The ASEC analysis team has recently discovered ransomware that is being distributed emails after disguising itself as resumes or copyright-related claims. The malicious emails with such content have been steadily distributed from the past. Unlike previous emails that distributed Makop ransomware, current cases have LockBit instead.
- Makop Ransomware Distributed As Copyright Violation Related Materials
- Makop Ransomware Disguised as Resume Being Distributed in Korea
The emails that are confirmed for the distribution of malware have compressed files with passwords.
Figure 1. Distributed email 1
Figure 2. Distributed email 2As shown in Figure 1, the compressed file that is attached to the email has two files: ‘You have violated copyright laws and here is the summary of violations.jpg’ and ‘Outline on the original image (the image I created) and the image you are currently using.exe’.
Figure 3. Compressed fileWhen the file is decompressed, ‘Outline on the original image (the image I created) and the image you are currently using.exe’ shows you the file icon of Microsoft Word to disguise itself as a word document. The jpg file is actually a normal executable with its extension changed to .jpg, so clicking the file will not open an image.
Figure 4. Files found upon decompressionWhen users run the file ‘Outline on the original image (the image I created) and the image you are currently using.exe’ that is in fact LockBit ransomware, their files will get encrypted. Like previous cases, the file type is NSIS (Nullsoft Scriptable Install System). Its properties are as follows:
Figure 5. Properties of exe fileUpon execution, the ransomware runs the command shown below to delete the volume shadow copy to make it impossible to restore files. It also registers Run Key to registry to make itself run continuously.
- vssadmin delete shadows /all /quiet
- wmic shadowcopy delete
- bcdedit /set {default} bootstatuspolicy ignoreallfailures
- bcdedit /set {default} recoveryenabled no
Figure 6. Data added to registryIt then terminates multiple services and processes to encrypt document files that are open and avoid detection.
| sql, svc$, MSSQL, MSSQL$, CAARCUpdateSvc, vmware-usbarbitator64, vmware-converter, etc. |
| winword.exe, QBDBMgr.exe, 360doctor.exe, Adobe Desktop Service.exe, Autorunsc64a.exe, Sysmon.exe, Sysmon64.exe, procexp64a, procexp64a.exe, procmon.exe, procmon64.exe, procmon64a, procmon64a.exe, Raccine_x86, etc. |
The encryption happens after certain services and processes are terminated. If the drive type is DRIVE_REMOVABLE, DRIVE_FIXED, or DRIVE_RAMDISK, it will also be encrypted. Extensions and name of folders files that are excluded from encryption are as follow:
| Restore-My-Files.txt, ntldr, bootsect.bak, autorun.inf, ntuser.dat.log |
| system volume information, windows photo viewer, windowspowershell, internet explorer, windows security, windows defender, $recycle.bin, Mozilla, msbuild, appdata, windows, etc. |
| .mp4, .mp3, .reg, .ini, .idx, .cur, .drv, .sys, .ico, .lnk, .dll, .exe, .lock, .lockbit, .sqlite, .accdb, .lzma, .zipx, .7z, .db, etc. |
Encrypted files have an extension named .lockbit and a certain icon. Also, a ransom note named ‘Restore-My-Files.txt’ is created.
Figure 7. Encrypted files
Figure 8. Ransom noteAs shown above, the distribution of ransomware disguised as resumes and copyright-related claims has been continually done from the past. Because emails distributing such malware type may include names of actual illustrators, users may run attached files without realizing. Hence they should take extreme caution.
[File Detection]
- Ransomware/Win.MAKOP.C4971574
- Suspicious/Win.MalPe.X2132
[Behavior Detection]
- Ransom/MDP.Decoy.M1171
Figure 9. Detecting and blocking malicious behavior[IOC Info]
- 3ffea798602155f8394e5fb3c7f4a495 (eml)
- 4b77923447b9a1867080e3abe857e5bd (exe)
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post LockBit Ransomware Being Distributed Using Resume and Copyright-related Emails appeared first on ASEC BLOG.
Article Link: LockBit Ransomware Being Distributed Using Resume and Copyright-related Emails - ASEC BLOG