Posted By jcleebobgatenet , November 28, 2022

LockBit Ransomware Being Mass-distributed With Similar Filenames

The ASEC analysis team had written about LockBit ransomware being distributed through emails over three blog posts. Through consistent monitoring, we hereby let you know that LockBit 2.0 and LockBit 3.0 are being distributed again with only a change to their filenames. Unlike the previous cases introduced in the blog where Word files or copyright claim emails were used, the recent versions are being distributed through phishing mails disguised as job applications.

LockBit Ransomware Being Distributed Using Resume and Copyright-related Emails (February 2022)
LockBit Ransomware Disguised as Copyright Claim E-mail Being Distributed (June 2022)
NSIS Type LockBit 3.0 Ransomware Disguised as Job Application Emails Being Distributed (September 2022)
LockBit 3.0 Ransomware Distributed via Word Documents (September 2022)

The compressed file attached to phishing mails is in the format of [Person’s name].zip and contains an additional compressed file inside. The additional compressed file contains LockBit 2.0 disguised as an image file and a normal Excel file. The filename of the distributed ransomware is “(Special character)Resume_221112(I’ll show that I’m a hard worker).exe”. Filenames of LockBit 2.0 ransomware collected and identified through AhnLab’s infrastructure are as follows.

%Resume_221112(I’ll show that I’m a hard worker).exe
&Resume_221112(I’ll show that I’m a hard worker).exe
#1_Resume_221112(I’ll show that I’m a hard worker).exe
$Resume_221112(I’ll show that I’m a hard worker).exe
_Resume_221112(I’ll show that I’m a hard worker).exe
^Resume_221112(I’ll show that I’m a hard worker).exe
@Resume_221112(I’ll show that I’m a hard worker).exe
-Resume_221112(I’ll show that I’m a hard worker).exe
+Resume_221112(I’ll show that I’m a hard worker).exe
‘Resume_221112(I’ll show that I’m a hard worker).exe
2.Resume_221112(I’ll show that I’m a hard worker).exe
;Resume_221112(I’ll show that I’m a hard worker).exe
[Resume_221112(I’ll show that I’m a hard worker).exe

Figure 1. Inside the compressed file

Figure 2. Inside the decompressed folder

Although the V3 Zip file screen shows an EXE executable file icon, the actual folder contains an executable disguised as an image file. When the ransomware is executed, encryption occurs using the format, [Original filename].lockbit, and afterward, the infection screen is displayed with the ransom note, Restore-My-Fils.txt.

Figure 3. When infected with LockBit 2.0

The distribution method of LockBit 3.0 is the same. The collected ransomware was distributed with the filename of “(Special character)Resume_201116(Experience details are included Thank you).exe”. The following shows the types of LockBit 3.0 filenames collected through AhnLab’s infrastructure.

#Resume_201116(Experience details are included Thank you).exe
$Resume_201116(Experience details are included Thank you).exe
%Resume_201116(Experience details are included Thank you).exe
&Resume_201116(Experience details are included Thank you).exe
_Resume_201116(Experience details are included Thank you).exe

LockBit 3.0 is being distributed disguised as HWP files and it is deemed that the partial variations to the filename as shown above are made for mass distribution.

Figure 4. Properties of LockBit 3.0

When the ransomware is executed, encryption is carried out using the filename, [Original File Name].YQ85HpV1.

Figure 5. When infected with LockBit 3.0

Recently, LockBit is being distributed in bulk without restrictions to versions and with similar filenames. Users must check the file extensions of document files, update applications and V3 to the latest version and be particularly cautious about opening files from unknown sources.

[File Detection]