
This fake copyright scam is infecting PCs with ransomware — what to know


Cybercriminals have launched a new phishing campaign that uses alleged copyright violations as a means to infect the systems of unsuspecting users with ransomware.

As reported by BleepingComputer, recipients of these emails are warned that they used media files online without a license from their creator and that they must remove the content in question from their website or face legal action.

According to a blog post from the antivirus company AhnLab, which first discovered the campaign, the emails themselves don’t specifically state what content was used without permission. Instead, recipients are urged to download and open an email attachment for more information.

The attachment is a password-protected ZIP file which contains an executable file disguised as a PDF. By entering the password contained in the email, unsuspecting users think they’ll find out more regarding the alleged copyright violation. However, doing so actually runs the LockBit 2.0 ransomware, which then encrypts the user’s devices.
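For defenders triaging such attachments, here is an added example (not code from AhnLab, BleepingComputer or this article) that lists executable members of a ZIP without needing its password. The extension lists, function names and sample file name are assumptions, and the double-extension check covers only one possible form of the PDF disguise, which the article does not detail.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy lists, not taken from the article; tune to your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
ENCRYPTED_FLAG = 0x1  # general-purpose bit 0: member is encrypted


def triage_zip(data):
    """List executable members of a ZIP attachment without needing its password.

    Traditional ZIP encryption protects file contents only; member names and
    flags stay readable in the central directory, which is all this reads.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            suffixes = [s.strip().lower() for s in PurePosixPath(info.filename).suffixes]
            if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
                continue
            findings.append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & ENCRYPTED_FLAG),
                # Document extension right before the executable one, e.g. ".pdf.exe"
                "document_lure": len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS,
            })
    return findings


def build_sample():
    """Constructed sample: harmless bytes, encryption bit set by hand (nothing is encrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Copyright_notice.pdf.exe", b"not a real program")
        zf.writestr("readme.txt", b"placeholder")
    raw = bytearray(buf.getvalue())
    pos = raw.find(b"PK\x01\x02")  # central directory file header signature
    while pos != -1:
        raw[pos + 8] |= ENCRYPTED_FLAG  # flag field sits 8 bytes into the header
        pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    for finding in triage_zip(build_sample()):
        print(finding)
```

A mail gateway or analyst script can quarantine any attachment for which `triage_zip` returns a finding with `encrypted` set, since content scanners cannot inspect the encrypted payload itself.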

Ransomware-as-a-service model


Unlike with other ransomware, LockBit uses a ransomware-as-a-service (RaaS) model in which cybercriminals pay for access to the malware to use in their own attacks.

In addition to earning a malware’s creator more money, this business model also helps shield them from some legal risk as they aren’t personally infecting individuals and businesses with ransomware. The cybercriminals who purchase access to malware (likely on dark web hacking forums) to use in their attacks are known as affiliates.

At the same time, using an RaaS model helps expand accessibility and the potential reach of a particular ransomware strain. This is because many different cybercriminals are using the same ransomware to attack multiple targets as opposed to a single group.

When it comes to the most popular RaaS providers, LockBit is right up there with REvil, Maze, Ryuk and DarkSide. It’s also worth noting that several ransomware gangs including Maze have begun creating their own data leak sites in an attempt to coerce victims into paying their ransom demands. If a victim doesn’t pay up, their data is released publicly and becomes available for other hackers to use in their attacks.

As copyright violation scams have become more prevalent in recent years, it’s worth keeping a close eye on your inbox to avoid falling victim to one yourself.

First off, you should always be hesitant when an email or message tries to instill a sense of urgency and use your emotions against you. If you’re worried about a potential lawsuit for misusing an image on your website or on social media, you’re more likely to click on malicious links or attachments. This is why you should try to keep your cool and carefully read over emails from unknown senders before replying, clicking on links or downloading attachments. Even then though, you should likely avoid clicking on or downloading anything from someone you don’t personally know online.

When it comes to phishing emails and other scams, spelling and grammatical errors can be a major red flag. As many cybercriminals don’t live in English-speaking countries, they are more likely to make common spelling or grammatical mistakes that a native speaker wouldn’t. Likewise, you should also examine the email address as well as the URLs of any links for spelling inaccuracies as this could be an attempt at brand impersonation.

Even if you do happen to misuse copyrighted material on social media, you’re more likely to get a copyright strike first before receiving an email informing you about possible legal action. This means that you’ll get a message on the social media platform from the company itself instead of from the actual copyright holder over email.

Anthony Spadafora

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.