LockBit ransomware

Fake copyright emails install LockBit ransomware – BleepingComputer

LockBit ransomware affiliates are using an interesting trick to get people to infect their own devices: disguising their malware as copyright claims.

Recipients of these emails are warned of a copyright infringement because they allegedly used media files without a license. The emails demand that recipients remove the copyrighted content from their websites or face legal action.

The emails, spotted by analysts at AhnLab, Korea, do not specify in the body which files were used unfairly. Instead, they tell the recipient to download and open the attached file to see the details of the violation.

Phishing email used in the Korean campaign (ASEC)

The attachment is a password-protected ZIP archive that contains a compressed file, which in turn contains an executable disguised as a PDF document that is in reality an NSIS installer.

The reason for this wrapping and password protection is to avoid detection by email security tools.

If the victim opens the alleged “PDF” to find out which images are being used illegally, the malware will load and encrypt the device with LockBit 2.0 ransomware.
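A defender-side triage of this attachment structure, as an added example that is not from the original article or from AhnLab's analysis: it lists a ZIP's members without needing the password and flags encrypted entries, nested archives, and executables with document-like names. The extension lists, the size limit and the sample file names are assumptions chosen for illustration.

```python
import io
import zipfile

# Assumed extension lists for illustration; tune them to your mail policy.
ARCHIVE_EXT = (".zip", ".7z", ".rar", ".gz")
EXEC_EXT = (".exe", ".scr", ".com", ".pif")
DOC_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx")
MAX_BYTES = 50 * 1024 * 1024  # skip oversized members (zip-bomb guard)

def triage_zip(data, depth=0, max_depth=3):
    """Return findings for a ZIP attachment given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            encrypted = bool(info.flag_bits & 0x1)  # bit 0 = encrypted member
            if encrypted:
                findings.append(f"encrypted-entry:{info.filename}")
            if name.endswith(EXEC_EXT):
                stem = name.rsplit(".", 1)[0]
                tag = "double-extension" if stem.endswith(DOC_EXT) else "executable"
                findings.append(f"{tag}:{info.filename}")
            if name.endswith(ARCHIVE_EXT):
                findings.append(f"nested-archive:{info.filename}")
            # In a standard password-protected ZIP the names stay readable; content does not.
            if encrypted or info.is_dir() or info.file_size > MAX_BYTES:
                continue
            body = zf.read(info)
            if body[:2] == b"MZ" and not name.endswith(EXEC_EXT):
                findings.append(f"pe-header-in-non-exe:{info.filename}")
            if body[:4] == b"PK\x03\x04" and depth < max_depth:
                try:
                    findings += triage_zip(body, depth + 1, max_depth)
                except zipfile.BadZipFile:
                    findings.append(f"malformed-inner-zip:{info.filename}")
    return findings

def build_sample():
    """Constructed sample: ZIP -> ZIP -> PE stubs with document-like names."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("infringing_images.pdf.exe", b"MZ" + b"\x00" * 62)
        z.writestr("notice.pdf", b"MZ" + b"\x00" * 62)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("details.zip", inner.getvalue())
    return outer.getvalue()
```

When the outer archive is encrypted, the inner members cannot be inspected, so the combination of an encrypted entry and a nested archive name is itself the signal to quarantine or detonate in a sandbox.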

Copyright claims and malware

While the use of copyright infringement claims is interesting, it is neither new nor exclusive to LockBit members, as many malware distribution campaigns use the same bait.

BleepingComputer recently received a number of emails of this type, which on further analysis we found to be distributing BazarLoader or the Bumblebee malware loader.

Phishing email using copyright infringement bait to distribute malware
Source: BleepingComputer

Bumblebee is used to deliver second-stage payloads, including ransomware, so opening one of these files on your computer can lead to quick and catastrophic attacks.

Copyright claims are a matter that content publishers should take seriously, but if the notice isn't straightforward and instead requires you to open attached files to see the details of the infringement, it is unlikely to be a genuine takedown notice.

LockBit on top

According to the NCC Group Pulse Threat Report for May 2022, released today, LockBit 2.0 accounted for 40% of all (236) ransomware attacks reported in the month.

Victims listed by each ransomware operation in May 2022 (NCC Group)

The infamous ransomware operation recorded an incredible 95 victims in May alone, while Conti, Black Basta, Hive and BlackCat together had 65.

This continues the trend seen by Intel 471, which put LockBit 2.0 at the top of the most prolific ransomware operations in the fourth quarter of 2021, and further cements the group as one of the most widespread threats.
