Ongoing LockBit Locker ransomware campaign reported in Spain

Spain's police force has warned architecture firms across the country about an ongoing, highly sophisticated LockBit Locker ransomware campaign, according to BleepingComputer. The National Police of Spain said the attackers send phishing emails purporting to be from a new photography store seeking renovation plans and cost estimates in order to establish rapport with their targets, which later receive an archive with files detailing the renovation's specifics. The archive is a disk image file: opening it in later Windows versions mounts it as a drive letter and shows its contents, which include a folder with Python and batch files and executables, as well as a Windows shortcut that launches a malicious Python script. On compromised devices where the user is an admin, the script establishes persistence and then enables LockBit Locker ransomware execution, while on devices where the user is not an admin, the FodHelper UAC bypass is exploited to deploy the encryptor. BleepingComputer suspects that threat actors leveraging the leaked LockBit 3.0 ransomware builder are behind the campaign.
