Affiliates of the LockBit ransomware employ an intriguing ploy to persuade individuals into letting the malware infect their devices: they disguise the infection as a copyright claim. The senders of these emails accuse the recipients of using media files without permission and issue a copyright infringement warning. The emails threaten legal action against the recipient unless the infringing material is taken down from their websites.
The emails, which were discovered by AhnLab analysts in Korea, do not specify in the body which files were improperly used; instead, they instruct the recipient to download and open the attached file to view the infringing material. The attachment is a password-protected ZIP archive with a compressed file inside it. That compressed file in turn contains an executable that looks like a PDF document but is actually an NSIS installer.
This nesting and password protection were used to evade email security scanners. If the user runs the phony “PDF” to find out which photos are supposedly being used unlawfully, the malware executes and encrypts the device with the LockBit 2.0 ransomware. The use of copyright violation allegations is intriguing, but it is neither new nor exclusive to LockBit affiliates; several malware distribution campaigns make use of the same trick.
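A mail-gateway or sandbox check for the attachment layout described above (outer ZIP, nested archive, executable posing as a document, NSIS installer) can be written as a small recursive archive inspector. The following is an added example, not code from the AhnLab report or from any security product it mentions. All sample archives are constructed in memory; the file names, the `NullsoftInst` header string used as an NSIS heuristic, and the severity thresholds are assumptions for illustration. The standard-library `zipfile` writer cannot produce encrypted archives, so the constructed sample is unencrypted; the encryption check only reads the ZIP general-purpose flag bit, which is exactly what a scanner sees on a real password-protected lure before it gives up on the contents.

```python
import io
import zipfile

# Heuristic markers (assumed for this example).
PE_MAGIC = b"MZ"                # DOS/PE executable header
NSIS_MARKER = b"NullsoftInst"   # string present in NSIS-built installer headers
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".jpg", ".png")
ARCHIVE_EXTENSIONS = (".zip",)
ENCRYPTED_FLAG = 0x1            # ZIP general-purpose bit 0: member is encrypted


def analyse_archive(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return (severity, message) findings for a ZIP blob, recursing into nested ZIPs."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("info", f"depth {depth}: not a valid ZIP archive")]
    for info in zf.infolist():
        name = info.filename
        lower = name.lower()
        if info.flag_bits & ENCRYPTED_FLAG:
            # Password-protected member: the scanner cannot read it, which is why
            # lures ship the password in the mail body instead of in the archive.
            findings.append(("medium", f"depth {depth}: '{name}' is password-protected; contents not inspectable"))
            continue
        if info.is_dir():
            continue
        content = zf.read(name)
        if lower.endswith(ARCHIVE_EXTENSIONS):
            findings.append(("medium", f"depth {depth}: nested archive '{name}'"))
            if depth < max_depth:
                findings.extend(analyse_archive(content, depth + 1, max_depth))
            continue
        is_pe = content.startswith(PE_MAGIC)
        # "evidence.pdf.exe" -> stem "evidence.pdf"; catches double extensions and
        # a plain ".pdf" name whose bytes are really a PE image.
        stem = lower.rsplit(".", 1)[0] if "." in lower else lower
        looks_like_doc = lower.endswith(DOC_EXTENSIONS) or stem.endswith(DOC_EXTENSIONS)
        if is_pe and looks_like_doc:
            findings.append(("high", f"depth {depth}: '{name}' is a PE executable masquerading as a document"))
        elif is_pe:
            findings.append(("medium", f"depth {depth}: '{name}' is a PE executable"))
        if NSIS_MARKER in content:
            findings.append(("high", f"depth {depth}: '{name}' carries an NSIS installer marker"))
    return findings


def verdict(findings: list) -> str:
    """Collapse findings into a gateway decision."""
    severities = {sev for sev, _ in findings}
    if "high" in severities:
        return "block"
    if "medium" in severities:
        return "review"
    return "allow"


def build_sample_lure() -> bytes:
    """Constructed sample: outer ZIP -> inner ZIP -> fake 'PDF' that is a PE with an NSIS marker."""
    fake_installer = PE_MAGIC + b"\x90" * 64 + NSIS_MARKER + b"\x00" * 32
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Copyright_Evidence.pdf.exe", fake_installer)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("infringing_files.zip", inner.getvalue())
    return outer.getvalue()


def build_sample_benign() -> bytes:
    """Constructed sample: a ZIP holding an actual (placeholder) PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("takedown_notice.pdf", b"%PDF-1.4\n% constructed placeholder document\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_sample_lure()), ("benign", build_sample_benign())):
        results = analyse_archive(blob)
        print(f"{label}: {verdict(results)}")
        for sev, msg in results:
            print(f"  [{sev}] {msg}")
```

The inspector deliberately treats an encrypted member as a finding rather than silently skipping it: an archive the gateway cannot open is itself a signal in this campaign, and the sensible response is to hold the message for review rather than deliver it on the assumption that nothing was found.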
Further investigation revealed that many of these emails were distributing BazarLoader or the Bumblebee malware loader. Opening one of those files on your computer can lead to a swift and devastating attack, because Bumblebee is used to deliver second-stage payloads such as ransomware. Publishers of content should take copyright claims seriously. Still, if the claim is convoluted and asks you to open attached files to see the specifics of the violation, it is unlikely to be a legitimate takedown notice.
LockBit 2.0 was responsible for 40% of the 236 ransomware attacks detected in the month, according to NCC Group’s recently released “Threat Pulse” report for May 2022. The notorious ransomware operation claimed a staggering 95 victims in May, compared to a combined 65 for Conti, BlackBasta, Hive, and BlackCat. This continues the pattern identified by Intel 471, which ranked LockBit 2.0 as the most successful ransomware operation in the fourth quarter of 2021, and further cements the group’s status as one of the most pervasive threats.