Hacking by estimate: Spanish extortionists disguise themselves as clients of architectural organizations

Carding

Professional
A clear and well-thought-out social engineering campaign is paying off: dozens of firms' data have been encrypted.

Spain's National Police are warning of an ongoing "LockBit Locker" ransomware campaign targeting architecture companies in the country through phishing emails.

"A wave of emails sent to architectural companies was detected, although it is possible that the actions of intruders may spread to other sectors," the police said in a statement.

According to the police, the campaign is highly sophisticated: victims suspect nothing until their devices have been fully encrypted.

Many of the malicious emails are sent from the non-existent domain "fotoprix.eu". The attackers pose as a newly opened photo studio that wants to commission a renovation plan for its premises from an architectural firm.

After several emails to establish trust, the attackers propose a meeting to discuss the budget and details of the construction project and send an archive of documents that supposedly contains the exact specifications the architects need for their calculations and for drawing up the renovation plan.

The "archive" is in fact a disk image in ".img" format, which Windows (8 and later) mounts as a removable drive as soon as it is opened. Inside the image is a folder named "fotoprix" containing numerous Python scripts, batch files and executables, along with a Windows shortcut named "Characteristics" that launches the malicious Python script.

Analysis showed that this script checks whether the current user has administrator rights and, if so, adds itself to startup for persistence and then launches the LockBit ransomware to encrypt files.
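The chain described above (explorer.exe starting a Python interpreter from a freshly mounted, non-system drive, followed by that same process writing itself into a Run key) is something a SOC can look for in Sysmon telemetry. The correlation below is an added example, not code from the article, the Spanish police or any vendor: the log records are constructed, field names follow Sysmon's schema, and the drive letter E:, the script name launch.py and the Run value name are assumptions.

```python
"""Toy correlation of Sysmon-style process-creation (EventID 1) and
registry-value (EventID 13) records for the infection chain described in
the article. Added example with constructed data; E:, launch.py and the
Run value name are assumed, the folder name "fotoprix" is from the report."""
import re

PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
# Autostart key exactly as Sysmon reports it in TargetObject (HKLM or HKU).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# A .py argument on any drive other than C: (assumption: the OS lives on C:).
SCRIPT_ON_OTHER_DRIVE_RE = re.compile(r'"?([D-Zd-z]:\\[^"\s]+?\.py)\b"?')


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def interpreter_from_mounted_drive(ev):
    """EventID 1: a Python interpreter started by explorer.exe (a double-clicked
    shortcut) with its script on a non-system drive. Returns the script path or None."""
    if ev.get("EventID") != 1 or basename(ev["Image"]) not in PYTHON_IMAGES:
        return None
    if basename(ev["ParentImage"]) != "explorer.exe":
        return None
    m = SCRIPT_ON_OTHER_DRIVE_RE.search(ev["CommandLine"])
    return m.group(1) if m else None


def run_key_write(ev):
    """EventID 13: a value set under a Run key. Returns (TargetObject, Details) or None."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev["TargetObject"]):
        return None
    return ev["TargetObject"], ev["Details"]


def correlate(events):
    """Alert when one process (keyed by ProcessGuid) first matches
    interpreter_from_mounted_drive and later writes a Run value whose data
    points back into the directory its script was loaded from.
    Assumes events arrive in chronological order."""
    suspicious = {}  # ProcessGuid -> script path seen at process creation
    alerts = []
    for ev in events:
        script = interpreter_from_mounted_drive(ev)
        if script:
            suspicious[ev["ProcessGuid"]] = script
            continue
        hit = run_key_write(ev)
        if hit and ev["ProcessGuid"] in suspicious:
            script = suspicious[ev["ProcessGuid"]]
            script_dir = script.rsplit("\\", 1)[0].lower()
            target, details = hit
            if script_dir in details.lower():
                alerts.append({"host": ev["Computer"], "script": script,
                               "run_value": target, "details": details})
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Benign: a developer runs a script from the system drive via cmd.exe.
    {"EventID": 1, "Computer": "ws01", "ProcessGuid": "{a1}",
     "Image": r"C:\Python311\python.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"python.exe C:\Users\dev\proj\main.py"},
    # Suspicious: explorer.exe (user opened the shortcut) starts the interpreter
    # bundled in the mounted image on E: with a script from the "fotoprix" folder.
    {"EventID": 1, "Computer": "ws01", "ProcessGuid": "{b2}",
     "Image": r"E:\fotoprix\python.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"E:\fotoprix\python.exe" "E:\fotoprix\launch.py"'},
    # Benign: an installer registers an updater under the machine Run key.
    {"EventID": 13, "Computer": "ws01", "ProcessGuid": "{c3}",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    # Suspicious: the same Python process adds itself to the user's Run key.
    {"EventID": 13, "Computer": "ws01", "ProcessGuid": "{b2}",
     "Image": r"E:\fotoprix\python.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\fotoprix",
     "Details": r'"E:\fotoprix\pythonw.exe" "E:\fotoprix\launch.py"'},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Keying on ProcessGuid rather than on file names is deliberate: the folder and script names will change between campaigns, but an interpreter launched by explorer.exe from a just-mounted volume that then persists itself is unusual on an architect's workstation regardless of what it is called. Pair this with a policy that blocks mounting of user-downloaded .img/.iso files where the business does not need it.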

Spanish police emphasize the "high level of sophistication" of these attacks, noting the sequence of communications that convinces victims they are dealing with real people genuinely interested in discussing the details of an architectural project.

Although the ransom note links to the well-known LockBit group, experts believe the attackers are simply using the LockBit 3.0 builder that leaked in September 2022, which has since served as a convenient tool for hundreds of attacks, and that this group has nothing to do with the real LockBit operators.

Given the sophistication of the phishing emails and social engineering, the attackers responsible are likely already preparing plausible lures for other sectors of Spanish business, and nothing prevents them from expanding the geography of their attacks to other countries.

The criminals' use of this kind of initial access is particularly worrying: by posing as legitimate prospective clients, attackers can get past defenses such as anti-phishing training and lull their targets into a false sense of security.