Proofpoint tracked a week-long, high-volume malspam campaign using the Phorpiex botnet to deliver LockBit Black ransomware. The messages impersonated “Jenny Green” and included ZIP attachments that download the ransomware payload from Phorpiex, marking a rare large-scale use of ransomware as an initial payload.
Key points
- Massive malspam campaign delivering LockBit Black (LockBit 3.0) as a first-stage payload via the Phorpiex botnet.
- Emails contained an attached ZIP file with an executable (.exe) that downloads the ransomware payload.
- Campaigns targeted organizations across multiple verticals globally in an opportunistic rather than highly targeted fashion.
- Execution requires user interaction; the end user running the executable triggers the attack chain.
- The .exe initiates a network callout to Phorpiex infrastructure to download and detonate the LockBit Black sample on the host.
- Not attributed to a known threat actor; Phorpiex has a long history as a Malware-as-a-Service botnet used for ransomware delivery.
- LockBit Black (3.0) was built from a leaked ransomware builder, enabling customized versions.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – high-volume emails delivering a ZIP with an executable to download the ransomware. “The emails contained an attached ZIP file with an executable (.exe).”
- [T1105] Ingress Tool Transfer – the .exe binary will initiate a network callout to Phorpiex botnet infrastructure. “The .exe binary will initiate a network callout to Phorpiex botnet infrastructure.”
- [T1204.002] User Execution – the attack chain requires user interaction and starts when an end user executes the compressed executable in the attached ZIP file. “requires user interaction and starts when an end user executes the compressed executable in the attached ZIP file.”
- [T1486] Data Encrypted for Impact – after download, the sample encrypts files and terminates services. “encrypting files and terminating services.”
- [T1041] Exfiltration – the campaign exhibits data theft behavior, indicating data exfiltration activities. “exhibits data theft behavior and seizes the system.”
Indicators of Compromise
- [Email Address] Sender addresses – Jenny Green, Jenny Brown, and other sender addresses observed
- [Subject] Message subjects – “Your Document” and “Photo of you???”
- [File Name] Payload-related files – Document.zip, Document.doc.scr, and lbb.exe (and other payload files)
- [SHA256] File hashes – 01cd4320fa28bc47325ccbbce573ed5c5356008ab0dd1f450017e042cb631239, 7bf7dfc7534aec7b5ca71d147205d2b8a3ce113e5254bb342d9f9b69828cf8ee (and other hashes)
- [IP Address] Payload Delivery IPs – 185.215.113[.]66, 193.233.132[.]177 (and other delivery IPs)
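The attack chain in the key points (ZIP attachment, executable inside it, user execution, callout to Phorpiex delivery IPs) and the indicator list above map directly onto two defender checks: inspect inbound ZIP attachments for executables and known names or hashes, and scan proxy logs for connections to the listed payload-delivery IPs. The script below is an added example written for this page, not Proofpoint's tooling. It uses the subjects, file names, hashes and defanged IPs exactly as published here; the mail message and proxy log lines it runs against are constructed for the example, and the ZIP member is a harmless stand-in rather than the real sample, so the hash check is exercised but does not match.

```python
import hashlib
import io
import re
import zipfile

# Indicators as listed in the report (defanged IPs kept as published).
IOC_SHA256 = {
    "01cd4320fa28bc47325ccbbce573ed5c5356008ab0dd1f450017e042cb631239",
    "7bf7dfc7534aec7b5ca71d147205d2b8a3ce113e5254bb342d9f9b69828cf8ee",
}
IOC_IPS_DEFANGED = {"185.215.113[.]66", "193.233.132[.]177"}
IOC_SUBJECTS = {"Your Document", "Photo of you???"}
IOC_FILENAMES = {"Document.zip", "Document.doc.scr", "lbb.exe"}

# Extensions Windows runs directly when a user double-clicks them.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
# "Document.doc.scr"-style names: a document extension followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(doc|docx|pdf|xls|xlsx|jpg|png)\.(exe|scr|com|pif)$", re.I)


def refang(ip: str) -> str:
    """Turn a defanged indicator (185.215.113[.]66) back into a matchable IP."""
    return ip.replace("[.]", ".")


def inspect_zip_attachment(name: str, data: bytes) -> list:
    """Return a list of findings for one ZIP attachment given as raw bytes."""
    findings = []
    if name in IOC_FILENAMES:
        findings.append(f"attachment name matches IoC: {name}")
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append(f"attachment {name} is not a valid ZIP")
        return findings
    for info in archive.infolist():
        member = info.filename
        digest = hashlib.sha256(archive.read(info)).hexdigest()
        if member.lower().endswith(EXECUTABLE_EXTS):
            findings.append(f"executable inside ZIP: {member}")
        if DOUBLE_EXT.search(member):
            findings.append(f"double extension disguises executable: {member}")
        if member in IOC_FILENAMES:
            findings.append(f"member name matches IoC: {member}")
        if digest in IOC_SHA256:
            findings.append(f"SHA256 matches IoC: {member} {digest}")
    return findings


def inspect_message(subject: str, attachments: list) -> list:
    """Check one message: subject IoC plus the contents of every ZIP attachment."""
    findings = []
    if subject in IOC_SUBJECTS:
        findings.append(f"subject matches IoC: {subject!r}")
    for name, data in attachments:
        if name.lower().endswith(".zip"):
            findings.extend(inspect_zip_attachment(name, data))
    return findings


def find_ioc_connections(log_lines: list) -> list:
    """Return (line, ip) pairs for proxy lines that contact a listed payload-delivery IP."""
    # Anchor on non-digit/non-dot boundaries so 193.233.132.17 does not match ...177.
    patterns = {ip: re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
                for ip in map(refang, IOC_IPS_DEFANGED)}
    hits = []
    for line in log_lines:
        for ip, pat in patterns.items():
            if pat.search(line):
                hits.append((line, ip))
    return hits


def build_sample_message():
    """Constructed sample: Document.zip holding Document.doc.scr (a harmless stand-in, not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Document.doc.scr", b"MZ" + b"\x00" * 64)  # constructed bytes
    return "Your Document", [("Document.zip", buf.getvalue())]


# Constructed proxy log lines (not from the report); only the second reaches a listed delivery IP.
SAMPLE_PROXY_LOG = [
    "src=10.0.0.5 dst=203.0.113.10 method=GET uri=/index.html",
    "src=10.0.0.7 dst=193.233.132.177 method=GET uri=/lbb.exe",
    "src=10.0.0.9 dst=193.233.132.17 method=GET uri=/update",
]

if __name__ == "__main__":
    for finding in inspect_message(*build_sample_message()):
        print("mail:", finding)
    for line, ip in find_ioc_connections(SAMPLE_PROXY_LOG):
        print("proxy:", ip, "<-", line)
```

The executable and double-extension checks are the durable part: hashes and delivery IPs rotate between campaigns, but a ZIP that carries a `.scr` named to look like a document is the same lure regardless of which Phorpiex node serves the payload, which is why the example flags structure first and exact indicators second.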