Categories: InfoSec News Trending

Fake copyright infringement emails install LockBit ransomware

Published by
RiSec.Mitch

LockBit ransomware affiliates are using an interesting trick to get people into infecting their devices by disguising their malware as copyright claims.

The recipients of these emails are warned about a copyright violation, allegedly having used media files without the creator’s license. These emails demand that the recipient remove the infringing content from their websites, or they will face legal action, reports BleepingComputer Reports

The emails, spotted by analysts at AhnLab, Korea, do not determine which files were unfairly used in the body and instead tell the recipient to download and open the attached file to see the infringement content.

Phishing email used in Korean campaign (ASEC)

The attachment is a password-protected ZIP archive containing a compressed file, which in turn has an executable disguised as a PDF document, but in reality, is an NSIS installer.

The reason for this wrapping and password protection is to evade detection from email security tools.

If the victim opens the supposed “PDF” to learn what images are being used illegally, the malware will load and encrypt the device with the LockBit 2.0 ransomware.

Copyright claims and malware

While the use of copyright violation claims is interesting, it’s neither novel nor exclusive to LockBit members, as many malware distribution campaigns use the same lure.

BleepingComputer has recently received numerous emails of this sort, which upon further analysis, we discovered were distributing BazarLoader or the Bumblebee malware loader.

Phishing email using copyright violation lure to push malware
Source: BleepingComputer

Bumblebee is used for delivering second-stage payloads, including ransomware, so opening one of those files on your computer may lead to rapid and catastrophic attacks.

Copyright claims are a matter that publishers of content should take into serious consideration, but if the claim isn’t straightforward but instead requests you to open attached files to view the violation details, it’s improbable for it to be a genuine takedown notice.

LockBit at the top

According to NCC Group’s “Threat Pulse” report for May 2022, published today, LockBit 2.0 accounted for 40% of all (236) ransomware attacks reported in the month.

Victims listed by each ransomware operation in May 2022 (NCC Group)

The notorious ransomware operation recorded a whopping 95 victims in May alone, whereas Conti, BlackBasta, Hive, and BlackCat collectively had 65.

This continues the trend seen by Intel 471, which put LockBit 2.0 at the top of the most prolific ransomware operations in Q4 2021, and further cemented the group as one of the most widespread threats.

Suggest an edit to this article

Go to Cybersecurity Knowledge Base

Got to the Latest Cybersecurity News

Go to Cybersecurity Academy

Go to Homepage

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
Bookmark
Please login to bookmark Close
Social Comments Box
Share the word, let's increase Cybersecurity Awareness as we know it

This post was last modified on 27 June 2022 2:55 PM

RiSec.Mitch

Just your average information security researcher from Delaware US.

Leave a Comment
Published by
RiSec.Mitch
Tags: cybersecurity LockBit ransomware warning

Recent Posts

  • Data Breach News
  • InfoSec News

WH Smith Announces Cyber-Attack: Employee Data Stolen

British high street chain WH Smith has recently revealed that it was hit by a…

2 years ago
  • InfoSec News
  • World Affairs

Voice ID: How Secure is it Really?

As banks worldwide roll out Voice ID as a means of user authentication over the…

2 years ago
  • Cybersecurity Academy
  • InfoSec News

What distinguishes Application Security from API Security?

In the era of digital transformation, cybersecurity has become a major concern for businesses. When…

2 years ago
  • Cybersecurity Academy
  • InfoSec News

The Top 5 Cybersecurity threats facing Businesses Today

In today's digital age, cybersecurity threats have become a significant concern for businesses of all…

2 years ago
  • InfoSec News
  • World Affairs

Enterprise users infected by RIG Exploit Kit thanks to Internet Explorer

The RIG Exploit Kit is currently in the midst of its most productive phase, attempting…

2 years ago
  • Cybersecurity Academy

The Rise and Rise of AI

One of the most transformational technologies of our time, artificial intelligence (AI), has quickly come…

2 years ago