According to AhnLab researchers, LockBit ransomware affiliates are tricking users into downloading malicious documents via emails disguised as copyright claims.

The emails warned victims of copyright infringement, accusing them of using media files without the license of the author. In the email, recipients were asked to remove the infringing content from their websites or face legal action.

The recipients were asked to download and open the attached files to see the content of the infringement.

The attachment is a password-protected ZIP archive containing a compressed file. Inside that compressed file is an executable disguised as a PDF document, which is in reality an NSIS installer.

When the victim opens the alleged PDF document, the malware loads and encrypts the device with the LockBit 2.0 ransomware.

Copyright claims are important to content publishers, but a claim should be flagged as suspicious if it is ambiguous and asks the recipient to open an attachment to see the infringement details.
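The attachment chain described above (password-protected ZIP, nested compressed file, executable posing as a PDF that is really an NSIS installer) can be triaged from file structure alone, without the password for the outer archive. The following Python is an added example, not code from AhnLab or from this article; the function names, file names and sample bytes are constructed for illustration.

```python
import io
import zipfile

ARCHIVE_EXT = (".zip", ".7z", ".rar", ".gz", ".iso")
PE_MAGIC = b"MZ"               # DOS/PE executable header
PDF_MAGIC = b"%PDF-"           # header of a genuine PDF
NSIS_MARKER = b"NullsoftInst"  # signature string in NSIS installer headers

def triage_zip(data: bytes) -> list[str]:
    """Flag lure traits in a ZIP; entry names are readable without the password."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted entry
                findings.append(f"encrypted entry: {info.filename}")
            if info.filename.lower().endswith(ARCHIVE_EXT):
                findings.append(f"nested archive: {info.filename}")
    return findings

def triage_payload(name: str, data: bytes) -> list[str]:
    """Compare what an extracted file claims to be with what its bytes say."""
    findings = []
    if "pdf" in name.lower() and PDF_MAGIC not in data[:1024]:
        findings.append("name suggests PDF but no PDF header")
    if data.startswith(PE_MAGIC):
        findings.append("Windows executable header (MZ)")
    if NSIS_MARKER in data:
        findings.append("NSIS installer marker")
    return findings

def constructed_sample() -> tuple[bytes, str, bytes]:
    """Build harmless stand-ins: a ZIP flagged as encrypted and a fake 'PDF'."""
    payload = PE_MAGIC + b"\x00" * 64 + NSIS_MARKER  # markers only, not runnable
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("claim_details.zip", b"placeholder inner archive")
    raw = bytearray(buf.getvalue())
    # Set the encrypted bit in the central directory record (flags at offset 8).
    raw[raw.rfind(b"PK\x01\x02") + 8] |= 0x01
    return bytes(raw), "claim_details.pdf.exe", payload

if __name__ == "__main__":
    outer, name, payload = constructed_sample()
    for finding in triage_zip(outer) + triage_payload(name, payload):
        print(finding)
```

Any one finding is weak on its own; the combination of an encrypted outer archive, a nested archive and a PDF-named file with an executable header is what matches the chain reported here.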

The copyright infringement lure, while prominent, is not limited to LockBit ransomware attackers alone. LockBit, however, remains the most dominant ransomware group with the most victims. According to NCC Group's “Threat Pulse” report for May 2022, LockBit 2.0 accounted for 40 per cent of all (236) ransomware attacks reported in May.