Botnet Sent Millions of Emails in LockBit Black Ransomware Campaign

New Jersey's Cybersecurity and Communications Integration Cell (NJCCIC) disclosed that it uncovered a new LockBit campaign where actors are sending millions of phishing emails with the help of the Phorpiex botnet to infect potential victims with LockBit Black, an encryptor that was likely built using the LockBit 3.0 builder that was leaked by a disgruntled developer on Twitter in September 2022. According to NJCCIC, phishing emails with "your document" and "photo of you???" subject lines are being sent using "Jenny Brown" or "Jenny Green" aliases. Over 1,500 unique IP addresses have been observed sending these emails, which originate from Kazakhstan, Uzbekistan, Iran, Russia, China, and other countries. These emails typically contain ZIP attachments which include a malicious executable designed to deploy the LockBit Black payload and encrypt files on the targeted system.

Security Officer Comments:
The latest campaign doesn’t seem to be targeted and is not believed to have any affiliation with the actual LockBit ransomware operation. Rather, less sophisticated actors are using the leaked LockBit builder to deploy their own encryptor in attacks. Since April 2024, researchers at Proofpoint have observed a high volume of campaigns with millions of messages facilitated by the Phorpiex botnet to deliver LockBit Black ransomware. By sending emails to the masses, these actors are hoping that some victims will fall for the lure and click on the ZIP attachment, in turn initiating the infection.

Suggested Corrections:
To defend against phishing attacks that push ransomware, NJCCIC recommends implementing ransomware risk mitigation strategies and using endpoint security solutions and email filtering solutions (like spam filters) to block potentially malicious messages.