May 15, 2024
Severity
High
Analysis Summary
The recent large-scale LockBit Black ransomware campaign, facilitated through millions of phishing emails sent via the Phorpiex botnet, underscores the evolving threat landscape faced by organizations worldwide.
These malicious emails, often using deceptive subject lines like "your document" or "photo of you???", contain ZIP attachments housing executables that deploy the LockBit Black payload upon opening. The attackers leverage aliases such as "Jenny Brown" or "Jenny Green" and operate from a vast network of over 1,500 unique IP addresses spanning countries like Kazakhstan, Uzbekistan, Iran, Russia, and China.
The attack chain initiates when unsuspecting recipients execute the binary found within the ZIP attachment, triggering the download and execution of the LockBit Black ransomware from the Phorpiex botnet's infrastructure. This ransomware, likely derived from the leaked LockBit 3.0 builder, is designed to encrypt victims' systems, steal sensitive data and disrupt services. Notably, this campaign is distinct from the original LockBit ransomware operation.
A cybersecurity company investigating these attacks since April 24, 2024, has observed unprecedented levels of phishing email activity orchestrated by the Phorpiex botnet, with millions of messages delivered daily to companies across industry verticals globally. The scale of this campaign, in which ransomware is delivered directly as the first-stage payload of a phishing email, marks a departure from the more common staged intrusion, even though it lacks the sophistication of more targeted attacks.
The Phorpiex botnet, known for its longevity and evolution over the past decade, has transitioned from spreading via removable USB storage and instant messenger chats to orchestrating massive email spam campaigns. It has also been associated with crypto theft through clipboard hijacking techniques. Despite periodic attempts to sell its source code on hacking forums, the botnet's operators continue to adapt their tactics demonstrating resilience and innovation in their illicit activities.
To defend against such phishing-driven ransomware attacks, cybersecurity experts recommend implementing robust ransomware risk mitigation strategies. These include deploying endpoint security solutions, employing email filtering mechanisms (such as spam filters) to intercept malicious emails, and enhancing user awareness through training on recognizing and avoiding phishing attempts. These proactive measures are crucial in safeguarding organizations against the escalating threat posed by ransomware campaigns orchestrated through botnet-driven phishing operations.
Impact
- Sensitive Data Theft
- Financial Loss
- File Encryption
Indicators of Compromise
Domain Name
- skypefriends.net
IP
- 193.233.132.177
- 185.215.113.66
MD5
- 141500dd6389ca483b186f7386d16384
- 072738ece84536c5c02e359147667d0c
- ed4450f773e841614bf6404e8fa84663
- fce36aeba1a19c15046f62c399d5f7fa
- 3cab1c01fb6ec90d114870c2fc646fb2
- 7d2446f91581a8134f2384fddd0a0163
SHA-256
- 010b451b099b1631d922f694fd36f2faf370605a56844dd59e40e5c366c924ca
- 0136c34f362d1619b3289fd92cc85c274d5fa06d1ddb181bbda22fe3ebcc0390
- 01924418367ec9aec589746704aab6897b1a0ec0658c982dbde2845e021008e3
- 01cd4320fa28bc47325ccbbce573ed5c5356008ab0dd1f450017e042cb631239
- 028b865d065a8ebb903ca46bbe96c5503eb9f32172d46555108962ab93c0147d
- 02939f0c51c193393cfb3eac02abed1b42e69d54f8103606683e4fc1281d7292
SHA1
- c3f2c197cb24762dc12d084581bf2540aab96b57
- b17464ff64797f4b69fdedaa67aadad3f319dd43
- 27152508510776e14928b4cf9e9931f9e0e1e239
- 76eeca62399de1020b9b434d660ccc84790316c3
- 30a041db4d803b5d2ed17b98c72d951ef8583baa
- b482463c47425a5da5d80d333c74e0513108dcde
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups - In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
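As an added example (not code from this advisory or from the company that investigated the campaign), the Python script below triages a single .eml message for the lure pattern described in the Analysis Summary (the campaign subject lines, the "Jenny Brown"/"Jenny Green" sender aliases, and a ZIP attachment carrying an executable) and checks both the attachment and every archived member against the MD5 and SHA-256 indicators listed above, which is the "search for IOCs" step of the remediation list. The sample message it builds is constructed for illustration only; its placeholder executable is not malware and deliberately matches none of the listed hashes.

```python
"""Triage one RFC 822 message for the Phorpiex/LockBit Black phishing pattern.

Added example, not the advisory's own tooling. Campaign subject lines, sender
aliases and IOC hashes are taken from the advisory text; the sample message and
its attachment are constructed here and are not a real capture.
"""
import email
import email.utils
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Subject lines and sender display names reported for the campaign.
SUSPECT_SUBJECTS = {"your document", "photo of you???"}
SUSPECT_SENDER_NAMES = {"jenny brown", "jenny green"}

# Hashes from the Indicators of Compromise section of the advisory.
IOC_MD5 = {
    "141500dd6389ca483b186f7386d16384", "072738ece84536c5c02e359147667d0c",
    "ed4450f773e841614bf6404e8fa84663", "fce36aeba1a19c15046f62c399d5f7fa",
    "3cab1c01fb6ec90d114870c2fc646fb2", "7d2446f91581a8134f2384fddd0a0163",
}
IOC_SHA256 = {
    "010b451b099b1631d922f694fd36f2faf370605a56844dd59e40e5c366c924ca",
    "0136c34f362d1619b3289fd92cc85c274d5fa06d1ddb181bbda22fe3ebcc0390",
    "01924418367ec9aec589746704aab6897b1a0ec0658c982dbde2845e021008e3",
    "01cd4320fa28bc47325ccbbce573ed5c5356008ab0dd1f450017e042cb631239",
    "028b865d065a8ebb903ca46bbe96c5503eb9f32172d46555108962ab93c0147d",
    "02939f0c51c193393cfb3eac02abed1b42e69d54f8103606683e4fc1281d7292",
}

# Extensions treated as directly executable when found inside a ZIP lure.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def _hashes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def _ioc_hit(h: dict) -> bool:
    return h["sha256"] in IOC_SHA256 or h["md5"] in IOC_MD5


def triage_message(raw: bytes) -> dict:
    """Return lure findings, IOC hash hits and a verdict for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, ioc_hits = [], []

    subject = str(msg["subject"] or "").strip().lower()
    if subject in SUSPECT_SUBJECTS:
        findings.append(f"subject matches campaign lure: {subject!r}")

    sender_name, sender_addr = email.utils.parseaddr(str(msg["from"] or ""))
    if sender_name.strip().lower() in SUSPECT_SENDER_NAMES:
        findings.append(f"sender alias matches campaign: {sender_name!r} <{sender_addr}>")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if _ioc_hit(_hashes(data)):                      # the attachment itself
            ioc_hits.append((name, _hashes(data)["sha256"]))
        if not name.lower().endswith(".zip"):
            continue
        try:
            archive = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            findings.append(f"attachment {name!r} is not a valid ZIP")
            continue
        for member in archive.infolist():                # look inside the archive
            if member.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append(f"ZIP {name!r} contains executable {member.filename!r}")
                member_hashes = _hashes(archive.read(member))
                if _ioc_hit(member_hashes):
                    ioc_hits.append((member.filename, member_hashes["sha256"]))

    verdict = "suspicious" if findings or ioc_hits else "clean"
    return {"findings": findings, "ioc_hits": ioc_hits, "verdict": verdict}


def build_sample_message() -> bytes:
    """Constructed sample shaped like the campaign lure; not a real message."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("your document.exe", b"MZ" + b"\x00" * 62)  # placeholder, not malware
    msg = EmailMessage()
    msg["From"] = "Jenny Green <jenny.green@example.com>"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "your document"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage_message(build_sample_message())["findings"]:
        print(line)
```

Run it against an exported .eml (`triage_message(open("msg.eml", "rb").read())`) or wire it into a mail-gateway quarantine hook. An "ioc_hits" match is a firm indicator; a "findings"-only verdict is a lure-shape match and still warrants detonation or quarantine, since the operators can rotate hashes far faster than subject lines and aliases.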