LockBit ransomware is now masking itself as a copyright infringement notice.
Victims have complained about receiving malware-laden emails that spoof copyright claims.
The people who receive these emails are being warned about a possible breach of copyright for allegedly using media files without the permission of the original creator.
The recipients of these emails are threatened with legal action if they do not remove the content that is considered to be infringing from their websites.
LockBit Ransomware Recent Attack
Affiliates of the LockBit ransomware are employing a clever strategy to trick people into infecting their devices with malware by disguising it as copyright claims. This tactic can also be considered a form of social engineering.
The emails, which were discovered by researchers at ASEC AhnLab in Korea, do not identify in the body of the message which files were inappropriately used; rather, they instruct the recipient to download and open the attached file in order to view the infringing material.
Although the use of copyright infringement violation claims is interesting, LockBit ransomware is not the only malicious threat group to have used this type of tactic on their victims.
How LockBit Ransomware Operates
LockBit's newest ransomware tactic was first detected by ASEC researchers. It has been reported that the ransomware is delivered through a phishing email disguised as a copyright infringement notice.
According to ASEC, "The phishing e-mail has a compressed file as an attachment that contains another compressed file inside. Upon decompressing the file in the compressed file, an executable disguised using a PDF file icon is found."
This file has been identified as an NSIS file. A closer look at the details of the nsi script shows that it decodes the data file with the number "162809383" and carries out malicious behavior through recursion and code injection.
By removing the volume shadow copies, this ransomware makes data recovery impossible.
Additionally, to ensure that the ransomware runs steadily, it drops a file called LockBit Ransomware.hta on the desktop and registers a Run key in the registry. This ensures that the ransomware will continue to run even if the desktop is changed or the computer is rebooted.
After that, it kills multiple services and processes in order to prevent behavior detection and analysis of the file infections.
Along with its report, BleepingComputer stated, "Copyright claims are a matter that publishers of content should take into serious consideration, but if the claim isn't straightforward but instead requests you to open attached files to view the violation details, it's improbable for it to be a genuine takedown notice."
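The delivery chain ASEC describes (an attachment holding a second compressed file, which in turn holds an executable) can be checked at a mail gateway or triage script. The sketch below is an added example, not code from ASEC or the original article; it assumes ZIP archives (the page does not state the archive format), and the depth limit, size limit, and sample file names are constructed for illustration.

```python
import io
import zipfile

MAX_DEPTH = 4                         # assumption: stop descending after this many layers
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # assumption: skip members declaring more than this

def find_nested_executables(data, depth=0, path=""):
    """Return (member path, archive depth) for every PE file inside ZIP data."""
    hits = []
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Encrypted members (flag bit 0) cannot be inspected without a password.
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES or info.flag_bits & 0x1:
                continue
            member = zf.read(info)
            name = f"{path}/{info.filename}" if path else info.filename
            if member[:2] == b"MZ":   # DOS/PE header magic: content decides, not icon or name
                hits.append((name, depth + 1))
            else:
                hits.extend(find_nested_executables(member, depth + 1, name))
    return hits

def is_suspicious(data):
    """Flag attachments whose executable sits two or more archive layers deep."""
    return any(layer >= 2 for _, layer in find_nested_executables(data))

def _zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a harmless stub starting with the MZ magic, wrapped in two
# archive layers like the lure, and a benign attachment holding a real PDF header.
FAKE_PE = b"MZ" + b"\x00" * 62
LURE = _zip({"inner.zip": _zip({"material.exe": FAKE_PE})})
BENIGN = _zip({"notice.pdf": b"%PDF-1.7\n%constructed sample\n"})

if __name__ == "__main__":
    print(find_nested_executables(LURE))
    print(is_suspicious(LURE), is_suspicious(BENIGN))
```

Because the check reads the first bytes of each member rather than its extension, an executable given a PDF icon or a misleading name is still reported.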
What is LockBit Ransomware?
LockBit ransomware has been operational for the past few years and has breached numerous systems.
As reported by Kaspersky, the LockBit ransomware is a type of malicious software that works to block users' access to a device in exchange for a ransom payment.
Formerly known as the "ABCD" ransomware, it scans for valuable targets, spreads infection quickly across a network, and encrypts all accessible computer systems on the network.
The threat actors behind LockBit operate globally, engaging in extortion, data theft, illegal publication of information, and operation disruptions.
The actors have targeted businesses and organizations in different parts of the world, such as Ukraine, the United States, China, France, India, the UK, and many more.
According to the NCC Group's Threat Pulse report, LockBit 2.0 was responsible for 40% of the 236 ransomware attacks that were reported during the month.