New strain of ransomware spreads via SYSVOL shares
Researchers at Varonis have uncovered a new ransomware variant that spreads, and tracks its own progress, via the SYSVOL share on Active Directory domain controllers.
The ransomware encrypts files, appending the extension '.SaveTheQueen' to each one, and creates a file called 'hourly' in the SYSVOL share folder.
SYSVOL is a crucial folder on each domain controller, used to deliver Group Policy Objects (GPOs) and logon scripts to domain workstations. Its content is replicated between the domain controllers to keep data synchronized across an organization's sites. Writing to SYSVOL requires high domain privileges; once those privileges are compromised, however, SYSVOL becomes a powerful asset for attackers, who can use it to spread malicious content quickly through the domain, because every domain-joined machine reads from it by design.
Although the ransomware itself doesn't feature any unusual techniques, the attackers' creative use of Active Directory to spread both the dropper and the malware is an interesting development, and it presented some stiff challenges for the researchers.
It's believed the attackers wrote the ransomware with built-in winlogon.exe injection and file encryption functionality. They then obfuscated the malicious code with ConfuserEx (a .NET obfuscator), wrapped the obfuscated code with Donut (which packages .NET assemblies as position-independent shellcode), and further encoded the result with base64 and Gzip to hide their tracks.
Once they had elevated privileges on the victim's domain, they used them to copy the encoded malware and a scheduled task to the domain's SYSVOL share. PowerShell code was then run on devices across the domain to propagate the malware and to log the progress of the attack back into SYSVOL.
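The two SYSVOL conditions described above, unexpected write access and unexpected files dropped into the share, are both things a defender can audit. The following PowerShell is an added example written for this page; it is not Varonis's code and is not taken from the report. It assumes a domain-joined host with read access to SYSVOL, that $Domain resolves to the AD DNS name, that the $ExpectedWriters list reflects a default domain (tune it for yours), and that the extension allowlist is only a heuristic for what GPO content normally looks like.

```powershell
# Added example (not from Varonis or this article): audit a domain's SYSVOL share for
# (a) principals outside the expected administrative groups holding write rights, and
# (b) recently created or modified files that do not look like GPO content.
# Assumptions: $Domain resolves to the AD DNS name; $ExpectedWriters reflects a default
# domain and must be tuned; $ExpectedExtensions is a heuristic, not a complete list.
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [string]$NetbiosDomain = $env:USERDOMAIN,
    [int]$LookbackHours = 24
)

$SysvolRoot = "\\$Domain\SYSVOL\$Domain"

# Principals that hold write access on SYSVOL in a default deployment.
$ExpectedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CREATOR OWNER',
    "$NetbiosDomain\Domain Admins",
    "$NetbiosDomain\Enterprise Admins",
    "$NetbiosDomain\Group Policy Creator Owners"
)

# Only the rights that let a principal change content. ReadAndExecute, which
# Authenticated Users legitimately hold on SYSVOL, shares no bits with this mask.
$WriteBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteExtendedAttributes, WriteAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Unmapped generic rights can also appear in ACEs: GENERIC_ALL | GENERIC_WRITE.
$GenericWriteBits = 0x10000000 -bor 0x40000000

# Extensions normally found under SYSVOL (GPO templates, preferences, scripts).
$ExpectedExtensions = @('.pol', '.ini', '.inf', '.adm', '.admx', '.adml', '.xml',
                        '.cmtx', '.aas', '.msi', '.bat', '.cmd', '.vbs', '.ps1')

function Get-UnexpectedSysvolWriters {
    param([string]$Path = $SysvolRoot)
    # Check the root itself plus every directory beneath it.
    $dirs = @(
        Get-Item -Path $Path -ErrorAction SilentlyContinue
        Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue
    )
    foreach ($dir in $dirs) {
        $acl = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights   = [int]$ace.FileSystemRights
            $canWrite = (($rights -band [int]$WriteBits) -ne 0) -or
                        (($rights -band $GenericWriteBits) -ne 0)
            if (-not $canWrite) { continue }
            if ($ExpectedWriters -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Path      = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-SuspiciousSysvolFiles {
    param(
        [string]$Path = $SysvolRoot,
        [datetime]$Since = (Get-Date).AddHours(-$LookbackHours)
    )
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
        Where-Object {
            # A file with no extension at all (such as a bare 'hourly' marker) or an
            # extension not normally seen in GPO content is worth a closer look.
            $_.Extension -eq '' -or ($ExpectedExtensions -notcontains $_.Extension.ToLower())
        } |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}

Get-UnexpectedSysvolWriters | Format-Table -AutoSize
Get-SuspiciousSysvolFiles   | Format-Table -AutoSize
```

Run it from a management host rather than a domain controller, and treat any hit from the first function as a finding to explain before the second function's output is even interesting: a non-administrative principal with write access to Policies or scripts is exactly the foothold this campaign needed. The extension check will produce some noise in environments that store installers or custom payloads under SYSVOL, which is why the output lists timestamps and sizes for triage instead of acting on the files.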
You can find out about the attack in more detail on the Varonis blog.
Photo credit: Ton Snoei / Shutterstock