{
	"id": "7c0fd472-e223-493f-ab5c-ce5523839b39",
	"created_at": "2026-04-06T00:11:22.611406Z",
	"updated_at": "2026-04-10T03:21:43.114821Z",
	"deleted_at": null,
	"sha1_hash": "2bd02d418966a9254166fa6baeb4f964054d90ad",
	"title": "Continuous Distribution of LockBit 2.0 Ransomware Disguised as Resumes - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1413244,
	"plain_text": "Continuous Distribution of LockBit 2.0 Ransomware Disguised as\r\nResumes - ASEC\r\nBy ATCP\r\nPublished: 2023-02-02 · Archived: 2026-04-05 15:43:21 UTC\r\nThe ASEC analysis team has identified that Lockbit 2.0 is being distributed in a MalPE format instead of the NSIS\r\nformat which the team had introduced it with previously. The MalPE format is a type of packing method that\r\ndisrupts the analysis of the actual malware. It then decrypts and executies its PE files through an internal shell\r\ncode.\r\nWe have recently discovered during our monitoring of ransomware that the distribution of LockBit has risen since\r\nJanuary. As it was introduced before, LockBit is still being distributed with filenames that make them seem like\r\njob applications. Newly discovered filenames, as well as the existing ones, are as follows.\r\n_Resume_220926 (Experience details are included Thank you).exe\r\n#Resume_221116 (Experience details are included Thank you).exe\r\n(Resume_221112 (I’ll show that I’m a hard worker).exe\r\n221208_Resume (I’ll do my best I will be in your case Thank you).exe\r\n~Resume_230116.exe\r\n$Resume_230108.exe\r\nRe_su_me [230124 (Experience details are included Thank you].exe\r\nhttps://asec.ahnlab.com/en/47739/\r\nPage 1 of 4\n\n[Re_su_me] 230130 Please note that my experience details are also included.exe\r\nThe Lockbit 2.0 ransomware distributed with its filename as “Re_su_me [230124 (Experience details are included\r\nThank you].exe” is in a MalPE format that has a specific string in the resource area as shown in Figure 1. 
MalPE-format malware is generally distributed with identical icons, but the LockBit 2.0 ransomware is being distributed with its icon changed to that of Hangul, reflecting its disguise as a resume.\r\nSimilar to the typical MalPE packing method, this malware decodes and executes the shellcode and PE data.\r\nAs seen in the previous blog post, the executed ransomware deletes volume shadow copies, registers run keys, and shuts down services and processes to evade file infection and analysis; while doing so, this ransomware also deletes event logs, a behavior that has not been introduced before.\r\nbcdedit /set {default} bootstatuspolicy ignoreallfailures\r\nbcdedit /set {default} recoveryenabled no\r\nvssadmin delete shadows /all /quiet\r\nwmic shadowcopy delete\r\nwevutil cl application\r\nwevutil cl system\r\nTable 1. Execution command\r\nAfterward, it encrypts user system files. Encrypted files are given the same .lockbit extension and icon. It also generates a ransom note with the filename “Restore-My-Files.txt” before changing the wallpaper.\r\nMalPE-format malware has recently been targeting companies with emails disguised as job applications. This method is being used to spread not only LockBit but all sorts of other malware as well. Therefore, companies must update their anti-malware software to the latest versions, and users must take extra caution. 
AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:\r\n[File Detection]\r\nTrojan/Win.Generic.R553808 (2023.01.25.03)\r\nRansomware/Win.LockBit.R487041 (2022.04.22.01)\r\n[Behavior Detection]\r\nRansomware/MDP.Command.M1751\r\nMD5\r\n6a98b2b6e37c7c92368548e902e9a139\r\ncfbc3e71c945dd9918f0013acb652cbd\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/47739/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/47739/"
	],
	"report_names": [
		"47739"
	],
	"threat_actors": [],
	"ts_created_at": 1775434282,
	"ts_updated_at": 1775791303,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2bd02d418966a9254166fa6baeb4f964054d90ad.pdf",
		"text": "https://archive.orkl.eu/2bd02d418966a9254166fa6baeb4f964054d90ad.txt",
		"img": "https://archive.orkl.eu/2bd02d418966a9254166fa6baeb4f964054d90ad.jpg"
	}
}