Wednesday, February 5, 2020

New strain of ransomware spreads via SYSVOL shares

Researchers at Varonis have uncovered a new ransomware variant that spreads and tracks its progress via the SYSVOL share on Active Directory domain controllers. The ransomware encrypts files, appends the extension '.SaveTheQueen' to them, and creates a file called 'hourly' in the SYSVOL share folder. SYSVOL is a crucial folder on each domain controller, used to deliver Group Policy (GPO) and logon scripts to domain workstations. Its contents are replicated between the domain controllers to keep data synchronized across the organization's sites. Writing to SYSVOL requires high domain privileges; however, once those are compromised, it becomes a powerful asset for…
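A defender's sweep of SYSVOL for the two indicators named in the summary, written as an added example for this post; it is not code from Varonis or from the original write-up. The extension and file name are the ones on the page; the list of principals expected to hold write access, the use of the ActiveDirectory RSAT module, and the assumption that the account running it can read every domain controller's SYSVOL are this example's own.

```powershell
# Added example (not from the Varonis research): sweep the SYSVOL share on every
# domain controller for the indicators named in the summary, and flag write
# access granted to principals outside an expected set.
# Assumes the ActiveDirectory RSAT module is installed and the current account
# can read \\<dc>\SYSVOL on each domain controller.
Import-Module ActiveDirectory

# Indicators taken from the summary above.
$IndicatorExtension = '.SaveTheQueen'
$IndicatorFileName  = 'hourly'

# Assumption: principals that legitimately hold write rights on the SYSVOL root.
# Adjust this list to match your own domain's baseline before trusting the output.
$ExpectedWriters = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'CREATOR OWNER'
)

foreach ($dc in (Get-ADDomainController -Filter *)) {
    $sysvol = "\\$($dc.HostName)\SYSVOL"
    Write-Host "Checking $sysvol"

    # 1. Files carrying the ransomware extension or the progress-tracking file name.
    Get-ChildItem -Path $sysvol -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Extension -ieq $IndicatorExtension -or $_.Name -ieq $IndicatorFileName
        } |
        ForEach-Object {
            Write-Warning ("Indicator on {0}: {1} (last modified {2})" -f
                $dc.HostName, $_.FullName, $_.LastWriteTime)
        }

    # 2. Allow ACEs on the share root that grant write/modify/full control to
    #    anyone not in the expected set. Because SYSVOL replicates, a single
    #    over-permissive ACE or planted file reaches every site.
    $acl = Get-Acl -Path $sysvol
    foreach ($ace in $acl.Access) {
        $rights   = $ace.FileSystemRights.ToString()
        $canWrite = $rights -match 'Write|Modify|FullControl'
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $ExpectedWriters -notcontains $ace.IdentityReference.Value) {
            Write-Warning ("Unexpected write access on {0}: {1} has {2}" -f
                $sysvol, $ace.IdentityReference.Value, $rights)
        }
    }
}
```

Run it from a workstation with RSAT as a domain user who can read SYSVOL; the warnings are the review queue. Because SYSVOL is replicated, a hit on one controller should be expected on the others, so the per-controller timestamps are useful for working out where the file was first written.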

