In samples of the LockBit 2.0 ransomware, which was discovered by MalwareHunterTeam, a new version of LockBit 2.0 was found, which automates the encryption of a Windows domain using Active Directory group policies.<\/p>\n\n\n\n
After they have broken through a network and gained control of the domain controller, threat actors use third-party software to deploy scripts that disable antivirus and execute the ransomware on the computer in the network.<\/p>\n\n\n\n
In samples of the LockBit 2.0 ransomware discovered, threat actors automate the process to ensure that the ransomware distributes itself in a domain when run on a domain controller.<\/p>\n\n\n\n
This creates new group policies for the domain controller, which are then transferred to every device in the network.<\/p>\n\n\n\n
These policies can then disable Microsoft Defender’s real-time protection, trigger alerts, submit samples to Microsoft, and take default actions to detect malicious files.<\/p>\n\n\n