Ransomware attacks continue to rattle organizations across the globe. Especially worrisome is the fact that many of them are exploiting Active Directory (AD), a crucial technology that forms the very foundation of most of today’s IT environments.

Access to an organization’s AD is invaluable to attackers for to two key reasons. One, AD is used to store a  plethora of identity-related information including user permissions, passwords, and devices present in the network. Two, it provides central management of various entities in the network including servers, workstations, and applications.

 Take for example LockBit ransomware 2.0, which is an improved version of the LockBit ransomware that was first discovered in 2019. The LockBit ransomware gang distributes the malware using the Ransomware as a Service model, where the attackers package the malware with all the necessary tools needed to carry out an attack and sell it to affiliates who execute the attack. Security researchers have found that the new variant, active since June, is being marketed by its developers as the fastest ransomware available in the market, as it can automatically encrypt domain-joined systems in the network by leveraging AD group policy.

Group policy is a feature in AD that lets administrators centrally manage users and computers joined to a domain. Administrators can block users from installing any third-party software, configure scripts that run during device start-up or shutdown, block access to the command prompt, and much more. Simply put, with Group Policy, administrators can control how devices in the network work. But without it, administrators will have to individually login into each computer to make any changes.

 In the case of LockBit 2.0, researchers have found that once the ransomware makes its way to the domain controller (DC), it creates group policies that can disable Windows Defender and execute the ransomware module in each machine.

 Similarly, other ransomware strains such as Conti also rely on gaining control over the DC and spreading to the devices in the network.

 AD misconfigurations such as weak passwords for user accounts including domain admin accounts, presence of inactive accounts with non-expiring passwords, unchecked user privileges are all factors that attackers exploit to gain control over the DC. To prevent falling prey to ransomware attacks, organizations need to step up their efforts towards strengthening AD security.

 Download our ransomware guide to learn about:

  • Real-world examples of ransomware attacks that exploited AD.

  • Common stages in a ransomware attack that involve AD exploitation.

  • Five defense measures that can stop ransomware from taking over AD.