Categories: PhishingRansomware

Hackers Delivered a Lockbit Ransomware Through Fake Copyright Claim E-mail

One of the interesting tricks used by LockBit affiliates is disguising their malware as copyright claims in order to trick users into infecting their devices with ransomware.

There is a copyright violation notice sent through email to these users, apparently containing information that they are using media files without permission from the creators. 

It is because of such emails that recipients are urged to remove content that they consider infringing on their websites.

Technical Analysis

Cybersecurity researchers at South Korean security firm, AhnLab identified the emails, but they were unable to determine which files were being unfairly used in the body of the emails. 

The recipient should instead be asked to open and download the attached file in order to view the content deemed infringing. The email attachment sent by the threat actors is a ZIP archive and this ZIP archive is password protected. 

While this ZIP file contains a compressed file that contains a copy of a PDF document which is actually an NSIS installer that is disguised as a PDF document.

This is done for the purpose of evading detection from email security software, which is why there is mandatory wrapping and password protection.

An encrypted file has an extension called .lockbit and has an icon that indicates its encryption status. Furthermore, the folder with the encrypted files has a ransom note named ‘Restore-My-Files.txt’ created inside of it.

Fake Copyright Claims

It is possible for a victim to view what images are being used illegally by simply opening the document intended to be a PDF attached to the email. If they open it, the malware will be loaded and the LockBit 2.0 ransomware will be used to encrypt the device.

In any case, you need not be surprised by LockBit using copyright violations as a tactic for malware distribution. Since it is a common lure that is used nowadays in several malware distribution campaigns.

Publishers of content should seriously consider this issue of copyright claims if they want to avoid legal issues in the future. 

If the notification doesn’t give you any concrete details about the violation or you are required to open attached files in order to view details in the complaint, then it is unlikely that it is a legitimate notice.

Users may run attached files without realizing they have done it, as e-mails distributing malware types like this may contain the name of the actual illustrator, whose work they are viewing. Therefore, users should be very cautious when they are downloading such attachments.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Cyberattackers Targeting IT Help Desks for Initial Breach

Cybercriminals are increasingly impersonating IT support personnel and trusted authorities to manipulate victims into granting…

51 minutes ago

New Stealthy .NET Malware Hiding Malicious Payloads Within Bitmap Resources

Cybersecurity researchers at Palo Alto Networks' Unit 42 have uncovered a novel obfuscation method employed…

1 hour ago

Hackers Weaponizing Facebook Ads to Deploy Multi-Stage Malware Attacks

A persistent and highly sophisticated malvertising campaign on Facebook has been uncovered by Bitdefender Labs,…

1 hour ago

Threat Actors Target Job Seekers with Three New Unique Adversaries

Netcraft has uncovered a sharp rise in recruitment scams in 2024, driven by three distinct…

1 hour ago

Scattered Spider Malware Targets Klaviyo, HubSpot, and Pure Storage Platforms

Silent Push researchers have identified that the notorious hacker collective Scattered Spider, also known as…

2 hours ago

Chinese Hackers Exploit SAP RCE Vulnerability to Deploy Supershell Backdoors

A critical remote code execution (RCE) vulnerability, identified as CVE-2025-31324, in SAP NetWeaver Visual Composer…

4 hours ago