{
	"id": "a796beef-18d4-457a-b547-92625e3dd8ab",
	"created_at": "2026-04-06T00:06:53.611785Z",
	"updated_at": "2026-04-10T13:11:37.381872Z",
	"deleted_at": null,
	"sha1_hash": "5f3bc34c388d0fcb055bb3b8b607c713cac5153e",
	"title": "Spain warns of LockBit Locker ransomware phishing attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4306929,
	"plain_text": "Spain warns of LockBit Locker ransomware phishing attacks\r\nBy Bill Toulas\r\nPublished: 2023-08-28 · Archived: 2026-04-05 15:27:31 UTC\r\nThe National Police of Spain is warning of an ongoing 'LockBit Locker' ransomware campaign targeting architecture\r\ncompanies in the country through phishing emails.\r\n\"A wave of sending emails to architecture companies has been detected, although it is not ruled out that they extend their\r\naction to other sectors,\" reads the machine-translated police announcement.\r\n\"The detected campaign has a very high level of sophistication since the victims do not suspect anything until they suffer the\r\nencryption of the terminals.\"\r\nhttps://www.bleepingcomputer.com/news/security/spain-warns-of-lockbit-locker-ransomware-phishing-attacks/\r\nPage 1 of 5\n\nSpain's cyber police have detected that many emails are sent from the non-existent domain \"fotoprix.eu\" and impersonate a\r\nphotographic firm.\r\nThe threat actors pretend to be a newly launched photography store requesting a facility renovation/development plan and a\r\ncost estimate for the work from the architecture firm.\r\nAfter exchanging several emails to build trust, the LockBit operators propose to specify a meeting date to discuss the budget\r\nand details of the building project and send an archive with documents on the exact specifications of the renovation.\r\nWhile the Spanish police does not provide much technical detail, in a sample seen by BleepingComputer, this archive is a\r\ndisk image (.img) file that, when opened in newer versions of Windows, will automatically mount the file as a drive letter\r\nand display its contents.\r\nThese archives contain a folder named 'fotoprix' that includes numerous Python files, batch files, and executables. 
The\r\narchive also contains a Windows shortcut named 'Caracteristicas,' that, when launched, will execute a malicious Python\r\nscript.\r\nIMG file contents\r\nSource: BleepingComputer\r\nBleepingComputer's analysis shows that the executed Python script will check if the user is an admin of the device, and if\r\nso, make modifications to the system for persistence and then execute the 'LockBit Locker' ransomware to encrypt files.\r\nMalicious Python script\r\nSource: BleepingComputer\r\nIf the Windows user is not an admin on the device, it will use the Fodhelper UAC bypass to launch the ransomware\r\nencryptor with admin privileges.\r\nThe Spanish police underline the \"very high level of sophistication\" of these attacks, particularly noting the consistency of\r\nthe communications that convince victims they interact with individuals genuinely interested in discussing architectural\r\nproject details.\r\nWhile the ransomware gang claims to be affiliated with the notorious LockBit ransomware operation, BleepingComputer\r\nbelieves this campaign is conducted by different threat actors using the leaked LockBit 3.0 ransomware builder.\r\nThe regular LockBit operation negotiates through a Tor negotiation site, while this 'LockBit Locker' negotiates via email at\r\n'lockspain@onionmail.org' or via the Tox messaging platform.\r\nLockBit Locker ransom note\r\nSource: BleepingComputer\r\nFurthermore, automated analysis by Intezer's scanning engine identifies the ransomware executable as being BlackMatter, a\r\nransomware operation that shut down in 2021 and later rebranded as ALPHV/BlackCat.\r\nHowever, this is expected, as the leaked LockBit 3.0 builder, also known as LockBit Black, is also identified by Intezer as\r\nBlackMatter for its use of BlackMatter source code.\r\nGiven the reported sophistication of the phishing emails and social 
engineering seen by BleepingComputer, it is likely that\r\nthe threat actors behind this campaign are using different lures for companies in other sectors.\r\nPhishing actors have extensively used the \"call to bid\" bait in campaigns impersonating private firms or government\r\nagencies and using well-crafted documents to convince of the legitimacy of their messages.\r\nNotorious ransomware gangs adopting similar practices for initial compromise is a worrying development, as posing as\r\nlegitimate customers could help them overcome obstacles like their targets' anti-phishing training.\r\nSource: https://www.bleepingcomputer.com/news/security/spain-warns-of-lockbit-locker-ransomware-phishing-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/spain-warns-of-lockbit-locker-ransomware-phishing-attacks/"
	],
	"report_names": [
		"spain-warns-of-lockbit-locker-ransomware-phishing-attacks"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434013,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f3bc34c388d0fcb055bb3b8b607c713cac5153e.pdf",
		"text": "https://archive.orkl.eu/5f3bc34c388d0fcb055bb3b8b607c713cac5153e.txt",
		"img": "https://archive.orkl.eu/5f3bc34c388d0fcb055bb3b8b607c713cac5153e.jpg"
	}
}