2022-07-05

Fraudulent Copyright Themed Emails From LockBit Ransomware Identified

Level: Tactical | Source: ASEC | Technology


Research from the ASEC analysis team identified LockBit ransomware infecting victims through emails that warn the recipient of copyright infringement. The phishing emails contain a compressed file holding an NSIS script file disguised as a PDF document. When the file is executed, persistence is established for the LockBit ransomware hta file by registering it in the Run key, and system recovery is tampered with by deleting shadow copies and terminating services. ASEC's analysis found that encryption begins once the targeted services are stopped: "The encryption happens after certain services and processes are terminated. If the drive type is DRIVE_REMOVABLE, DRIVE_FIXED, or DRIVE_RAMDISK, it will also be encrypted."
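A detection sketch for the behaviour chain above, added here as an example and not taken from ASEC or this brief: it flags a host only when a Run key value pointing at an .hta file, a shadow copy deletion, and a service stop all occur inside one time window. The event schema, host names, paths, command-line patterns and the 10-minute window are assumptions, since the brief names the behaviours but not the commands used.

```python
import re
from datetime import datetime, timedelta

# Command-line patterns are assumptions: the brief names the behaviours, not the commands.
SHADOW = re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows|wmic(\.exe)?"?\s+shadowcopy\s+delete', re.I)
SVC_STOP = re.compile(r'\b(net1?|sc)(\.exe)?"?\s+stop\s+\S+', re.I)
RUN_KEY = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\', re.I)
HTA = re.compile(r'\.hta"?\s*$', re.I)
BEHAVIOURS = {"run_key_hta", "shadow_delete", "service_stop"}

def classify(ev):
    """Map one event to a behaviour described in the brief, or None."""
    if ev["type"] == "registry_set":
        if RUN_KEY.search(ev["target"]) and HTA.search(ev["details"]):
            return "run_key_hta"
    elif ev["type"] == "process_create":
        if SHADOW.search(ev["cmd"]):
            return "shadow_delete"
        if SVC_STOP.search(ev["cmd"]):
            return "service_stop"
    return None

def correlate(events, window_minutes=10):
    """Return {host: window start} for hosts showing all three behaviours in one window."""
    hits = {}
    for ev in events:
        behaviour = classify(ev)
        if behaviour:
            hits.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["time"]), behaviour))
    flagged = {}
    for host, seen in hits.items():
        seen.sort()
        for start, _ in seen:
            if {b for t, b in seen if start <= t <= start + timedelta(minutes=window_minutes)} == BEHAVIOURS:
                flagged[host] = start
                break
    return flagged

RUN = r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed sample events: hosts, paths, value names and service names are made up.
EVENTS = [
    {"host": "WS-01", "time": "2022-07-05T09:00:00", "type": "registry_set", "target": RUN + r"\constructed", "details": r"C:\Users\a\Desktop\constructed.hta"},
    {"host": "WS-01", "time": "2022-07-05T09:01:00", "type": "process_create", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-01", "time": "2022-07-05T09:02:00", "type": "process_create", "cmd": "net stop constructed-backup-svc"},
    {"host": "WS-02", "time": "2022-07-05T09:00:00", "type": "process_create", "cmd": "sc stop Spooler"},
    {"host": "WS-02", "time": "2022-07-05T09:03:00", "type": "registry_set", "target": RUN + r"\Updater", "details": r"C:\Program Files\App\update.exe"},
    {"host": "WS-03", "time": "2022-07-05T09:00:00", "type": "registry_set", "target": RUN + r"\constructed", "details": r"C:\Temp\constructed.hta"},
    {"host": "WS-03", "time": "2022-07-05T10:00:00", "type": "process_create", "cmd": "wmic shadowcopy delete"},
    {"host": "WS-03", "time": "2022-07-05T11:00:00", "type": "process_create", "cmd": "net1 stop constructed-svc"},
]
```

Calling `correlate(EVENTS)` flags only WS-01: WS-02 shows a single routine service stop and a non-hta Run value, and WS-03 shows all three behaviours but spread over two hours.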

     
