LockBit Ransomware: The Hidden Threat in Resume Word Files


The AhnLab Security Intelligence Center has uncovered that the LockBit ransomware is being spread through malicious Word files disguised as resumes. This ransomware, first identified in 2022, employs external URLs in Word files to initiate its attack.

Once the Word file is opened, it connects to an external URL and downloads a document containing a malicious macro. When the VBA macro in the downloaded document executes, it launches PowerShell to download and run the LockBit ransomware.

This method of distribution is particularly insidious as it leverages seemingly innocuous resumes, making detection more challenging. The discovered filenames of these malicious Word files often appear as common names or phrases related to job applications.

“External link is included in the internal Word file \word\_rels\settings.xml.rels, and the document file that has additional malicious macro code is downloaded from the external URL when the Word file is run,” the researcher explains.
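A defender-side check for the indicator the researcher describes, as an added example that is not part of the AhnLab report: it reads `word/_rels/settings.xml.rels` from a .docx package and lists every relationship marked `TargetMode="External"`. The function names are hypothetical, and the sample package and URL are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
SETTINGS_RELS = "word/_rels/settings.xml.rels"  # ZIP member names use forward slashes


def external_settings_links(docx_bytes):
    """Return (relationship type, target) for each external link in settings.xml.rels."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return findings  # settings.xml has no relationship part at all
        # For bulk scanning of untrusted files, a hardened XML parser is preferable.
        root = ET.fromstring(zf.read(SETTINGS_RELS))
    for rel in root.iter(REL_NS + "Relationship"):
        # Internal relationships omit TargetMode; only external ones leave the package.
        if rel.get("TargetMode", "").lower() == "external":
            rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
            findings.append((rel_type, rel.get("Target", "")))
    return findings


def build_sample(rels_xml=None):
    """Build a constructed, minimal ZIP holding only the parts this check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document xmlns:w='urn:sample'/>")
        if rels_xml is not None:
            zf.writestr(SETTINGS_RELS, rels_xml)
    return buf.getvalue()


# Constructed sample: a template relationship pointing at a placeholder URL.
SAMPLE_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
    'Target="https://template-host.example/resume.dotm" TargetMode="External"/>'
    '</Relationships>'
)

if __name__ == "__main__":
    for rel_type, target in external_settings_links(build_sample(SAMPLE_RELS)):
        print(f"external {rel_type} -> {target}")
```

Run over inbound attachments at a mail gateway or in triage, a non-empty result is a reason to hold the file for analysis before anyone opens it in Word.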

The analysis shows that the properties of these documents are similar to those used in past distributions, suggesting a pattern of reuse by the attackers.

The LockBit 3.0 ransomware, once downloaded and executed, encrypts files on the victim’s PC. Due to the various types of malware being distributed under the guise of resumes, the report advises users to exercise increased caution. The study highlights the evolving tactics of cybercriminals and the continuous need for vigilance in cybersecurity practices.