{
	"id": "fb6882ee-8a34-45f7-b526-eeab1e65cf40",
	"created_at": "2026-04-06T00:21:42.477814Z",
	"updated_at": "2026-04-10T03:21:25.399312Z",
	"deleted_at": null,
	"sha1_hash": "897e0174c3b35e8171ea25afb1dd20e417733332",
	"title": "LockBit Ransomware Disguised as Copyright Claim E-mail Being Distributed - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1308814,
	"plain_text": "LockBit Ransomware Disguised as Copyright Claim E-mail Being Distributed - ASEC\nBy ATCP\nPublished: 2022-06-20 · Archived: 2026-04-05 19:46:11 UTC\nThe ASEC analysis team has once again discovered LockBit ransomware being distributed through phishing e-mails disguised as copyright claims, a campaign introduced in a previous blog. The filename of the e-mail attachment includes the password, as in the phishing e-mails distributed last February (see the link below).\nLockBit Ransomware Being Distributed Using Resume and Copyright-related Emails\nhttps://asec.ahnlab.com/en/35822/\nPage 1 of 6\n\nAs shown in Figure 2, the phishing e-mail carries a compressed file as an attachment, and that archive contains another compressed file inside.\nDecompressing the inner file yields an executable disguised with a PDF file icon.\nAs shown in Figure 4, this file is confirmed to be an NSIS file. The nsi script decodes the data file ‘162809383’ and performs its malicious behaviors through recursion and injection.\n\nThe ransomware prevents recovery by deleting volume shadow copies. To keep running even after a desktop change or a reboot, it registers a Run key in the registry and drops LockBit_Ransomware.hta on the desktop.\nbcdedit /set {default} bootstatuspolicy ignoreallfailures\nbcdedit /set {default} recoveryenabled no\nvssadmin delete shadows /all /quiet\nwmic shadowcopy delete\nTable 1. Execution commands\nIt then terminates multiple services and processes to avoid detection of its file infection behavior and to hinder analysis.\nwrapper, vmware-converter, vmware-usbarbitator64, MSSQL, MSSQL$, sql, etc.\nTable 2. Terminated services\nwinword.exe, QBDBMgr.exe, 360doctor.exe, Adobe Desktop Service.exe, Autorunsc64a.exe, Sysmon.exe, Sysmon64.exe, procexp64a, procexp64a.exe, procmon.exe, procmon64.exe, procmon64a, procmon64a.exe, Raccine_x86, ProcessHacker.exe, etc.\nTable 3. Terminated processes\nEncryption begins after these services and processes are terminated. Drives of type DRIVE_REMOVABLE, DRIVE_FIXED, or DRIVE_RAMDISK are also encrypted. The folder names and file extensions excluded from encryption are as follows:\nsystem volume information, windows photo viewer, windowspowershell, internet explorer, windows security, windows defender, $recycle.bin, Mozilla, msbuild, appdata, windows, etc.\nTable 4. Folders excluded from encryption\n.mp4 .mp3 .reg .ini .idx .cur .drv .sys .ico .lnk .dll .exe .lock .lockbit .sqlite .accdb .lzma .zipx .7z .db, etc.\nTable 5. Extensions excluded from encryption\nEncrypted files receive the .lockbit extension and a distinctive icon, and a ransom note named ‘Restore-My-Files.txt’ is created in each encrypted folder.\nAs shown above, ransomware disguised as copyright-related claims has been distributed repeatedly in the past. Because e-mails distributing this type of malware may include the names of actual illustrators, users may run the attached files without realizing it; they should therefore take extreme caution.\n[File Detection]\nMalware/Gen.Reputation.C4312359\n[Behavior Detection]\nMalware/MDP.SystemManipulation.M1751\n\nMD5\n3a05e519067bea559491f6347dd6d296\n74a53d9db6b2358d3e5fe3accf0cb738\nAdditional IOCs are available on AhnLab TIP.\n\nSource: https://asec.ahnlab.com/en/35822/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/35822/"
	],
	"report_names": [
		"35822"
	],
	"threat_actors": [],
	"ts_created_at": 1775434902,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/897e0174c3b35e8171ea25afb1dd20e417733332.pdf",
		"text": "https://archive.orkl.eu/897e0174c3b35e8171ea25afb1dd20e417733332.txt",
		"img": "https://archive.orkl.eu/897e0174c3b35e8171ea25afb1dd20e417733332.jpg"
	}
}