LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Researchers have urged vigilance over compressed attachments sent under false pretenses


Researchers in Korea have identified threat actors targeting companies with emails claiming copyright infringement that contain ransomware.
AhnLab Security Emergency Response Center (ASEC) has collected evidence of emails sent to companies with a password-protected compressed file attached, within which lies Lockbit.20 ransomware disguised with a PDF file icon.
RELATED RESOURCE
Although the research pointed to an active campaign by threat actors within the Republic of Korea, the widespread nature of Lockbit 2.0 means there is real potential that the same methods could soon be used to target firms in Europe and the US.
In recent attacks, emails have been spotted carrying a file that appears to contain the images of licensed content in dispute. Such emails may contain the name of actual artists, to add to their legitimacy, and follow a similar scam in which such files were passed off as resumes.
If the user opens the attached file, which has a PDF file icon disguised as a Lockbit executable, it will execute a series of processes to prevent file recovery and register itself to the system registry to keep itself running continuously. The user will quickly find their open processes terminating, and files changing to become unopenable and bear a red letter ‘B’ icon.
Lockbit 2.0 works to encrypt all data, local or externally connected, that doesn’t pertain to core system functions. Files are also uploaded to a server controlled by the attackers, who then a ransom note in the form of a text file urging the victim to pay them money. Of course, there is no way to guarantee that any deal made with the attackers would be honoured, so this is never an advised route for recovering one's data.
Of all ransomware, Lockbit 2.0 poses one of the greatest specific threats to businesses right now, with cyber security advisor NCC Group advising in a recent blog post that across May, Lockbit 2.0 accounted for 40% of ransomware attacks. The Federal Bureau of Investigation (FBI) also released a report earlier this year detailing the specific risks posed by the threat actor and noted the only targets it does not infect are those using Eastern European languages for their systems.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Smaller businesses are most likely to be affected by this method of attack, as they often lack dedicated legal teams who would be able to identify the legitimacy of the emails. Additionally, employees in smaller businesses are less likely to have received anti-phishing training.
“Lockbit 2.0 has fast cemented its place as the most prolific threat actor of 2022,” stated NCC’s global lead for strategic threat intelligence, Matt Hull.
“It is crucial that businesses familiarise themselves with their tactics, techniques, and procedures. It will give them a better understanding of how to protect against attack and the most appropriate security measures to implement.”

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.
-
Dell Technologies Global Partner Summit 2025 – all the news and updates live from Las Vegas
Keep up to date with all the news and announcements from the annual Dell Technologies Global Partner Summit in Las Vegas
-
Jensen Huang joins Dell Technologies World virtually to talk servers and AI factories
Nvidia CEO virtually joined Michael Dell for the opening keynote of the 2025 conference to talk through a host of AI and server announcements
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?
News The Scattered Spider group has been highly active in recent years
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the last
News Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackers
News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to know
News Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticed
News Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
Alleged LockBit developer extradited to the US
News A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
-
February was the worst month on record for ransomware attacks – and one threat group had a field day
News February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.