May 13, 2024 at 03:22PM
A new large-scale LockBit Black ransomware campaign has been sending millions of phishing emails since April, utilizing the Phorpiex botnet. The campaign uses ZIP attachments containing an executable deploying the LockBit Black payload to encrypt systems. The phishing emails originate from various aliases and are sent from over 1,500 unique IP addresses worldwide. Defenses against such attacks are recommended by the NJCCIC.
Following the meeting notes, the takeaways are as follows:
1. A new large-scale LockBit Black ransomware campaign has been sending millions of phishing emails via the Phorpiex botnet, with attackers using ZIP attachments containing an executable to deploy the LockBit Black payload, which encrypts recipients’ systems upon launch.
2. The LockBit Black encryptor deployed in these attacks is likely built using the LockBit 3.0 builder leaked by a disgruntled developer on Twitter in September 2022, although this campaign is not believed to have any affiliation with the actual LockBit ransomware operation.
3. These phishing emails with “your document” and “photo of you???” subject lines are being sent using “Jenny Brown” or “Jenny Green” aliases from over 1,500 unique IP addresses worldwide, including Kazakhstan, Uzbekistan, Iran, Russia, and China.
4. The attack chain begins when the recipient opens the malicious ZIP archive attachment and executes the binary inside, which then downloads a LockBit Black ransomware sample from the infrastructure of the Phorphiex botnet and executes it on the victim’s system, attempting to steal sensitive data, terminate services, and encrypt files.
5. Proofpoint has been investigating these spray-and-pray attacks since April 24, observing high-volume campaigns with millions of messages facilitated by the Phorpiex botnet and delivering LockBit Black ransomware.
6. The Phorpiex botnet, also known as Trik, has been active for over a decade and has evolved from a worm to an IRC-controlled trojan that recently incorporated a clipboard hijacker module to replace cryptocurrency wallet addresses with attacker-controlled ones.
7. To defend against phishing attacks pushing ransomware, NJCCIC recommends implementing ransomware risk mitigation strategies and using endpoint security solutions and email filtering solutions to block potentially malicious messages.
These takeaways will provide a clear overview of the key points discussed in the meeting.