Fraudulent Copyright Themed Emails From LockBit Ransomware Identified

Industry: N/A | Level: Tactical | Source: ASEC

Research from ASEC analysis team identified LockBit ransomware infecting victims through emails, warning the recipient of copyright infringement. The phishing emails contain a compressed file with an NSIS script file disguised as a PDF document. Upon execution of the file, persistence is established from the LockBit ransomware hta file by registering itself in the run key and tampering with system recovery by deleting shadow copies and terminating services. Analysis from ASEC discovered infection commences when desired services are stopped, "The encryption happens after certain services and processes are terminated. If the drive type is DRIVE_REMOVABLE, DRIVE_FIXED, or DRIVE_RAMDISK, it will also be encrypted."

Anvilogic Scenario:

• LockBit - Script File Creating Persistence and Tampers with Sys

Anvilogic Use Cases:

• Compressed File Execution
• New AutoRun Registry Key
• Service Stop Commands
• Inhibit System Recovery Commands