Since April, millions of phishing emails have been distributed via the Phorpiex botnet as part of a large-scale LockBit Black ransomware campaign. The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) recently warned about this ongoing threat. Attackers are using ZIP attachments containing executables that deploy the LockBit Black payload, which encrypts recipients’ systems upon execution. The campaign leverages the LockBit 3.0 builder, which was leaked in 2022, although the campaign itself is not directly affiliated with the original LockBit ransomware group.
Phishing emails in this campaign often use subject lines like “your document” and “photo of you???” and are sent from aliases such as “Jenny Brown” or “Jenny Green.” These emails originate from over 1,500 unique IP addresses globally, including locations in Kazakhstan, Uzbekistan, Iran, Russia, and China. The attack chain begins when a recipient opens the malicious ZIP archive and executes the binary inside, leading to the download and execution of the LockBit Black ransomware from the Phorpiex botnet infrastructure. The ransomware then attempts to steal sensitive data, terminate services, and encrypt files on the victim’s system.
Proofpoint, a cybersecurity company, has been investigating these attacks since April 24. They reported observing millions of messages facilitated by the Phorpiex botnet, delivering LockBit Black ransomware in high volumes. This approach, while not new, is notable for the sheer scale of emails sent and the use of ransomware as the initial payload. The Phorpiex botnet, also known as Trik, has a long history of malicious activities, including spreading via USB storage and chat applications, delivering sextortion emails, and hijacking cryptocurrency transactions.
To defend against these phishing attacks, NJCCIC recommends implementing ransomware risk mitigation strategies, using endpoint security solutions, and deploying email filtering solutions like spam filters to block potentially malicious messages. Staying vigilant and updating security measures are crucial in mitigating the risks posed by this widespread campaign.
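As an added illustration of the email-filtering recommendation above (this is example code written for this page, not a tool from NJCCIC or Proofpoint), the triage routine below checks a message against the indicators the article reports: the lure subjects, the sender display-name aliases, and a ZIP attachment carrying a Windows executable. The sender address, recipient, and attachment contents are constructed sample data; no real campaign artifacts are embedded.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Indicators as reported for the campaign (subject lines and sender aliases).
LURE_SUBJECTS = {"your document", "photo of you???"}
LURE_DISPLAY_NAMES = {"jenny brown", "jenny green"}
# Common Windows executable extensions; the MZ check below covers renamed files.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def archive_contains_executable(data: bytes) -> bool:
    """Return True if the ZIP bytes hold a member that looks like a Windows executable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS):
                    return True
                # Extension-agnostic check: PE/DOS executables start with "MZ".
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":
                        return True
    except zipfile.BadZipFile:
        # Corrupt or non-ZIP data: not an executable archive by this check.
        return False
    return False


def triage_message(raw: bytes) -> dict:
    """Score a raw RFC 5322 message against the campaign indicators."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []

    subject = (msg["Subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append(f"lure subject: {subject!r}")

    display_name, _addr = parseaddr(str(msg["From"] or ""))
    if display_name.strip().lower() in LURE_DISPLAY_NAMES:
        reasons.append(f"lure sender alias: {display_name!r}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".zip") and archive_contains_executable(payload):
            reasons.append(f"zip attachment with executable: {name!r}")

    # One weak indicator is enough to hold the message for review.
    return {"verdict": "quarantine" if reasons else "deliver", "reasons": reasons}


def make_zip(member_name: str, payload: bytes) -> bytes:
    """Build a small in-memory ZIP archive (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def build_sample(subject: str, display_name: str, zip_bytes: bytes) -> bytes:
    """Assemble a constructed message with a ZIP attachment for testing."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = f"{display_name} <sender@example.invalid>"  # constructed address
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed lure: "MZ" header stands in for an executable, no real payload.
    lure = build_sample("photo of you???", "Jenny Green",
                        make_zip("photo.exe", b"MZ" + b"\x00" * 64))
    benign = build_sample("Q3 report", "Alice Example", make_zip("report.txt", b"hello"))
    print(triage_message(lure))
    print(triage_message(benign))
```

The archive check deliberately reads only the first two bytes of each member rather than extracting it, so a filter can run it on every inbound ZIP cheaply; pairing it with the subject and alias matches keeps a single renamed file from being the only signal.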