LockBit Ransomware Being Distributed Using Resume and Copyright-related Emails
The ASEC analysis team has recently discovered ransomware being distributed through emails disguised as resumes or copyright infringement claims. Malicious emails with this kind of content have been circulating steadily for some time. Unlike the earlier campaigns, which delivered Makop ransomware, the current cases deliver LockBit.
- Makop Ransomware Distributed As Copyright Violation Related Materials
- Makop Ransomware Disguised as Resume Being Distributed in Korea
The emails confirmed to distribute the malware carry password-protected compressed attachments.

Figure 1. Distributed email 1

Figure 2. Distributed email 2
As shown in Figure 1, the compressed file that is attached to the email has two files: ‘You have violated copyright laws and here is the summary of violations.jpg’ and ‘Outline on the original image (the image I created) and the image you are currently using.exe’.

Figure 3. Compressed file
When the archive is decompressed, 'Outline on the original image (the image I created) and the image you are currently using.exe' carries the Microsoft Word icon to pass itself off as a Word document. The .jpg file is in fact a normal executable whose extension has been changed to .jpg, so opening it does not display an image.

Figure 4. Files found upon decompression
When users run 'Outline on the original image (the image I created) and the image you are currently using.exe', which is in fact LockBit ransomware, their files are encrypted. As in the previous cases, the file is an NSIS (Nullsoft Scriptable Install System) installer. Its properties are as follows:

Figure 5. Properties of exe file
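Because both attachments lie about what they are (an executable with a Word icon, and an executable renamed to .jpg), the practical triage check is to classify each decompressed file by its content rather than its name. The script below is an added example, not code from the ASEC post: it identifies PE executables by their MZ header, recognises NSIS-built installers by the "NullsoftInst" first-header signature, and flags extensions that contradict the content. The byte blobs are constructed stand-ins, not the real samples.

```python
"""Triage of decompressed email attachments by content, not by name.
Added example; the byte blobs below are constructed, not real samples."""

# First-header signature present in every NSIS-built installer:
# the flag 0xDEADBEEF followed by the ASCII string "NullsoftInst".
NSIS_MARK = b"\xef\xbe\xad\xdeNullsoftInst"

IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}
DOCUMENT_EXTS = {"doc", "docx", "pdf", "hwp", "txt"}


def true_type(data: bytes) -> str:
    """Classify by magic bytes; an MZ header wins over whatever the name says."""
    if data[:2] == b"MZ":
        return "nsis-installer" if NSIS_MARK in data else "pe-executable"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Return what the file really is and why it is suspicious, if it is."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    kind = true_type(data)
    reasons = []
    if kind in ("pe-executable", "nsis-installer"):
        # An executable is suspicious in a "resume" or "copyright" mail
        # regardless of its name or icon.
        reasons.append("executable attachment")
        # Doubly so when the extension claims an image or a document,
        # which is exactly the renamed .jpg trick from the archive.
        if ext in IMAGE_EXTS | DOCUMENT_EXTS:
            reasons.append(f"extension .{ext} does not match content")
        if kind == "nsis-installer":
            reasons.append("packaged as an NSIS installer")
    return {"file": filename, "type": kind, "reasons": reasons}


# Constructed stand-ins for the two archive members plus one genuine image.
FAKE_NSIS_EXE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200 + NSIS_MARK
FAKE_RENAMED_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200
REAL_JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

SAMPLE_ARCHIVE = [
    ("Outline on the original image (the image I created) and the image "
     "you are currently using.exe", FAKE_NSIS_EXE),
    ("You have violated copyright laws and here is the summary of "
     "violations.jpg", FAKE_RENAMED_PE),
    ("genuine_photo.jpg", REAL_JPEG_HEADER),
]


def triage_archive(entries=SAMPLE_ARCHIVE):
    return [triage(name, data) for name, data in entries]


if __name__ == "__main__":
    for result in triage_archive():
        print(result["type"], result["reasons"], result["file"][:40])
```

The icon is deliberately not consulted: it is attacker-controlled resource data, whereas the MZ header and the NSIS signature are properties of the file that the lure cannot hide.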
Upon execution, the ransomware runs the commands below to delete the volume shadow copies and disable Windows recovery, so that files cannot be restored from local backups. It also registers a Run key in the registry so that it is launched again at every logon.
- vssadmin delete shadows /all /quiet
- wmic shadowcopy delete
- bcdedit /set {default} bootstatuspolicy ignoreallfailures
- bcdedit /set {default} recoveryenabled no

Figure 6. Data added to registry
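The four commands above, together with the Run-key write, are a compact pre-encryption signature that shows up in process-creation and registry telemetry before any file is touched. The script below is an added example, not code from the ASEC post: it expresses each command as a rule, runs the rules over constructed Sysmon-style records (Event ID 1 for process creation, Event ID 13 for registry value set), and combines the hits into a verdict. The events, the executable path and the Run value name "Update" are made up for illustration.

```python
"""Detection rules for the recovery-inhibition commands and Run-key
persistence, evaluated over constructed Sysmon-style records.
Added example; events and the Run value name are made up."""
import re

# One rule per command. Patterns tolerate an .exe suffix, extra arguments
# and mixed case, but a harmless "vssadmin list shadows" must not fire.
PROCESS_RULES = [
    ("vss_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]
INHIBITION_RULES = {name for name, _ in PROCESS_RULES}

# Run or RunOnce under HKLM or any HKU hive.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)

# Constructed events in the order the ransomware would produce them.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"EventID": 1, "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"EventID": 1, "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    # Benign administrative activity that must not alert.
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    # Run-key write pointing back at the dropped executable (constructed).
    {"EventID": 13, "Image": r"C:\Users\victim\Desktop\Outline.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "Details": r"C:\Users\victim\Desktop\Outline.exe"},
]


def evaluate(events):
    """Return (rule_name, evidence) for every event that matches a rule."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "")
            findings.extend((name, cmd) for name, rx in PROCESS_RULES if rx.search(cmd))
        elif ev["EventID"] == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            findings.append(("run_key_persistence", ev["TargetObject"]))
    return findings


def verdict(findings):
    """(distinct inhibition techniques, persistence seen, alert).
    Two or more inhibition commands plus a Run key written by a
    user-profile executable is a high-confidence ransomware precursor."""
    seen = {name for name, _ in findings}
    inhibition = len(seen & INHIBITION_RULES)
    persistence = "run_key_persistence" in seen
    return inhibition, persistence, (inhibition >= 2 and persistence)


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for name, evidence in hits:
        print(f"{name:32} {evidence}")
    print("verdict:", verdict(hits))
```

Alerting on the combination rather than on any single command keeps the rule quiet during legitimate backup maintenance, where one of these commands may appear on its own.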
It then terminates a number of services and processes, both so that document files they hold open can be encrypted and so that monitoring and analysis tools (Sysmon, Process Monitor, Process Explorer, Raccine) cannot detect or block it.
| sql, svc$, MSSQL, MSSQL$, CAARCUpdateSvc, vmware-usbarbitator64, vmware-converter, etc. |
Table 1. Terminated services
| winword.exe, QBDBMgr.exe, 360doctor.exe, Adobe Desktop Service.exe, Autorunsc64a.exe, Sysmon.exe, Sysmon64.exe, procexp64a, procexp64a.exe, procmon.exe, procmon64.exe, procmon64a, procmon64a.exe, Raccine_x86, etc. |
Table 2. Terminated processes
Encryption begins once these services and processes have been terminated. Drives of type DRIVE_REMOVABLE, DRIVE_FIXED, or DRIVE_RAMDISK are targeted. The file names, folder names, and extensions excluded from encryption are as follows:
| Restore-My-Files.txt, ntldr, bootsect.bak, autorun.inf, ntuser.dat.log |
Table 3. Files excluded from encryption
| system volume information, windows photo viewer, windowspowershell, internet explorer, windows security, windows defender, $recycle.bin, Mozilla, msbuild, appdata, windows, etc. |
Table 4. Folders excluded from encryption
| .mp4, .mp3, .reg, .ini, .idx, .cur, .drv, .sys, .ico, .lnk, .dll, .exe, .lock, .lockbit, .sqlite, .accdb, .lzma, .zipx, .7z, .db, etc. |
Table 5. Extensions excluded from encryption
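Tables 3 to 5 define the encryption scope, and the ordering of the checks matters: folder exclusions apply anywhere in the path, the whole-name list must be consulted before the extension list, and skipping .exe, .dll, .sys and .lockbit is what keeps the host bootable and avoids encrypting files twice. The script below is an added reconstruction of that target-selection logic, not the malware's own code; it uses only the entries shown in the tables (each ends in "etc."), treats only the three drive types named in the text as targets, and runs over a constructed drive table and file listing.

```python
"""Reconstruction of the target-selection logic: which drives and files
fall inside the encryption scope given the exclusion lists above.
Added example, not the malware's own code; drive table and paths are made up."""
from pathlib import PureWindowsPath

# Entries shown in Tables 3-5 (the tables are abbreviated with "etc.").
EXCLUDED_FILES = {"restore-my-files.txt", "ntldr", "bootsect.bak",
                  "autorun.inf", "ntuser.dat.log"}
EXCLUDED_FOLDERS = {"system volume information", "windows photo viewer",
                    "windowspowershell", "internet explorer", "windows security",
                    "windows defender", "$recycle.bin", "mozilla", "msbuild",
                    "appdata", "windows"}
EXCLUDED_EXTS = {".mp4", ".mp3", ".reg", ".ini", ".idx", ".cur", ".drv", ".sys",
                 ".ico", ".lnk", ".dll", ".exe", ".lock", ".lockbit", ".sqlite",
                 ".accdb", ".lzma", ".zipx", ".7z", ".db"}

# Win32 GetDriveType() return values; the text names three as targets.
DRIVE_REMOVABLE, DRIVE_FIXED, DRIVE_REMOTE, DRIVE_CDROM, DRIVE_RAMDISK = 2, 3, 4, 5, 6
TARGET_DRIVE_TYPES = {DRIVE_REMOVABLE, DRIVE_FIXED, DRIVE_RAMDISK}

# Constructed drive table standing in for a GetDriveTypeW() call per root.
SAMPLE_DRIVES = {"C:": DRIVE_FIXED, "D:": DRIVE_CDROM,
                 "E:": DRIVE_REMOVABLE, "Z:": DRIVE_REMOTE}


def would_encrypt(path_str, drives=SAMPLE_DRIVES):
    """True if the file is inside the encryption scope described above."""
    p = PureWindowsPath(path_str)
    if drives.get(p.drive.upper()) not in TARGET_DRIVE_TYPES:
        return False
    # Any excluded folder name anywhere in the path shields the file; this
    # is why Windows, AppData and $Recycle.Bin contents survive.
    if any(part.lower() in EXCLUDED_FOLDERS for part in p.parts[1:-1]):
        return False
    name = p.name.lower()
    # Whole-name check first: "ntuser.dat.log" would otherwise be judged
    # by its ".log" suffix alone.
    if name in EXCLUDED_FILES:
        return False
    # Skipping .exe/.dll/.sys keeps the host bootable so the note can be
    # read; skipping .lockbit avoids re-encrypting on a second run.
    if p.suffix.lower() in EXCLUDED_EXTS:
        return False
    return True


def select_targets(paths, drives=SAMPLE_DRIVES):
    return [p for p in paths if would_encrypt(p, drives)]


# Constructed file listing, not from a real infection.
SAMPLE_PATHS = [
    r"C:\Users\victim\Documents\contract.docx",
    r"C:\Users\victim\AppData\Roaming\settings.json",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\victim\Documents\Restore-My-Files.txt",
    r"C:\Users\victim\Documents\report.pdf.lockbit",
    r"C:\Users\victim\ntuser.dat.log",
    r"C:\Users\victim\Desktop\backup.7z",
    r"E:\photos\holiday.jpg",
    r"D:\movies\film.mkv",
    r"Z:\share\budget.xlsx",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print("ENCRYPT" if would_encrypt(path) else "skip   ", path)
```

Run against the constructed listing, only the user document on the fixed drive and the photo on the removable drive are in scope; everything under an excluded folder, every excluded extension, the ransom note name and the files on the CD-ROM and network drives are left alone.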
Encrypted files receive the .lockbit extension and a distinctive icon, and a ransom note named 'Restore-My-Files.txt' is dropped.

Figure 7. Encrypted files

Figure 8. Ransom note
As shown above, ransomware disguised as resumes and copyright infringement claims has been distributed continuously for some time. Because such emails may cite the names of real illustrators, users can open the attachments without suspicion and should therefore exercise particular caution.
[File Detection]
- Ransomware/Win.MAKOP.C4971574
- Suspicious/Win.MalPe.X2132
[Behavior Detection]
- Ransom/MDP.Decoy.M1171

Figure 9. Detecting and blocking malicious behavior