Since April, millions of phishing emails have been sent through the Phorpiex botnet to conduct a large-scale LockBit Black ransomware campaign.
As New Jersey's Cybersecurity and Communications Integration Cell warned on Friday, the attackers use ZIP attachments containing an executable that deploys the LockBit Black payload, which encrypts the recipients' systems if launched.
The LockBit Black encryptor deployed in these attacks is likely built using the LockBit 3.0 builder leaked by a disgruntled developer on Twitter in September 2022.
This campaign is not believed to have any affiliation with the actual LockBit ransomware operation.
The attack chain begins when the recipient opens the malicious ZIP archive attachment and executes the binary inside.
This executable then downloads a LockBit Black ransomware sample from the infrastructure of the Phorphiex botnet and executes it on the victim's system.
It will attempt to steal sensitive data, terminate services, and encrypt files.
Cybersecurity company Proofpoint, which has been investigating these spray-and-pray attacks since April 24, said on Monday that the threat actors target companies in various industry verticals worldwide.
Although this approach is not new, the massive number of emails sent to deliver the malicious payloads and ransomware being used as a first-stage payload make it stand out even though it lacks the sophistication of other cyberattacks.
The Phorpiex botnet has been active for over a decade.
It evolved from a worm that spread via removable USB storage and Skype or Windows Live Messenger chats into an IRC-controlled trojan that used email spam delivery.
While it slowly grew to a massive size, controlling over 1 million infected devices after years of activity and development, the botnet's operators tried selling the malware's source code on a hacking forum after shutting down the Phorpiex infrastructure.
The Phorpiex botnet has also been used to deliver millions of sextortion emails and, more recently, used a clipboard hijacker module to replace cryptocurrency wallet addresses copied to the Windows clipboard with attacker-controlled ones.
Within a year after adding crypto-clipping support, Phorpiex's operators hijacked 969 transactions and stole 3.64 Bitcoin, 55.87 Ether, and $55,000 worth of ERC20 tokens.
To defend against phishing attacks that push ransomware, NJCCIC recommends implementing ransomware risk mitigation strategies and using endpoint security solutions and email filtering solutions to block potentially malicious messages.
CISA: Black Basta ransomware breached over 500 orgs worldwide.
Ascension redirects ambulances after suspected ransomware attack.
Ohio Lottery ransomware attack impacts over 538,000 individuals.
University System of Georgia: 800K exposed in 2023 MOVEit attack.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 13 May 2024 19:20:05 +0000