Affiliates of the infamous ransomware group LockBit have launched a potentially devastating new weaponized email tactic designed to cause maximum disruption to millions of companies in the US and around the world.
At the end of April this year, researchers at cybersecurity firm Proofpoint began to observe high-volume ransomware campaigns sending out millions of fraudulent emails over a one-week period, facilitated by the Phorpiex botnet. In all cases, email messages purported to come from “Jenny Green” with the email address Jenny@gsd[.]com. These contained an attached ZIP file capable of downloading the LockBit Black ransomware payload from Phorpiex botnet infrastructure.
Proofpoint has observed a cluster of activity using the same “Jenny Green” alias with lures related to “Your Document” delivering Phorpiex malware in email campaigns since at least January 2023. But this is the first time Proofpoint researchers have observed samples of LockBit Black ransomware (aka LockBit 3.0) being delivered via Phorpiex in such high volumes. The LockBit Black ransomware is thought to have been built using the LockBit builder that was leaked on Twitter during the summer of 2023.
Emails targeted multiple verticals across the globe
“The emails targeted organizations in multiple verticals across the globe and appeared to be opportunistic versus specifically targeted. While the attack chain for this campaign was not necessarily complex compared to what has been observed on the cybercrime landscape so far in 2024, the high-volume nature of the messages and use of ransomware as a first-stage payload is notable,” says Proofpoint.
To succeed, the attack chain requires user interaction and starts when an end user executes the compressed executable payload in the attached ZIP file. If successful, the LockBit Black sample is downloaded and detonated on the end user’s system, where it exhibits data theft behavior and seizes the system, encrypting files and terminating services. Proofpoint Threat Research has not attributed this campaign to a known threat actor, as Phorpiex is a basic botnet designed to deliver malware via high-volume email campaigns.
The research evidences the rapid growth of Malware-as-a-Service (MaaS) attacks in 2024. While these attacks may not be as tough to detect as socially engineered spear-phishing attacks aimed at key individuals, MaaS software such as Phorpiex offers even relatively unskilled cyber criminals an unprecedented opportunity to scale up future attacks to target millions of potential victims at a time.
