Ransomware Lockbit and Windows Server 2019 DC

Hi. 

Today I detected a Lockbit ransomware attack at 7.00 a.m. (out of working hours) on my Windows Server 2010 DC, which is now unusable.

The question is: how is it possible that I detected this type of attack on a DC used exclusively by me (the Domain Administrator), only for maintenance purposes, and not every day but only a few days a month?

The DC has only two roles:

  • Active Directory
  • WSUS server.

I don't use it to browse the internet, except when I must download installation files from sites such as Microsoft, Symantec, and so on...

In particular, the last access to my DC was Friday, while the attack was detected today (Saturday) at 7.00 A.M.

Any idea?

Thanks in advance

lockbit.png


5 Replies

You can browse here to learn more about the ransomware.

https://bfy.tw/P2gy


@Dave Patrick 

Hi Dave. 

The reason for my post is not to learn what ransomware is or how to fight against it and restore everything.

I know this type of cyber attack well.

My doubts regard how this type of malware can affect a Windows Server DC that, by definition, is not used to browse the internet, access mail, or do all the other activities that a client computer usually does every day.

This time the ransomware has attacked a server, not a client.

And this server, in particular, fills only the AD role and the WSUS role.

Nothing else.

 

You asked how it happens. The first step is understanding how it works, so you can browse the links in order to get an understanding. Asking for help here may be more appropriate:

https://answers.microsoft.com/en-us/protect/forum

https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bd-p/MicrosoftDefenderATP


Is your DC patched?
There are many vectors.
Are you recording security logs and shipping them off to a SIEM/SOAR platform?
SMB, SAM-R, RDP, PowerShell, WMI...
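Each of the vectors listed above (RDP, SMB/SAM-R, PowerShell remoting, WMI) has to authenticate to the DC, and that authentication is recorded in the Security log as 4624 (success) and 4625 (failure) with a logon type and a source address. The PowerShell below is an added example, not code from the thread: it flattens those events into records, groups remote logons by account, type and source, and flags an address that failed repeatedly and then succeeded, which is the signature of the password-guessing that typically precedes a ransomware deployment. The event IDs and logon types are the documented Windows values; the sample records, the account names, the addresses, the dates and the failure threshold are constructed for offline use and are assumptions.

```powershell
# Added example (not from the thread): triage a DC's Security log for the
# remote-access vectors named in the reply. Runs offline against constructed
# sample records; the commented call at the end is the live version for the DC.

# Flatten a Security event into Id/Time plus its named EventData fields, so the
# same summary code works on live events and on constructed samples.
function ConvertTo-EventRecord {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $rec = @{ Id = $Event.Id; Time = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $rec[$d.Name] = $d.'#text' }
    return $rec
}

function Get-RemoteAccessSummary {
    param(
        [Parameter(Mandatory)][hashtable[]]$Records,
        [int]$FailureThreshold = 5          # assumption: 5+ failures from one source is worth a look
    )
    # Logon types that reach a DC over the network: 3 = Network (SMB, SAM-R, WMI,
    # PowerShell remoting), 10 = RemoteInteractive (RDP).
    $remoteTypes = @('3', '10')
    $success = @($Records | Where-Object { $_.Id -eq 4624 -and $remoteTypes -contains $_.LogonType })
    $failed  = @($Records | Where-Object { $_.Id -eq 4625 })

    # Who logged on remotely, how, and from where.
    $remoteLogons = $success |
        Group-Object { '{0}\{1} type={2} from={3}' -f $_.TargetDomainName, $_.TargetUserName, $_.LogonType, $_.IpAddress } |
        Sort-Object Count -Descending | Select-Object Count, Name

    # Failed logons by source address.
    $failedBySource = $failed | Group-Object { $_.IpAddress } |
        Sort-Object Count -Descending | Select-Object Count, Name

    # Sources that failed repeatedly and then got in: guessing followed by success.
    $suspect = foreach ($g in ($failed | Group-Object { $_.IpAddress })) {
        if ($g.Count -lt $FailureThreshold) { continue }
        $firstOk = $success | Where-Object { $_.IpAddress -eq $g.Name } |
            Sort-Object { $_.Time } | Select-Object -First 1
        if ($firstOk) {
            [pscustomobject]@{ Source = $g.Name; Failures = $g.Count
                               FirstSuccess = $firstOk.Time; Account = $firstOk.TargetUserName }
        }
    }

    [pscustomobject]@{ RemoteLogons = $remoteLogons; FailedBySource = $failedBySource
                       BruteForceThenSuccess = @($suspect) }
}

# Constructed sample records (not real logs). Friday: the admin's own RDP session.
# Saturday 06:41-06:46: six failed RDP guesses for Administrator from one external
# address, then a success at 06:52 and a network (type 3) logon used for SMB/WMI.
$sample = [System.Collections.Generic.List[hashtable]]::new()
$sample.Add(@{ Id = 4624; Time = [datetime]'2020-09-04 17:10'; TargetDomainName = 'CORP'
               TargetUserName = 'admin.cm'; LogonType = '10'; IpAddress = '10.0.0.25' })
foreach ($i in 1..6) {
    $sample.Add(@{ Id = 4625; Time = ([datetime]'2020-09-05 06:40').AddMinutes($i); TargetDomainName = 'CORP'
                   TargetUserName = 'Administrator'; LogonType = '10'; IpAddress = '203.0.113.7' })
}
$sample.Add(@{ Id = 4624; Time = [datetime]'2020-09-05 06:52'; TargetDomainName = 'CORP'
               TargetUserName = 'Administrator'; LogonType = '10'; IpAddress = '203.0.113.7' })
$sample.Add(@{ Id = 4624; Time = [datetime]'2020-09-05 06:55'; TargetDomainName = 'CORP'
               TargetUserName = 'Administrator'; LogonType = '3';  IpAddress = '203.0.113.7' })

$report = Get-RemoteAccessSummary -Records $sample
'== Remote logons by account/type/source =='; $report.RemoteLogons | Format-Table -AutoSize
'== Failed logons by source ==';              $report.FailedBySource | Format-Table -AutoSize
'== Repeated failures followed by success =='; $report.BruteForceThenSuccess | Format-Table -AutoSize

# On the DC itself (as a domain admin), feed the real window between the last
# legitimate session and the detection time to the same function:
#   $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625
#               StartTime = [datetime]'2020-09-04 17:00'; EndTime = [datetime]'2020-09-05 07:00' } |
#           ForEach-Object { ConvertTo-EventRecord -Event $_ }
#   Get-RemoteAccessSummary -Records $live
```

The 4625 burst will only be present if failed-logon auditing is enabled on the DC (Logon/Logoff: Audit Logon, failure), and 4624 type 3 events will show the DC's own name as the source when the caller came over a VPN or NAT, so the source address is a lead, not proof. If the log has already been cleared by the ransomware, event 1102 ("audit log was cleared") is itself the finding, and the same window has to be rebuilt from the SIEM copy the reply asks about.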

@cosimo mercuro 

 

Are your servers up to date on the points below?

- Are the security updates on the system the latest?

- Is there antivirus software on the server?

 

There are a lot of reasons systems get attacked, and in the past I have seen a direct attack on a DC; sometimes the virus is already in your environment, just the target changes, and we realize it later on.

 

Go through the doc and follow the guidelines so that the systems will be secure, and to see how you can prevent future attacks:

https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-c...
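The two checklist items above (latest security updates, antivirus on the server) plus the remote-access services named earlier in the thread (RDP, SMB, WinRM) can be read off a DC in one pass. The script below is an added example, not code from the thread or from Microsoft: it reports the newest installed hotfix and its age, Defender real-time and signature status, whether RDP is enabled and requires NLA, whether SMBv1 is still on, and which of the remote-management ports are listening. All cmdlets and registry values are the standard Windows ones; the 30-day patch-age threshold is an assumption, and the Defender checks only apply when Defender is the installed AV.

```powershell
# Added example (not from the thread): one-shot hygiene report for a DC covering
# patch age, AV state and exposed remote-management services. Run as an
# administrator on the DC. The 30-day threshold is an assumption.
function Get-DcHygieneReport {
    param([int]$MaxPatchAgeDays = 30)

    # Newest installed update and how old it is (InstalledOn can be empty).
    $lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $patchAge  = if ($lastPatch) { (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days } else { $null }

    # Defender status; the cmdlet is absent/empty when a third-party AV owns the box.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    # RDP enabled? NLA required? SMBv1 still on? WinRM running?
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue

    # Remote-management ports and the address they are bound to (0.0.0.0 = every interface).
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 3389, 445, 5985, 5986 } |
        Select-Object LocalAddress, LocalPort, OwningProcess

    [pscustomobject]@{
        LastHotFix            = if ($lastPatch) { $lastPatch.HotFixID } else { $null }
        LastHotFixInstalledOn = if ($lastPatch) { $lastPatch.InstalledOn } else { $null }
        PatchOlderThanLimit   = ($null -eq $patchAge) -or ($patchAge -gt $MaxPatchAgeDays)
        DefenderRealTime      = if ($mp) { $mp.RealTimeProtectionEnabled } else { 'no Defender (check third-party AV)' }
        DefenderSigAgeDays    = if ($mp) { $mp.AntivirusSignatureAge } else { $null }
        RdpEnabled            = if ($ts)  { $ts.fDenyTSConnections -eq 0 } else { $null }
        RdpNlaRequired        = if ($rdp) { $rdp.UserAuthentication -eq 1 } else { $null }
        Smb1Enabled           = if ($smb) { $smb.EnableSMB1Protocol } else { $null }
        WinRmStatus           = (Get-Service WinRM -ErrorAction SilentlyContinue).Status
        RemoteListeners       = $listeners
    }
}

Get-DcHygieneReport | Format-List
```

A DC that answers on 3389 to 0.0.0.0 without NLA, or that still speaks SMBv1, is reachable by exactly the vectors the earlier reply lists, regardless of whether anyone ever browses the web from it; the report is meant to be kept alongside the event-log findings when the incident is written up.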