Why Group Policy is a ransomware target and how to prevent cyberattacks

Group Policy is an extremely powerful capability built into Microsoft Active Directory (AD) that enables centralized management of IT users and computers.

Unfortunately, powerful technologies are like the Force in Star Wars (and duct tape!): They have a light side and a dark side. Group Policy is no exception. IT professionals rely on it every day to simplify administration, enable user productivity, and maintain strong security and regulatory compliance. But Group Policy is an equally useful tool for attackers — in fact, adversaries now regularly abuse it to exfiltrate sensitive data, deploy ransomware across a network at blazing speed, disrupt vital business processes, and more.

This article explores why Group Policy is a powerful tool for both defenders and adversaries. We’ll review exactly how it is being abused and why it is a core element in many modern attacks. Then we’ll detail the key elements of a defense-in-depth approach to thwarting cyber criminals who abuse the power of Group Policy for their malicious goals.

Recent attacks featuring Group Policy abuse

Just how pervasive is the threat of Group Policy abuse? Well, threat intelligence firm Mandiant developed a five-step playbook detailing how threat actors are actively conducting attacks bent on espionage and disruption — and an entire step is devoted to exploitation of Group Policy!

Here are just a few examples of recent cyberattacks in which Group Policy is abused, sometimes in multiple ways:

• SwiftSlicer — In January 2023, Ukraine’s national news agency was hit by SwiftSlicer, malware designed to wipe files and even bring down entire Windows domains. Group Policy was used to distribute the malware to computers across the network. The attack was attributed to the Russia-backed group Sandworm. In earlier attacks, Sandworm used the same technique of abusing Group Policy to plant other malware, such as HermeticWiper and CaddyWiper.
• BlackCat — The BlackCat gang offers ransomware as a service in exchange for a percentage of resulting payouts. In 2024, a successful attack on Change Healthcare resulted in the payment of a $22 million ransom to recover data.
• Mango Sandstorm (aka Mercury or Muddywater) — A 2023 attack by this ransomware gang began in the on-premises environment and expanded to the cloud, resulting in the destruction of server farms, storage accounts, virtual machines and virtual networks. Mango Sandstorm abused Group Policy in two ways: to impair the victim organization’s security controls so that they could stage the malware undetected, and to register the scheduled task that deployed the ransomware.
• Play — Since emerging in 2022, Play has conducted successful ransomware campaigns on both government and corporate victims. Examples include compromising 1.3 million records from Swiss government servers and detailed information on 200,000 individuals in Dallas County, Texas. In an alarming development, Play now seems to be collaborating with a North Korean state-sponsored threat group.
• UNC3810 — This threat group has conducted espionage and disruptive operations against Ukrainian entities to support Russia’s invasion of its neighbor. In one attack, UNC3810 used CADDYWIPER malware to wipe data from the systems of a Ukrainian government entity. Group Policy was abused both to spread the malware to all systems joined to the victim’s Active Directory domains and to create a scheduled task to execute it.

How Group Policy can be used for good…

Group Policy is a powerful and effective tool for managing IT environments. IT administrators typically create dozens or hundreds of Group Policy objects (GPOs). Each GPO is a collection of settings that can be linked to particular groups of users or computers.

For example, defenders often establish GPOs to:

• Lock an account after a specified number of failed logon attempts.
• Block unidentified users on remote computers from connecting to a network share.
• Give all business users a standard set of bookmarks.
• Restrict access to folders with sensitive data.
• Install the same software on all domain controllers (DCs).
• Disable the command prompt on users’ machines.
• Ensure Windows updates are applied promptly.
• Disable use of the weak NTLM v1 authentication protocol.

And how it can be abused

However, an attacker with sufficient permissions can literally reverse any of these controls set up by IT teams, resulting in GPOs that:

• Allow unlimited attempts to guess an account’s password.
• Allow unidentified users on remote computers from connecting to a network share.
• Replace users’ bookmarks with links to malicious sites.
• Allow access to folders with sensitive data.
• Install malicious software on all DCs.
• Enable the command prompt on users’ machines.
• Stop applying Windows updates.
• Enable use of the weak NTLM v1 authentication protocol.

Indeed, the possibilities for GPO abuse are nearly endless: Adversaries can (and do) create new GPOs and modify or delete existing GPOs to achieve their goals. In particular, they abuse Group Policy to:

• Move from one device or system to others.
• Gain increased access rights.
• Avoid detection.
• Distribute and execute malware.
• Cover their tracks.

One common technique is to use Group Policy in combination with the Windows Task Scheduler service, which enables a user to schedule an executable to run automatically at a specific time or when a specific event (such as logon) occurs. The executable can be run as either an AD user or SYSTEM, whichever is more expedient for the attacker’s current objective, such as lateral movement, privilege escalation, ransomware deployment or malware execution. Moreover, the activity will be virtually invisible because it runs as a legitimate user and the task will remove itself afterward.

Another strategy is to take advantage of the fact that many security solutions have a Group Policy interface. For example, some organizations use Group Policy to configure and manage certain Microsoft Defender Antivirus settings. By abusing Group Policy, an adversary can exclude certain files or folders from Microsoft Defender Antivirus scans so they can plant malicious files without being detected and blocked.

Why Group Policy is so vulnerable to abuse

A number of factors help make Group Policy a particularly useful tool for attackers. In particular, Group Policy is:

• Powerful — Group Policy offers literally thousands of settings, so GPOs can be used to control nearly everything in the IT environment, including privileged users like IT admins and powerful servers like domain controllers. Moreover, Group Policy operates under a very privileged process, NT Authority\SYSTEM, so all systems process GPOs; there are no firewalls or similar controls that can prevent that from happening. Accordingly, Group Policy provides a very direct path to expansive control of the environment, saving adversaries a great deal of effort.
• Complex — Because Group Policy is so useful, organizations often create hundreds of GPOs, comprising literally thousands of settings, which can conflict. To understand what policies are actually being applied to a particular user or computer, known as the Resultant Set of Policy (RSoP), IT pros need to understand intricacies like the linking of GPOs to OUs and other containers, precedence rules, and setting resolution — as well as which default behaviors have been overridden in particular cases. Microsoft does offer a snap-in for the Microsoft Management Console (MMC) that will show the effective Group Policy settings applied to a specific user or computer, but examining RSoP in this manner is simply not a scalable approach to Group Policy administration. As a result, many organizations have important security gaps in their Group Policy that they don’t know about.
• Ubiquitous — To minimize the work required to launch new attacks, ransomware gangs develop repeatable playbooks that exploit widely used technologies. Almost every organization today has Active Directory, and every Active Directory installation includes Group Policy; it is an integral feature that cannot be removed. Accordingly, adversaries can confidently build an attack strategy that involves abusing Group Policy.
• Readable by anyone — Group Policy is an open book; by design, every user can see not just the policies that exist, but also where they’re applied and who has access to them. That means a hacker who takes over any user account can see all that information, too. And since IT teams usually pick descriptive names for objects in Active Directory to simplify administration, attackers can easily find the information they need to direct and hone their attacks. Indeed, they even have an open-source tool called BloodHound to help with reconnaissance.
• Often neglected — All too often, Group Policy simply isn’t on an organization’s security strategy radar; it’s treated as a “set it and forget it” technology. Even organizations that perform regular penetration testing often have serious vulnerabilities in their Group Policy. Pen testers often avoid altering Group Policy because they lack the expertise to modify it and the confidence that they can put it back in order after testing is complete. As a result, their reports direct security teams to other areas, leaving Group Policy vulnerabilities ripe for abuse.
• Hard to monitor using native auditing — By default, native Group Policy auditing is not even enabled. Even when it is turned on, it limited information: Administrators can see that a GPO has been changed, but they cannot determine exactly what change was made. Plus, the details are fairly cryptic; for example, the GPO is identified by its GUID, which is not particularly useful. That’s particularly true now that experienced AD pros are retiring in droves and Microsoft has shelved many training tracks for on-prem technologies like Group Policy changes.
• Difficult (and soon to be impossible) to manage using native tools — The core Microsoft tool for administering GPOs is the Microsoft Group Policy Management Console (GPMC). Its administration model requires either granting excessive permissions to select administrators or passing instructions through multiple teams, which increases the risk of security issues and potentially devastating human errors. Remediation for some of these issues is possible using Microsoft Advanced Group Policy Management (AGPM), which provides basic change control and delegation features. Unfortunately, AGPM is part of the Microsoft Desktop Optimization Pack, which has reached end of life; mainstream support ended in 2018 and extended support will end in 2026.

Protecting your Group Policy to thwart cyberattacks

A good way to increase security around Group Policy is to take a defense-in-depth approach that includes the following key components.

Ensure effective management and monitoring of Group Policy.

As we have seen, effective Group Policy management and monitoring can dramatically enhance . A robust Group Policy administration solution should offer all of the following core capabilities:

• GPO cleanup and consolidation — Detailed reports on the current state of your Group Policy can cut through the complexity and provide a clear understanding of your GPOs so you can delete unneeded GPOs, merge redundant or conflicting settings, and reduce risk with a clean Group Policy free of hidden vulnerabilities.
• Administration workflows — Robust version control, approval workflows for changing or creating GPOs, and check-in and check-out processes for GPO editing help thwart adversaries who try to manipulate Group Policy during attacks.
• Secure delegation — Secure delegation eliminates the risks inherent in highly privileged administrative accounts that can manage all GPOs. If you can assign responsibility for specific policies to the right people and grant them a much more limited set of permissions, threat actors who compromise admin credentials are less able to do serious damage.
• Protected settings — It’s essential to be able to lock down critical settings so that they cannot be changed at all, whether accidentally by administrators or maliciously by adversaries.
• Detection and alerting — To catch threats in their early stages, it’s vital to monitor for changes to your GPOs and promptly notify the security team about unexpected and potentially dangerous modifications.
• Easy rollback — To thwart attacks, you need to be able to quickly revert an undesired setting change and jump back to a functional version of the GPO.

Identify, manage and audit all Tier 0 assets.

More broadly, it’s critical to know which GPOs apply to your most critical (Tier 0) assets, such as domain controllers and highly privileged groups like Domain Admins, and protect them appropriately. But most organizations do not even have a solid understanding of what Tier 0 assets they have.

For instance, it’s common for organizations to have a server that synchs the on-premises directory up to the Microsoft cloud. But instead of being kept in the same OU as domain controllers, it’s buried in some OU for generic servers OU. As a result, it has GPOs applied to it that are not in keeping with its level of sensitivity. It’s also exceedingly common for all authenticated users to have rights over at least some GPOs.

Simplify Active Directory GPO management and governance

Secure your Windows infrastructure while supporting governance initiatives with GPOADmin.

Learn More

Accordingly, it’s vital to have a robust security solution that can accurately identify your Tier 0 assets, including critical GPOs. It should also monitor activity across the IT environment and automatically detect anomalies that could indicate a threat in progress, and speed incident response with detailed notifications and integration with SIEM tools.

Enable quick recovery.

Finally, you have to be prepared for disaster. Even if an attack does not target your Group Policy specifically, if Active Directory is wiped out, your GPOs get wiped out with it. Keep in mind that the average downtime due to ransomware is now 21 days — and the average cost of AD downtime is $730,000 per hour.

Simple backups of your data will not help you restore Active Directory and Group Policy; you need an enterprise-quality Active Directory backup and recovery solution that is fully GPO-aware. In addition, make sure the solution:

• Offers multiple recovery methods, including phased recovery, along with options like restoring AD to a clean operating system or a Microsoft Azure virtual machine
• Can scan servers for malware before they are used in recovery
• Provides air-gapped storage to keep backups safe from attackers and ransomware

Conclusion

Group Policy is an extremely powerful component of Active Directory — which makes it a common target of attackers. Given the opportunity, cyber criminals can abuse GPOs to expand the scope of their powers through lateral movement and privilege escalation, deploy and execute malware, and avoid detection and cover their tracks. However, by following Group Policy management best practices and implementing a defense-in-depth approach, organizations can dramatically improve their cybersecurity and cyber resilience.