The ASEC analysis team has recently discovered ransomware being distributed through emails disguised as resumes or copyright-related claims. Malicious emails with such content have been distributed steadily for some time. Unlike the previous emails, which distributed Makop ransomware, the current cases deliver LockBit instead.
- Makop Ransomware Distributed As Copyright Violation Related Materials
- Makop Ransomware Disguised as Resume Being Distributed in Korea
The emails confirmed to distribute the malware carry password-protected compressed files.


As shown in Figure 1, the compressed file attached to the email contains two files: ‘You have violated copyright laws and here is the summary of violations.jpg’ and ‘Outline on the original image (the image I created) and the image you are currently using.exe’.

When the archive is decompressed, ‘Outline on the original image (the image I created) and the image you are currently using.exe’ displays the Microsoft Word file icon to disguise itself as a Word document. The jpg file is actually a normal executable with its extension changed to .jpg, so clicking it will not open an image.

When users run the file ‘Outline on the original image (the image I created) and the image you are currently using.exe’, which is in fact LockBit ransomware, their files get encrypted. Like previous cases, the file type is NSIS (Nullsoft Scriptable Install System). Its properties are as follows:

Upon execution, the ransomware runs the commands shown below to delete the volume shadow copies so that files cannot be restored. It also registers a Run key in the registry so that it is executed persistently.
- vssadmin delete shadows /all /quiet
- wmic shadowcopy delete
- bcdedit /set {default} bootstatuspolicy ignoreallfailures
- bcdedit /set {default} recoveryenabled no
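The four recovery-inhibiting commands above are a reliable detection point for defenders. The following is an added example (not code from the original post or from ASEC) that turns them into regex rules and runs them over a few constructed process-creation log lines in a simple key=value format; the field names, the log format and the parent path are assumptions, and an alert is raised only when one parent process triggers several of the rules, which cuts down on noise from a lone administrative vssadmin call.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Recovery-inhibiting commands listed in the report, expressed as regexes (constructed here).
RECOVERY_INHIBIT_RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "bcdedit_ignoreallfailures": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
    "bcdedit_recoveryenabled_no": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value process-creation record (assumed format, not a real Sysmon parser)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def match_rules(cmd: str) -> List[str]:
    """Return the names of every rule that matches the command line."""
    return [name for name, rx in RECOVERY_INHIBIT_RULES.items() if rx.search(cmd)]


def detect_recovery_inhibition(log: str, min_rules: int = 2) -> Dict[str, List[str]]:
    """Group rule hits by parent image; report parents that trigger at least min_rules distinct rules."""
    hits = defaultdict(set)
    for line in log.splitlines():
        ev = parse_event(line)
        for name in match_rules(ev.get("cmd", "")):
            hits[ev.get("parent", "?")].add(name)
    return {parent: sorted(names) for parent, names in hits.items() if len(names) >= min_rules}


# Constructed sample: all four commands spawned by one parent, plus a benign 'vssadmin list shadows'.
SAMPLE_LOG = """\
ts=2022-02-24T09:12:01Z image=C:\\Windows\\System32\\vssadmin.exe parent=C:\\Users\\u\\Downloads\\Outline.exe cmd="vssadmin delete shadows /all /quiet"
ts=2022-02-24T09:12:01Z image=C:\\Windows\\System32\\wbem\\WMIC.exe parent=C:\\Users\\u\\Downloads\\Outline.exe cmd="wmic shadowcopy delete"
ts=2022-02-24T09:12:02Z image=C:\\Windows\\System32\\bcdedit.exe parent=C:\\Users\\u\\Downloads\\Outline.exe cmd="bcdedit /set {default} bootstatuspolicy ignoreallfailures"
ts=2022-02-24T09:12:02Z image=C:\\Windows\\System32\\bcdedit.exe parent=C:\\Users\\u\\Downloads\\Outline.exe cmd="bcdedit /set {default} recoveryenabled no"
ts=2022-02-24T09:30:00Z image=C:\\Windows\\System32\\vssadmin.exe parent=C:\\Windows\\System32\\cmd.exe cmd="vssadmin list shadows"
"""

if __name__ == "__main__":
    for parent, rules in detect_recovery_inhibition(SAMPLE_LOG).items():
        print(f"ALERT parent={parent} rules={rules}")
```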

It then terminates multiple services and processes, both so that document files currently open can be encrypted and to avoid detection.
| Type | Names |
| --- | --- |
| Services | sql, svc$, MSSQL, MSSQL$, CAARCUpdateSvc, vmware-usbarbitator64, vmware-converter, etc. |
| Processes | winword.exe, QBDBMgr.exe, 360doctor.exe, Adobe Desktop Service.exe, Autorunsc64a.exe, Sysmon.exe, Sysmon64.exe, procexp64a, procexp64a.exe, procmon.exe, procmon64.exe, procmon64a, procmon64a.exe, Raccine_x86, etc. |
Encryption begins after those services and processes are terminated. Drives of type DRIVE_REMOVABLE, DRIVE_FIXED, or DRIVE_RAMDISK are also encrypted. The file names, folder names, and extensions excluded from encryption are as follows:
| Excluded | Names |
| --- | --- |
| Files | Restore-My-Files.txt, ntldr, bootsect.bak, autorun.inf, ntuser.dat.log |
| Folders | system volume information, windows photo viewer, windowspowershell, internet explorer, windows security, windows defender, $recycle.bin, Mozilla, msbuild, appdata, windows, etc. |
| Extensions | .mp4, .mp3, .reg, .ini, .idx, .cur, .drv, .sys, .ico, .lnk, .dll, .exe, .lock, .lockbit, .sqlite, .accdb, .lzma, .zipx, .7z, .db, etc. |
Encrypted files are given the .lockbit extension and a specific icon, and a ransom note named ‘Restore-My-Files.txt’ is created.


As shown above, ransomware disguised as resumes and copyright-related claims has been distributed continually for some time. Because emails distributing this type of malware may include the names of actual illustrators, users may run the attached files without realizing it, so they should take extreme caution.
[File Detection]
- Ransomware/Win.MAKOP.C4971574
- Suspicious/Win.MalPe.X2132
[Behavior Detection]
- Ransom/MDP.Decoy.M1171

[IOC Info]
- 3ffea798602155f8394e5fb3c7f4a495 (eml)
- 4b77923447b9a1867080e3abe857e5bd (exe)
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.