Affiliates of the LockBit ransomware operation are using a novel lure to get targets to infect their own devices: they disguise the malware as a copyright claim.
The emails accuse the recipient of using media files without the owner's permission and warn that legal action will follow unless the infringing content is removed from the recipient's website.
The emails, discovered by AhnLab analysts in Korea, do not name the allegedly misused files in the message body. Instead, they instruct the recipient to download and open the attached file to see the infringing content.
The attachment is a password-protected ZIP archive that contains a second compressed archive. Inside that is an executable disguised as a PDF document, which is in fact an NSIS installer.
The double wrapping and the password protection are there to evade email security scanners, which cannot inspect the contents of an encrypted archive.
If the user runs the fake "PDF" to find out which images they are supposedly using unlawfully, the installer drops and executes LockBit 2.0, which encrypts the device.
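A mail gateway or analyst can catch this delivery chain without ever running the payload, because a ZIP's entry names, sizes and encryption flags are readable even when the entry data is password-protected. The triage script below is an added example written for this article, not code from AhnLab, BleepingComputer or the LockBit affiliates. It walks an attachment looking for the three tells described above: an encrypted entry, an archive nested inside an archive, and an executable (PE "MZ" header or double extension such as `.pdf.exe`) posing as a document. The sample attachment it builds is constructed for the example; Python's zipfile module cannot write encrypted archives, so the constructed outer ZIP is not password-protected, but the encryption check is applied exactly as it would be on a real one.

```python
"""Static triage of a ZIP e-mail attachment for the
password-protected ZIP -> nested archive -> fake-PDF executable pattern.
Added example; the sample archive built below is constructed, not real malware."""
import io
import zipfile

ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".iso", ".img")
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png")
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi")
ENCRYPTED_FLAG = 0x1   # general-purpose bit 0 in the ZIP entry header
MAX_DEPTH = 3          # guard against zip bombs / endless nesting


def looks_like_pe(head: bytes) -> bool:
    """Windows executables, NSIS installers included, start with the 'MZ' DOS stub."""
    return head[:2] == b"MZ"


def triage_zip(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return a list of human-readable findings for a ZIP given as bytes.
    Never executes anything; only reads headers and the first two bytes of each entry."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP (e.g. a .rar/.7z we cannot open here)

    for info in zf.infolist():
        if info.is_dir():
            continue
        path = prefix + info.filename
        name = info.filename.lower()
        encrypted = bool(info.flag_bits & ENCRYPTED_FLAG)
        if encrypted:
            # Name and size are still visible; scanners cannot see the content.
            findings.append(f"encrypted entry: {path}")

        if name.endswith(ARCHIVE_EXTS):
            findings.append(f"nested archive at depth {depth + 1}: {path}")
            if not encrypted and depth < MAX_DEPTH:
                findings.extend(triage_zip(zf.read(info), depth + 1, path + "/"))
            continue

        # Double extension: document-looking name with an executable type.
        parts = name.rsplit("/", 1)[-1].split(".")
        if len(parts) >= 3 and "." + parts[-1] in EXEC_EXTS and "." + parts[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension (document name, executable type): {path}")

        if not encrypted:
            with zf.open(info) as fh:
                head = fh.read(2)
            if looks_like_pe(head) and not name.endswith(EXEC_EXTS):
                findings.append(f"PE header under non-executable name: {path}")
            elif looks_like_pe(head):
                findings.append(f"executable payload: {path}")
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample mimicking the reported chain (harmless bytes, not a real installer)."""
    fake_installer = b"MZ" + b"\x00" * 62 + b"NullsoftInst" + b"\x00" * 64
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Copyright_Infringing_Files.pdf.exe", fake_installer)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Copyright_Claim_Evidence.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for line in triage_zip(build_sample_attachment()):
        print(line)
```

Any one of these findings on an attachment that arrived with a "copyright infringement" subject line is enough to quarantine it; an encrypted entry whose name ends in an archive extension is the exact shape of the lure above and should never reach a user's inbox.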
Malware and claims of ownership
The copyright-infringement lure is effective, but it is neither new nor exclusive to LockBit affiliates; other malware distribution campaigns use the same trick.
BleepingComputer has recently received this kind of email in large quantities, and on closer inspection we found that the attachments were distributing the BazarLoader or Bumblebee malware loaders.
Opening one of those files executes Bumblebee, a loader used to deliver second-stage payloads including ransomware, which can lead to a rapid and destructive compromise.
Content publishers should take copyright claims seriously, but a notice that gives no specifics and instead asks you to open an attached file to see the details of the violation is unlikely to be a legitimate takedown request.
Top-level LockBit
NCC Group's "Threat Pulse" report for May 2022, released today, states that LockBit 2.0 was responsible for 40% of the 236 ransomware attacks recorded that month.
The ransomware operation claimed 95 victims in May alone, compared to a combined 65 for Conti, BlackBasta, Hive, and BlackCat.
This continues the pattern identified by Intel 471, which ranked LockBit 2.0 as the most prolific ransomware operation in the fourth quarter of 2021, and further cements the group's status as one of the most pervasive threats.