IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

Researchers have urged vigilance over compressed attachments sent under false pretenses

A digital render of an envelope, floating above blue cubes and the outlines of cubes made of red energy

Researchers in Korea have identified threat actors targeting companies with emails claiming copyright infringement that contain ransomware.

AhnLab Security Emergency Response Center (ASEC) has collected evidence of emails sent to companies with a password-protected compressed file attached, within which lies Lockbit.20 ransomware disguised with a PDF file icon.

Related Resource

The state of email security 2022

Confronting the new wave of cyber attacks

Whitepaper cover with image of a man walking along a beach, with a line graph overlayFree Download

Although the research pointed to an active campaign by threat actors within the Republic of Korea, the widespread nature of Lockbit 2.0 means there is real potential that the same methods could soon be used to target firms in Europe and the US.

In recent attacks, emails have been spotted carrying a file that appears to contain the images of licensed content in dispute. Such emails may contain the name of actual artists, to add to their legitimacy, and follow a similar scam in which such files were passed off as resumes.

If the user opens the attached file, which has a PDF file icon disguised as a Lockbit executable, it will execute a series of processes to prevent file recovery and register itself to the system registry to keep itself running continuously. The user will quickly find their open processes terminating, and files changing to become unopenable and bear a red letter ‘B’ icon.

Lockbit 2.0 works to encrypt all data, local or externally connected, that doesn’t pertain to core system functions. Files are also uploaded to a server controlled by the attackers, who then a ransom note in the form of a text file urging the victim to pay them money. Of course, there is no way to guarantee that any deal made with the attackers would be honoured, so this is never an advised route for recovering one's data.

Of all ransomware, Lockbit 2.0 poses one of the greatest specific threats to businesses right now, with cyber security advisor NCC Group advising in a recent blog post that across May, Lockbit 2.0 accounted for 40% of ransomware attacks. The Federal Bureau of Investigation (FBI) also released a report earlier this year detailing the specific risks posed by the threat actor and noted the only targets it does not infect are those using Eastern European languages for their systems.

Smaller businesses are most likely to be affected by this method of attack, as they often lack dedicated legal teams who would be able to identify the legitimacy of the emails. Additionally, employees in smaller businesses are less likely to have received anti-phishing training.

“Lockbit 2.0 has fast cemented its place as the most prolific threat actor of 2022,” stated NCC’s global lead for strategic threat intelligence, Matt Hull.

“It is crucial that businesses familiarise themselves with their tactics, techniques, and procedures. It will give them a better understanding of how to protect against attack and the most appropriate security measures to implement.”

Featured Resources

IT best practices for accelerating the journey to carbon neutrality

Considerations and pragmatic solutions for IT executives driving sustainable IT

Free Download

The Total Economic Impact™ of IBM Spectrum Virtualize

Cost savings and business benefits enabled by storage built with IBMSpectrum Virtualize

Free download

Using application migration and modernisation to supercharge business agility and resiliency

Modernisation can propel your digital transformation to the next generation

Free Download

The strategic CFO

Why finance transformation propels business value

Free Download

Recommended

GTA V vulnerability exposes PC users to partial remote code execution attacks
vulnerability

GTA V vulnerability exposes PC users to partial remote code execution attacks

23 Jan 2023
MSI to release securer BIOS settings after critical flaw discovered
vulnerability

MSI to release securer BIOS settings after critical flaw discovered

20 Jan 2023
China-backed hackers take down Amnesty International Canada for three weeks
Security

China-backed hackers take down Amnesty International Canada for three weeks

7 Dec 2022
'CryWiper' trojan disguises as ransomware, says Kaspersky
malware

'CryWiper' trojan disguises as ransomware, says Kaspersky

2 Dec 2022

Most Popular

The big PSTN switch off: What’s happening between now and 2025?
Sponsored

The big PSTN switch off: What’s happening between now and 2025?

13 Mar 2023
Why – and how – IP can be the hero in your digital transformation success story
Sponsored

Why – and how – IP can be the hero in your digital transformation success story

6 Mar 2023
Why Amazon is cutting staff from AWS
Cloud

Why Amazon is cutting staff from AWS

21 Mar 2023