen from victims if the countdown has expired.

Figure 2: LockBit Darkweb Site Stolen Data Download (Redacted)

A LockBit ransomware attack chain consists of an affiliate obtaining, or purchasing, access to a target organization’s network. Once an initial foothold is established, the attacker will move laterally through the network, performing reconnaissance to determine the highest value endpoints, such as file servers, and exfiltrating sensitive data to be used for double extortion purposes. Ordinarily, the attacker will also work to deploy the ransomware to as many endpoints as possible and synchronize execution of the ransomware to ensure the maximum number of files are encrypted. However, in this case, if the attacker can locate and compromise a Microsoft Windows domain controller, LockBit 2.0 can use it to distribute new group policies to all endpoints in the domain. These group policies disable Microsoft Defender’s protections and created a scheduled task on the endpoints to execute the ransomware. Encrypted files are given the .lockbitfile extension, which is given its own icon, using the LockBit logo.

Figure 3: Encrypted files with .lockbit file extension

One interesting component of the Lockbit 2.0 ransom note, which is displayed by changing the wallpaper of the desktop of the infected endpoint, is that it contains a message (highlighted in the red rectangle in the figure below) attempting to recruit employees to provide access to corporate networks for the Lockbit 2.0 operators. The message begins by asking the question “Would you like to earn millions of dollars?”. While this might seem odd, given it is displayed on an infected system which is obviously part of an already compromised network, it is potentially aimed at unscrupulous external contractors who may have been called in to assist with the ransomware incident.

Figure 4: Ransom wallpaper

From a technical perspective, the LockBit 2.0 sample uses various techniques to attempt to evade detection and to make analysis more difficult. The method used by the sample to detect if it is being debugged is described in detail further below. As with other ransomware variants, the sample contains a large, encrypted list of process name strings which are terminated if they are found to be executing. These processes either relate to various endpoint security and malware analysis tools or applications such as databases, mail servers and clients, and Office productivity suites. The latter group may have locked access to sensitive data files while they are executing, files which would be highly advantageous for an attacker to encrypt, including databases and mail and document files.

Figure 5: List of Process Name Strings

Another common malware tactic is to obfuscate the calls made to the Windows API (Application Programming Interface), by not utilizing an import table and using one of several techniques to locate and call Windows API routines directly. LockBit 2.0 uses this tactic and others which mean that the structure of the executable itself is unusual. Windows executables use the Portable Executable (PE) file format, which is made up of specifically formatted headers and components called sections. Most Windows executables will contain sections which include .text, .data, .rsrc and .reloc, whereas LockBit 2.0 only contains .text and .data. The authors may have had many reasons for this, and while the sample is still a valid Windows executable, this approach does make the sample appear suspicious, particularly to a detection technology such as BluVector’s patented Machine Learning Engine (MLE). The following figures show the sections found in the sample and those found in the executable for the Notepad utility which comes as part of Microsoft Windows.Figure 6: Lockbit 2.0 Sections

Figure 7: Notepad.exe Sections

When analyzing a malware sample, malware analysts and reverse engineers use a debugger to follow and control the execution of a sample. Obviously, malware authors are aware of this and employ various techniques to detect if a sample is being executed in a debugger. In the case of this sample, debugger detection is accomplished by checking the value of the NtGlobalFlag, which is a well-known, but infrequently used method. The NtGlobalFlag is a specific byte which is part of the Process Environment Block (PEB), a data structure which deliberately poorly documented by Microsoft, as it intended for use only by the operating system itself. The NtGlobalFlag byte is located at offset 0x68 in the PEB. If the sample is being debugged, the NtGlobalFlag will be set to 0x70, which can also be represented as a lower-case letter p. The code from the sample checks the value of the NtGlobalFlag byte and if it shows the process is being debugged, the code will place itself in an infinite loop, which it achieves by having a JMP command jump to itself (highlighted in red in the figure below). This NtGlobalFlag check is the first code executed by the sample and is therefore obvious and is quite straightforward to circumvent.

Figure 8: Debugger checking code

How Does It Propagate?

The malware can propagate itself if it infects a Windows domain controller, it can create new group policies and deploy them, resulting in the infection of all endpoints in that domain. The most common initial attack vectors for LockBit ransomware are compromised RDP (Remote Desktop Protocol) servers and phishing emails.

When/How Did BluVector Detect It?

Two samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected both. Regression testing has shown both samples would have been detected 91 months prior to their release in July 2021.

All Threat Reports