{
	"id": "28b48290-7c79-4906-9489-f0ad53d357b7",
	"created_at": "2026-04-06T00:15:33.094481Z",
	"updated_at": "2026-04-10T13:12:17.096895Z",
	"deleted_at": null,
	"sha1_hash": "5a26aebe720319061bad2a0c5ae0e0d897798311",
	"title": "LockBit ransomware now encrypts Windows domains using group policies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4431899,
	"plain_text": "LockBit ransomware now encrypts Windows domains using group policies\r\nBy Lawrence Abrams\r\nPublished: 2021-07-27 · Archived: 2026-04-05 14:34:26 UTC\r\nA new version of the LockBit 2.0 ransomware has been found that automates the encryption of a Windows domain using Active Directory group policies.\r\nThe LockBit ransomware operation launched in September 2019 as a ransomware-as-a-service, where threat actors are recruited to breach networks and encrypt devices.\r\nIn return, the recruited affiliates earn 70-80% of a ransom payment, and the LockBit developers keep the rest.\r\nOver the years, the ransomware operation has been very active, with a representative of the gang promoting the activity and providing support on hacking forums.\r\nAfter ransomware topics were banned on hacking forums [1, 2], LockBit began promoting the new LockBit 2.0 ransomware-as-a-service operation on their data leak site.\r\nLockBit 2.0 affiliate program features\r\nIncluded with the new version of LockBit are numerous advanced features, two of which are outlined below.\r\nUses group policy update to encrypt network\r\nLockBit 2.0 promotes a long list of features, many of which have been used by other ransomware operations in the past.\r\nHowever, one promoted feature stands out: the developers claim to have automated the distribution of the ransomware throughout a Windows domain without the need for scripts.\r\nWhen threat actors breach a network and finally gain control of the domain controller, they typically use third-party software to deploy scripts that disable antivirus and then execute the ransomware on the machines on the network.\r\nIn samples of the LockBit 2.0 ransomware discovered by MalwareHunterTeam and analyzed by BleepingComputer and Vitali Kremez, the threat actors have automated this process so that the ransomware distributes itself throughout a domain when executed on a domain controller.\r\nWhen executed, the ransomware will create new group policies on the domain controller that are then pushed out to every device on the network.\r\nThese policies disable Microsoft Defender's real-time protection, alerts, submission of samples to Microsoft, and default actions when detecting malicious files, as shown below.\r\n[General]\r\nVersion=%s\r\ndisplayName=%s\r\n[Software\\Policies\\Microsoft\\Windows Defender;DisableAntiSpyware]\r\n[Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection;DisableRealtimeMonitoring]\r\n[Software\\Policies\\Microsoft\\Windows Defender\\Spynet;SubmitSamplesConsent]\r\n[Software\\Policies\\Microsoft\\Windows Defender\\Threats;Threats_ThreatSeverityDefaultAction]\r\n[Software\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction]\r\n[Software\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction]\r\n[Software\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction]\r\n[Software\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction]\r\n[Software\\Policies\\Microsoft\\Windows Defender\\UX Configuration;Notification_Suppress]\r\nOther group policies are created, including one that creates a scheduled task on Windows devices that launches the ransomware executable.\r\nThe ransomware will then run the following command to push the group policy update to all of the machines in the Windows domain:\r\npowershell.exe -Command \"Get-ADComputer -filter * -Searchbase '%s' | foreach{ Invoke-GPUpdate -computer $_.name -force -R\r\nKremez told BleepingComputer that during this process, the ransomware will also use Windows Active Directory APIs to perform LDAP queries against the domain controller's directory service to get a list of computers.\r\nUsing this list, the ransomware executable is copied to each device's desktop, and the scheduled task configured by group policy launches the ransomware using the UAC bypass below:\r\nSoftware\\Microsoft\\Windows NT\\CurrentVersion\\ICM\\Calibration \"DisplayCalibrator\"\r\nAs the ransomware is executed using a UAC bypass, the program runs silently in the background without any outward alert on the device being encrypted.\r\nWhile MountLocker had previously used Windows Active Directory APIs to perform LDAP queries, this is the first time we have seen ransomware automate the distribution of the malware via group policies.\r\n\"This is the first ransomware operation to automate this process, and it allows a threat actor to disable Microsoft Defender and execute the ransomware on the entire network with a single command,\" Kremez told BleepingComputer.\r\n\"A new version of the LockBit 2.0 ransomware has been found that automates the interaction and subsequent encryption of a Windows domain using Active Directory group policies.\"\r\n\"The malware added a novel approach of interacting with Active Directory, propagating ransomware to local domains, as well as built-in updating of global policy with an anti-virus disable, making \"pentester\" operations easier for new malware operators.\"\r\nLockBit 2.0 print bombs network printers\r\nLockBit 2.0 also includes a feature previously used by the Egregor ransomware operation that print bombs the ransom note to all networked printers.\r\nWhen the ransomware has finished encrypting a device, it will repeatedly print the ransom note to any connected network printers to get the victim's attention, as shown below.\r\nPrint bomb of ransom notes\r\nIn an Egregor attack against retail giant Cencosud, this feature caused ransom notes to shoot out of receipt printers after the attack.\r\nSource: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/"
	],
	"report_names": [
		"lockbit-ransomware-now-encrypts-windows-domains-using-group-policies"
	],
	"threat_actors": [],
	"ts_created_at": 1775434533,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a26aebe720319061bad2a0c5ae0e0d897798311.pdf",
		"text": "https://archive.orkl.eu/5a26aebe720319061bad2a0c5ae0e0d897798311.txt",
		"img": "https://archive.orkl.eu/5a26aebe720319061bad2a0c5ae0e0d897798311.jpg"
	}
}
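The policy listing in the article is what the ransomware writes into the Registry.pol of the GPO it creates on the domain controller, and that file is the artefact a responder can hunt for: it sits in SYSVOL under each policy GUID (Machine\Registry.pol and User\Registry.pol) and survives in a forensic image of the DC. The following Python is an added example, not code from the article, from BleepingComputer or from the LockBit sample. It parses the documented PReg format of Registry.pol and flags the Defender kill-switch values and the ICM\Calibration DisplayCalibrator value the article names. Two assumptions: the data values that count as "disabled" (1, or 2 meaning "never send" for SubmitSamplesConsent) follow Microsoft's documented policy semantics, since the article does not print the data the sample writes; and the sample file, including its data values and the payload path, is constructed inline for illustration.

```python
"""Scan a Group Policy Registry.pol (PReg) file for the Microsoft Defender
policy values LockBit 2.0 pushes through a domain-wide GPO. Registry.pol is
b"PReg" + DWORD version 1, then entries [key;value;type;size;data] with the
brackets, semicolons and NUL-terminated strings encoded as UTF-16LE."""
import struct
import sys
from dataclasses import dataclass

PREG_HEADER = b"PReg" + struct.pack("<I", 1)
REG_SZ, REG_DWORD = 1, 4
DEFENDER_ROOT = "software\\policies\\microsoft\\windows defender"
# Values the article shows the sample setting. The disabling data (1, or 2 = "never
# send" for SubmitSamplesConsent) is the documented policy meaning, an assumption here.
KILL_SWITCHES = {
    (DEFENDER_ROOT, "disableantispyware"): 1,
    (DEFENDER_ROOT + "\\real-time protection", "disablerealtimemonitoring"): 1,
    (DEFENDER_ROOT + "\\spynet", "submitsamplesconsent"): 2,
    (DEFENDER_ROOT + "\\ux configuration", "notification_suppress"): 1,
}
# Per-user value the article names as the UAC bypass that launches the payload.
UAC_BYPASS = ("software\\microsoft\\windows nt\\currentversion\\icm\\calibration", "displaycalibrator")


@dataclass
class PolEntry:
    key: str
    value: str
    reg_type: int
    data: bytes

    def decoded(self):  # DWORD as int, REG_SZ without its trailing NUL, else hex
        if self.reg_type == REG_DWORD and len(self.data) == 4:
            return struct.unpack("<I", self.data)[0]
        if self.reg_type == REG_SZ:
            return self.data.decode("utf-16-le", "replace").rstrip("\0")
        return self.data.hex()


def _u16(s):
    return s.encode("utf-16-le")


def build_registry_pol(entries):
    """Serialise (key, value, type, data) tuples as PReg; used here to construct sample input."""
    out = bytearray(PREG_HEADER)
    for key, value, reg_type, data in entries:
        out += _u16("[") + _u16(key + "\0") + _u16(";") + _u16(value + "\0") + _u16(";")
        out += struct.pack("<I", reg_type) + _u16(";") + struct.pack("<I", len(data)) + _u16(";")
        out += data + _u16("]")
    return bytes(out)


def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def _read_cstr(buf, pos):
    end = pos  # scan in 2-byte steps so a NUL byte inside a code unit is not mistaken for the terminator
    while end + 1 < len(buf) and buf[end:end + 2] != b"\0\0":
        end += 2
    if end + 1 >= len(buf):
        raise ValueError(f"unterminated string at offset {pos}")
    return buf[pos:end].decode("utf-16-le"), end + 2


def parse_registry_pol(buf):
    if buf[:8] != PREG_HEADER:
        raise ValueError("not a version-1 PReg file")
    entries, pos = [], 8
    while pos < len(buf):
        key, pos = _read_cstr(buf, _expect(buf, pos, "["))
        value, pos = _read_cstr(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        reg_type = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data, pos = buf[pos:pos + size], pos + size
        pos = _expect(buf, pos, "]")
        entries.append(PolEntry(key, value, reg_type, data))
    return entries


def scan_registry_pol(buf):
    """Return (severity, key, value, decoded data) findings, HIGH before MEDIUM."""
    findings = []
    for e in parse_registry_pol(buf):
        k, v, d = e.key.lower(), e.value.lower(), e.decoded()
        if KILL_SWITCHES.get((k, v)) == d or (k, v) == UAC_BYPASS:
            findings.append(("HIGH", e.key, e.value, d))
        elif k.startswith(DEFENDER_ROOT):  # any other Defender policy pushed by GPO deserves a look
            findings.append(("MEDIUM", e.key, e.value, d))
    return sorted(findings, key=lambda f: f[0] != "HIGH")


# Constructed sample mirroring the article's listing; data values and payload path are illustrative.
SAMPLE_POL = build_registry_pol([
    ("Software\\Policies\\Microsoft\\Windows Defender", "DisableAntiSpyware", REG_DWORD, struct.pack("<I", 1)),
    ("Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection", "DisableRealtimeMonitoring", REG_DWORD, struct.pack("<I", 1)),
    ("Software\\Policies\\Microsoft\\Windows Defender\\Spynet", "SubmitSamplesConsent", REG_DWORD, struct.pack("<I", 2)),
    ("Software\\Policies\\Microsoft\\Windows Defender\\Threats", "Threats_ThreatSeverityDefaultAction", REG_DWORD, struct.pack("<I", 1)),
    ("Software\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction", "5", REG_SZ, _u16("6\0")),
    ("Software\\Policies\\Microsoft\\Windows Defender\\UX Configuration", "Notification_Suppress", REG_DWORD, struct.pack("<I", 1)),
    ("Software\\Microsoft\\Windows NT\\CurrentVersion\\ICM\\Calibration", "DisplayCalibrator", REG_SZ, _u16("C:\\Users\\Public\\Desktop\\payload.exe\0")),
    ("Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", "NoAutoUpdate", REG_DWORD, struct.pack("<I", 0)),  # benign control entry
])

if __name__ == "__main__":  # python scan_pol.py [Registry.pol]; with no argument the constructed sample is scanned
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_POL
    for sev, key, value, data in scan_registry_pol(blob):
        print(f"{sev:6} {key}\\{value} = {data!r}")
```

Run it against a Registry.pol copied out of SYSVOL (or `gpresult`'s view of applied policy will show the same values on an endpoint) and correlate any HIGH finding with the GPO's creation time and creator. Any other value under Software\Policies\Microsoft\Windows Defender is reported as MEDIUM, since a GPO that touches Defender policy at all warrants a look. The scheduled-task policy the article mentions is a Group Policy Preference stored in a separate ScheduledTasks.xml under the same policy GUID, which this parser does not cover.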