LockBit 2.0 ransomware disguised as PDFs distributed in e-mail attacks

Researchers have urged vigilance over compressed attachments sent under false pretenses

28 June 2022

Researchers in Korea have identified threat actors targeting companies with e-mails claiming copyright infringement that contain ransomware.

AhnLab Security Emergency Response Center (ASEC) has collected evidence of e-mails sent to companies with a password-protected compressed file attached, within which lies Lockbit 2.0 ransomware disguised with a PDF file icon.

Although the research pointed to an active campaign by threat actors within the Republic of Korea, the widespread nature of Lockbit 2.0 means there is real potential that the same methods could soon be used to target firms in Europe and the US.

In recent attacks, e-mails have been spotted carrying a file that appears to contain images of the licensed content in dispute. Such e-mails may include the names of real artists to add to their legitimacy, and follow a similar scam in which such files were passed off as resumes.

If the user opens the attached file, a Lockbit executable disguised with a PDF file icon, it executes a series of processes to prevent file recovery and registers itself in the system registry so that it keeps running persistently. The user will quickly find their open processes terminating, and files changing to become unopenable and bearing a red letter ‘B’ icon.

Lockbit 2.0 works to encrypt all data, local or externally connected, that doesn’t pertain to core system functions. Files are also uploaded to a server controlled by the attackers, who then send a ransom note in the form of a text file urging the victim to pay them money. Of course, there is no way to guarantee that any deal made with the attackers would be honoured, so this is never an advised route for recovering one’s data.
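As an added defender-side example (it is not code from ASEC, NCC Group or this article), the check below inspects an attached ZIP the way a mail gateway could: entry names and the encryption flag live in the central directory in cleartext, so an executable named like a PDF inside a password-protected archive can be flagged without the password and before anyone opens it. The sample archive, its file names and the extension lists are constructed for illustration.

```python
import io
import zipfile

# Extensions Windows runs as code; a "PDF" ending in one of these is not a PDF.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".jpg", ".png"}


def scan_mail_archive(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (entry, reason) pairs for suspicious traits of an attached ZIP.
    Entry names and flags sit in the central directory in cleartext even when
    the archive is password-protected, so name checks need no password; the
    magic-byte check runs only on entries the gateway can actually read."""
    findings: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose flag bit 0
            if encrypted:
                findings.append((info.filename, "password-protected entry: content not inspectable"))
            exts = ["." + p for p in info.filename.rsplit("/", 1)[-1].lower().split(".")[1:]]
            if exts and exts[-1] in EXECUTABLE_EXTS:
                findings.append((info.filename, "executable inside e-mail archive"))
                if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
                    findings.append((info.filename, "document extension used to mask executable"))
            elif not encrypted:
                with zf.open(info) as fh:
                    head = fh.read(2)
                if head == b"MZ":  # PE/DOS header behind a non-executable name
                    findings.append((info.filename, "PE executable under non-executable name"))
    return findings


def build_sample_archive(password_protected: bool) -> bytes:
    """Constructed sample: a fake 'infringed images' archive with two PE stubs
    named like documents and one real-looking PDF. Nothing is truly encrypted;
    with password_protected set, the encryption flag bit is set on every header
    so the scanner sees what a gateway would see on the real lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("infringed_images.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("cover_art.pdf", b"MZ" + b"\x00" * 62)
        zf.writestr("notice.pdf", b"%PDF-1.4\n%constructed sample\n")
    data = bytearray(buf.getvalue())
    if password_protected:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= 0x01
                pos = data.find(sig, pos + 4)
    return bytes(data)
```

On the password-protected variant the content check cannot run, which is exactly why a gateway should treat an encrypted archive carrying an executable name as a finding in its own right rather than passing it through unscanned.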

Of all ransomware, Lockbit 2.0 poses one of the greatest specific threats to businesses right now, with cyber security advisor NCC Group advising in a recent blog post that across May, Lockbit 2.0 accounted for 40% of ransomware attacks. The Federal Bureau of Investigation (FBI) also released a report earlier this year detailing the specific risks posed by the threat actor and noted the only targets it does not infect are those using Eastern European languages for their systems.

Smaller businesses are most likely to be affected by this method of attack, as they often lack dedicated legal teams who would be able to assess the legitimacy of the e-mails. Additionally, employees in smaller businesses are less likely to have received anti-phishing training.

“Lockbit 2.0 has fast cemented its place as the most prolific threat actor of 2022,” stated NCC’s global lead for strategic threat intelligence, Matt Hull.

“It is crucial that businesses familiarise themselves with their tactics, techniques, and procedures. It will give them a better understanding of how to protect against attack and the most appropriate security measures to implement.”

© Dennis Publishing
