LockBit Ransomware Disguised as Copyright Claim E-mail Being Distributed

The ASEC analysis team has once again discovered the distribution of LockBit ransomware using phishing e-mail, and disguising itself as copyright claims e-mail which was introduced in the previous blog. The filename of the attachment in e-mail had password included, which is similar to that of phishing e-mail distributed last February (see the link below).

Figure 1. E-mail details

As shown in Figure 2, the phishing e-mail has a compressed file as an attachment that contains another compressed file inside.

Figure 2. Inside the compressed file

Upon decompressing the file in the compressed file, an executable disguised using a PDF file icon is found.

Figure 3. Executable disguised as a PDF file

As shown in Figure 4, this file is confirmed to be a NSIS File. Looking into the nsi script detail, it decodes the data file ‘162809383’ and performs malicious behaviors through recursions and injections.

Figure 4. Inside the NSIS file



Figure 5. Part of nsi script

This ransomware prevents recovery by deleting volume shadow copy. Furthermore, to make sure the ransomware runs continuously, it registers Run Key to registry and drops LockBit_Ransomware.hta on the desktop to keep it running even after a desktop change or a reboot.

bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
Table 1. Execution command

Figure 6. Registry registered

It then terminates multiple services and processes to avoid detection of file infection behavior and analysis.

wrapper, vmware-converter, vmware-usbarbitator64, MSSQL, MSSQL$, sql and etc.
Table 2. Terminated services

winword.exe, QBDBMgr.exe, 360doctor.exe, Adobe Desktop Service.exe, Autorunsc64a.exe, Sysmon.exe, Sysmon64.exe, procexp64a, procexp64a.exe, procmon.exe, procmon64.exe, procmon64a, procmon64a.exe, Raccine_x86, ProcessHacker.exe and etc.
Table 3. Terminated processes

The encryption happens after certain services and processes are terminated. If the drive type is DRIVE_REMOVABLE, DRIVE_FIXED, or DRIVE_RAMDISK, it will also be encrypted. Extensions and name of folders or files that are excluded from encryption are as follows:

system volume information, windows photo viewer, windowspowershell, internet explorer, windows security, windows defender, $recycle.bin, Mozilla, msbuild, appdata, windows and etc.
Table 4. Folders excluded from encryption

.mp4 .mp3 .reg .ini .idx .cur .drv .sys .ico .lnk .dll .exe .lock .lockbit .sqlite .accdb .lzma .zipx .7z .db and etc.
Table 5. Extensions excluded from encryption

Encrypted files have an extension named .lockbit and a certain icon. Also, a ransom note named ‘Restore-My-Files.txt’ is created in the encrypted folder.

Figure 7. Ransom note

Figure 8. When infected by ransomware

As shown above, the distribution of ransomware disguised as copyright-related claims has been continually done in the past. Because emails distributing such malware types may include names of actual illustrators, users may run attached files without realizing it. Hence they should take extreme caution.

[File Detection]

Malware/Gen.Reputation.C4312359

[Behavior Detection]

Malware/MDP.SystemManipulation.M1751

Figure 9. Behavior block

[IOC Info]

  • 3a05e519067bea559491f6347dd6d296 (eml)
  • 74a53d9db6b2358d3e5fe3accf0cb738 (exe)

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

5 2 votes
Article Rating
guest

40 Comments
Inline Feedbacks
View all comments
trackback

[…] E-Mails, entdeckt von Analysten bei AhnLabKorea, nicht feststellen, welche Dateien unlauter im Text verwendet wurden, und stattdessen den […]

trackback

[…] correos electrónicos, detectados por analistas en AhnLabCorea, no determine qué archivos se usaron injustamente en el cuerpo y, en su lugar, dígale al […]

trackback

[…] emails, spotted by analysts at AhnLab, Korea, do not determine which files were unfairly used in the body and instead tell the recipient […]

trackback

[…] emails were from AhnLab (via bleeding computer) discovers and informs the operator that allegedly copyrighted content is […]

trackback

[…] infringement. Site operators usually have to follow up on such reports. The emails were from AhnLab (through bleeping computer) discovers and informs the operator that alleged copyrighted content is […]

trackback

[…] emails, spotted by analysts at AhnLab, Korea, do not determine which files were unfairly used in the body and instead tell the recipient […]

trackback

[…] emails, spotted by analysts at AhnLab, Korea, do not determine which files were unfairly used in the body and instead tell the recipient […]

trackback

[…] emails, noticed by analysts at AhnLab, Korea, don’t decide which recordsdata have been unfairly used within the physique and as a […]

trackback

[…] emails, spotted by analysts at AhnLab, Korea, do not determine which files were unfairly used in the body and instead tell the recipient […]

trackback

[…] researchers at South Korean security firm, AhnLab identified the emails, but they were unable to determine which files were being unfairly […]

trackback

[…] researchers at South Korean security firm, AhnLab identified the emails, but they were unable to determine which files were being unfairly […]

trackback

[…] ways of tricking victims into clicking on email attachments that hide malware. One of the latest was discovered by researchers at a South Korean firm called ASEC. A victim received an email alleging their firm has violated another company’s copyright. The […]

trackback

[…] researchers at South Korean safety firm, AhnLab recognized the emails, however they have been unable to find out which recordsdata have […]

trackback

[…] spotted by analysts at AhnLabKorea, do not specify which files have been unfairly used in the body and instead tell the recipient […]

trackback

[…] researchers at South Korean safety agency, AhnLab recognized the emails, however they had been unable to find out which recordsdata had been […]

trackback

[…] ways of tricking victims into clicking on email attachments that hide malware. One of the latest was discovered by researchers at a South Korean firm called ASEC. A victim received an email alleging their firm has violated another company’s copyright. The […]

trackback

[…] ways of tricking victims into clicking on email attachments that hide malware. One of the latest was discovered by researchers at a South Korean firm called ASEC. A victim received an email alleging their firm has violated another company’s copyright. The […]

trackback

[…] Security Emergency Response Center (ASEC) has collected evidence of emails sent to companies with a password-protected compressed file attached, within which lies […]

trackback

[…] emails, spotted by analysts at AhnLab, Korea, do not determine which files were unfairly used in the body and instead tell the recipient […]

trackback

[…] cyber security analysts at AhnLab were the first to reveal the fake emails launched by the LockBit ransomware hacking group. […]

trackback

[…] Security Emergency response Center (ASEC) researchers reported the technical details of an ongoing phishing campaign that uses malicious files disguised as copyright claim documents to deliver the LockBit ransomware. […]

trackback

[…] to a blog post (opens in new tab) from the antivirus company AhnLab which first discovered the campaign, the emails themselves […]

trackback

[…] Blog yazısı (yeni sekmede açılır) itibaren antivirüs Kampanyayı ilk keşfeden AhnLab şirketi için, e-postaların kendileri, hangi […]

trackback

[…] researchers at South Korean security firm, AhnLab identified the emails, but they were unable to determine which files were being unfairly […]

trackback

[…] to a blog post (opens in new tab) from the antivirus company AhnLab which first discovered the campaign, the emails themselves […]

trackback

[…] researchers at South Korean security firm, AhnLab identified the emails, but they were unable to determine which files were being unfairly […]

trackback

[…] South Korean cybersecurity agency AhnLab reported final week that the LockBit ransomware has been distributed by way of malicious emails claiming to ship copyright claims. […]

trackback

[…] South Korean cybersecurity firm AhnLab reported last week that the LockBit ransomware has been distributed via malicious emails claiming to deliver copyright claims. […]

trackback

[…] Security Emergency Response Center (ASEC) has collected evidence of e-mails sent to companies with a password-protected compressed file attached, within which lies […]

trackback

[…] Lockbit Ransomware Disguised as Copyright Claim E-mail Being Distributed […]

trackback

[…] Lockbit Ransomware Disguised as Copyright Claim E-mail Being Distributed […]

trackback

[…] emails, spotted by analysts at AhnLab, Korea, do not determine which files were unfairly used in the body and instead tell the recipient […]

trackback

[…] อ้างอิง2: https://asec.ahnlab.com/en/35822/  […]

trackback

[…] Fake copyright infringement emails install LockBit ransomware […]

trackback

[…] researchers at South Korean security firm, AhnLab identified the emails, but they were unable to determine which files were being unfairly […]

trackback

[…] and before that attempting to install the IceID information-stealing trojan. But according to security researchers at South Korean security vendor AhnLab, it’s LockBit ransomware’s […]

trackback

[…] The June 2022 LockBit Campaign […]

trackback

[…] LockBit Ransomware Disguised as Copyright Claim E-mail Being Distributed (Posted in June 2022) […]