The emails, discovered by AhnLab (via Bleeping Computer), inform the operator that allegedly copyrighted content is being used on the platform. The administrator is prompted to view the affected files and then remove them. However, the link refers to a password-protected ZIP archive containing a compressed file. This prevents detection by security tools. The executable program is disguised as a PDF document. In reality, it is an NSIS installer that installs the LockBit 2.0 encryption Trojan.
The link in the fake copyright infringement email points to ransomware
Messages must name files
However, experienced administrators in particular should be able to recognize the phishing emails relatively easily. In a legitimate copyright notice, the affected documents are usually named directly. If the message does not state which file is affected, it can usually be assumed to be a fake.
It is unusual for the operator to first have to load a file from a third-party server in order to compare it with their own content and eliminate the violation. Therefore, users should not open attachments and links from emails from unknown senders. Should this be necessary, a secure environment should be used.
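The following Python example is added here and is not from AhnLab or the original report. It shows that an analyst or mail gateway can read the entry names and encryption flag of a password-protected ZIP without knowing the password, and can tell a Windows executable from a real PDF by its first bytes. The file name, extension list and sample archive are constructed for illustration.

```python
import io
import os
import zipfile

# Extensions Windows runs directly (constructed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def triage_zip(data: bytes) -> list[str]:
    """Inspect a ZIP without its password.

    Entry names and flags live in the central directory, which stays
    readable for ordinary password-protected ZIPs.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename.lower())[1]
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                findings.append(f"encrypted:{info.filename}")
            if ext in EXECUTABLE_EXTS:
                findings.append(f"executable:{info.filename}")
    return findings


def sniff(head: bytes) -> str:
    """Classify extracted content by magic bytes, not by name or icon."""
    if head.startswith(b"MZ"):      # Windows PE, which includes NSIS installers
        return "pe"
    if head.startswith(b"%PDF-"):   # genuine PDF header
        return "pdf"
    return "unknown"


def build_sample() -> bytes:
    """Constructed sample: one stored entry whose central-directory
    encryption flag is set by hand (zipfile cannot write encrypted ZIPs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Copyright_Notice.pdf.exe", b"MZ" + b"\x00" * 62)
    raw = bytearray(buf.getvalue())
    eocd = raw.rfind(b"PK\x05\x06")                      # end of central directory
    cd = int.from_bytes(raw[eocd + 16:eocd + 20], "little")  # central directory offset
    raw[cd + 8] |= 0x01                                   # flag bits sit at offset 8
    return bytes(raw)
```

An encrypted archive that lists an executable entry is a strong signal on its own, even though the payload itself cannot be scanned until it is unpacked in an isolated environment.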