LockBit Ransomware Being Distributed Using Resume and Copyright-related Emails

The ASEC analysis team has recently discovered ransomware that is being distributed emails after disguising itself as resumes or copyright-related claims. The malicious emails with such content have been steadily distributed from the past. Unlike previous emails that distributed Makop ransomware, current cases have LockBit instead.

The emails that are confirmed for the distribution of malware have compressed files with passwords.

Figure 1. Distributed email 1
Figure 2. Distributed email 2

As shown in Figure 1, the compressed file that is attached to the email has two files: ‘You have violated copyright laws and here is the summary of violations.jpg’ and ‘Outline on the original image (the image I created) and the image you are currently using.exe’.

Figure 3. Compressed file

When the file is decompressed, ‘Outline on the original image (the image I created) and the image you are currently using.exe’ shows you the file icon of Microsoft Word to disguise itself as a word document. The jpg file is actually a normal executable with its extension changed to .jpg, so clicking the file will not open an image.

Figure 4. Files found upon decompression

When users run the file ‘Outline on the original image (the image I created) and the image you are currently using.exe’ that is in fact LockBit ransomware, their files will get encrypted. Like previous cases, the file type is NSIS (Nullsoft Scriptable Install System). Its properties are as follows:

Figure 5. Properties of exe file

Upon execution, the ransomware runs the command shown below to delete the volume shadow copy to make it impossible to restore files. It also registers Run Key to registry to make itself run continuously.

  • vssadmin delete shadows /all /quiet
  • wmic shadowcopy delete
  • bcdedit /set {default} bootstatuspolicy ignoreallfailures
  • bcdedit /set {default} recoveryenabled no
Figure 6. Data added to registry

It then terminates multiple services and processes to encrypt document files that are open and avoid detection.

sql, svc$, MSSQL, MSSQL$, CAARCUpdateSvc, vmware-usbarbitator64, vmware-converter, etc.
Table 1. Terminated services

winword.exe, QBDBMgr.exe, 360doctor.exe, Adobe Desktop Service.exe, Autorunsc64a.exe, Sysmon.exe, Sysmon64.exe, procexp64a, procexp64a.exe, procmon.exe, procmon64.exe, procmon64a, procmon64a.exe, Raccine_x86, etc.
Table 2. Terminated processes

The encryption happens after certain services and processes are terminated. If the drive type is DRIVE_REMOVABLE, DRIVE_FIXED, or DRIVE_RAMDISK, it will also be encrypted. Extensions and name of folders files that are excluded from encryption are as follow:

Restore-My-Files.txt, ntldr, bootsect.bak, autorun.inf, ntuser.dat.log
Table 3. Files excluded from encryption

system volume information, windows photo viewer, windowspowershell, internet explorer, windows security, windows defender, $recycle.bin, Mozilla, msbuild, appdata, windows, etc.
Table 4. Folders excluded from encryption

.mp4, .mp3, .reg, .ini, .idx, .cur, .drv, .sys, .ico, .lnk, .dll, .exe, .lock, .lockbit, .sqlite, .accdb, .lzma, .zipx, .7z, .db, etc.
Table 5. Extensions excluded from encryption

Encrypted files have an extension named .lockbit and a certain icon. Also, a ransom note named ‘Restore-My-Files.txt’ is created.

Figure 7. Encrypted files
Figure 8. Ransom note

As shown above, the distribution of ransomware disguised as resumes and copyright-related claims has been continually done from the past. Because emails distributing such malware type may include names of actual illustrators, users may run attached files without realizing. Hence they should take extreme caution.

[File Detection]

  • Ransomware/Win.MAKOP.C4971574
  • Suspicious/Win.MalPe.X2132

[Behavior Detection]

  • Ransom/MDP.Decoy.M1171
Figure 9. Detecting and blocking malicious behavior

[IOC Info]

  • 3ffea798602155f8394e5fb3c7f4a495 (eml)
  • 4b77923447b9a1867080e3abe857e5bd (exe)

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

0 0 votes
Article Rating
guest
2 Comments
Inline Feedbacks
View all comments
trackback

[…] LockBit Ransomware Being Distributed Using Resume and Copyright-related Emails […]

trackback

[…] The campaign reported by ASEC researchers last week possesses similar characteristics to another campaign from February 2022 that also delivered LockBit ransomware. A Makop campaign also used the theme in […]