Researchers in Korea have identified threat actors targeting companies with emails claiming copyright infringement that contain ransomware.
AhnLab Security Emergency Response Center (ASEC) has collected evidence of emails sent to companies with a password-protected compressed file attached, within which lies Lockbit.20 ransomware disguised with a PDF file icon.
RELATED RESOURCE
Although the research pointed to an active campaign by threat actors within the Republic of Korea, the widespread nature of Lockbit 2.0 means there is real potential that the same methods could soon be used to target firms in Europe and the US.
In recent attacks, emails have been spotted carrying a file that appears to contain the images of licensed content in dispute. Such emails may contain the name of actual artists, to add to their legitimacy, and follow a similar scam in which such files were passed off as resumes.
If the user opens the attached file, which has a PDF file icon disguised as a Lockbit executable, it will execute a series of processes to prevent file recovery and register itself to the system registry to keep itself running continuously. The user will quickly find their open processes terminating, and files changing to become unopenable and bear a red letter ‘B’ icon.
Lockbit 2.0 works to encrypt all data, local or externally connected, that doesn’t pertain to core system functions. Files are also uploaded to a server controlled by the attackers, who then a ransom note in the form of a text file urging the victim to pay them money. Of course, there is no way to guarantee that any deal made with the attackers would be honoured, so this is never an advised route for recovering one's data.
Of all ransomware, Lockbit 2.0 poses one of the greatest specific threats to businesses right now, with cyber security advisor NCC Group advising in a recent blog post that across May, Lockbit 2.0 accounted for 40% of ransomware attacks. The Federal Bureau of Investigation (FBI) also released a report earlier this year detailing the specific risks posed by the threat actor and noted the only targets it does not infect are those using Eastern European languages for their systems.
Smaller businesses are most likely to be affected by this method of attack, as they often lack dedicated legal teams who would be able to identify the legitimacy of the emails. Additionally, employees in smaller businesses are less likely to have received anti-phishing training.
“Lockbit 2.0 has fast cemented its place as the most prolific threat actor of 2022,” stated NCC’s global lead for strategic threat intelligence, Matt Hull.
“It is crucial that businesses familiarise themselves with their tactics, techniques, and procedures. It will give them a better understanding of how to protect against attack and the most appropriate security measures to implement.”
-
The pros and cons of AI coding in ITIn-depth Businesses must weigh up the benefits, challenges, and key considerations when using generative AI coding tools
-
Huawei is supporting businesses when it comes to strategic AI adoptionThe lessons of digital and intelligent transformation, with help from partners like Huawei, can offer a roadmap for how to implement AI
-
NCA confirms arrest after airport cyber disruptionNews Disruption is easing across Europe following the ransomware incident
-
Cyber professionals are losing sleep over late night attacksNews Hackers are biding their time and launching attacks when businesses can’t respond
-
Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million rewardNews The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal.
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attackNews The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalitiesNews The attack on IT systems supplier Miljödata has impacted public sector services across the country
-
A notorious hacker group is ramping up cloud-based ransomware attacksNews The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
-
Security researchers have just identified what could be the first ‘AI-powered’ ransomware strain – and it uses OpenAI’s gpt-oss-20b modelNews Using OpenAI's gpt-oss:20b model, ‘PromptLock’ generates malicious Lua scripts via the Ollama API.
-
Data I/O shuts down systems in wake of ransomware attack
News Regulatory filings by Data I/O suggest the costs of dealing with the attack could be significant
