LockBit ransomware operators are employing a unique strategy to lure victims into infecting their devices with malware by portraying it as copyright claims.
The ransomware hackers target victims by sending an email regarding a copyright violation for allegedly using media files without the creator’s license. It also urges the victim to remove the content from their websites immediately or face legal action.
The emails, identified by analysts at AhnLab in Korea, do not determine which files were inappropriately employed in the body of the text; rather, they instruct the receiver to download and open the attached file in order to view the infringing content.
The attachment is a ZIP file that has been encrypted with a password and contains a compressed file. The archive contains a compressed file, an executable file posing as a PDF document. The executable is an NSIS installer, loading the LockBit 2.0 ransomware which, in turn, encrypts all of the files on the endpoint.
As BleepingComputer reports, copyright claims are not exactly a novelty when it comes to distributing malware. Earlier this year, there had been “numerous” emails of this sort, distributing the likes of BazarLoader, or the Bumblebee malware loader.
Bumblebee is employed for deploying second-stage payloads, including ransomware, so opening one of those files on your computer may lead to rapid and disastrous assaults.
Copyright claims are a matter that publishers of content should take into serious consideration, but if the claim isn't straightforward but instead requests you to open attached files to view the violation details, it's improbable for it to be a genuine takedown notice.
LockBit 2.0 is by far the most widespread ransomware variant, security analysts from the NCC group have said. Allegedly, LockBit 2.0 accounted for 40% of all ransomware attacks that occurred in May this year. The notorious ransomware operation recorded a whopping 95 victims in May alone, whereas Conti, BlackBasta, Hive, and BlackCat collectively had 65.
To mitigate the risks, multi-factor authentication can be applied across the entire ecosystem in order to provide an additional layer of defense against cyber assaults. Those behind LockBit attacks have also been known to exploit stolen usernames and passwords, so if it's known that a password has been part of a data breach, it should be changed.
