LockBit Ransomware Uses Resume Word Files to Spread

LockBit Ransomware Uses Resume Word Files to Spread

An ASEC investigation has uncovered the latest tactics employed by the notorious LockBit ransomware. Under the guise of “post-paid pentesters,” the ransomware now adopts the strategy of appearing as harmless summaries within Word documents. Interestingly, this tactic echoes its historical modus operandi. This shrewd approach enables the ransomware to discreetly infiltrate systems without detection.


The LockBit ransomware, renowned for its destructive effects, is now being distributed through Word files camouflaged as resumes. This method, initially identified in 2022, has since evolved into a widespread tactic for disseminating this particular ransomware.

The main strategy entails the incorporation of malicious macros within Word documents. Upon opening these documents, the embedded macros initiate the download of supplementary code from external URLs, leading to the execution of the LockBit ransomware. Notably, the filenames of these malicious Word files often mimic common names or phrases associated with job applications.

Here is a list of Word file names that were identified as spreading malware:

  1. [[[231227_Yang**]]].docx
  2. 231227_Lee**.docx
  3. 231227Yu**,docx
  4. Kim**.docx
  5. SeonWoo**.docx
  6. Working meticulously! A leader in communication!.docx
  7. Candidate with a kind attitude and a big smile.docx
  8. I will work with an enthusiastic attitude.docx

Upon opening any of these Word files, the document establishes a connection to an external URL, downloading another document that harbors a malicious macro. Upon execution of this macro, it initiates the deployment of the LockBit ransomware through PowerShell commands.

The downloaded document files encompass obfuscated macro code, reminiscent of VBA macro cases identified in 2022. Ultimately, the execution of PowerShell is employed to download and run the LockBit ransomware.

Upon completing the encryption process, the ransomware modifies the desktop to display a notification visible to the user. Additionally, the ransomware generates a ransom note in every folder, conveying that all data within the system has been encrypted and pilfered. The user is subsequently threatened with the potential public exposure of the data on the Internet if they decline to pay the ransom.


Security professionals are recommended to blacklist the following IP addresses associated with LockBit 3.0 ransomware:

  1. hxxps://viviendas8[.]com/bb/qhrx1h.dotm
  2. hxxps://learndash.825testsites[.]com/b/fgi5k8.dotm
  3. hxxps://neverlandserver.nn[.]pe/b/ck0zcn.dotm

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!