Millions of emails containing LockBit ransomware were deployed daily at the end of April with the help of the Phorpiex botnet, Proofpoint researchers revealed Tuesday.
Click for more special coverage
The campaign was the first time researchers had seen Phorpiex used to spread LockBit ransomware at such high volumes. Phorpiex, also known as Trik or Tldr, was believed to comprise more than 1 million Windows computers as of 2019, according to Check Point Research, and is offered as a service to spread phishing and malware-loaded emails.
The LockBit variant used in the recent campaign was LockBit Black, also known as LockBit 3.0, indicating the unidentified threat actor behind the campaign likely sourced it from the LockBit builder that was leaked in 2022.
Facilitated by the botnet’s resources, millions of emails from senders “Jenny Green” or “Jenny Brown” with subject lines such as “Your Document” and “Photo of you???” were deployed in a seemingly opportunistic manner, in the hopes that unsuspecting recipients would open an attached ZIP file containing the malware executable.
“Although not often observed, it’s worth noting that ransomware can still be delivered as a first-stage payload in email threat data. The attack chain is not sophisticated, but the actor does use business relevant content and ‘documents’ as a lure theme to potentially try and blend in with legitimate emails to get an unsuspecting user to interact with the content,” Proofpoint Threat Researcher Selena Larson told SC Media.
The executable contained in the ZIP file makes a callout to Phorpiex, which downloads the LockBit sample, ultimately encrypting the victim’s files and dropping a ransom note, as well as exhibiting “data theft behavior.”
Proofpoint noted that while Phorpiex has been active since around 2011, it only began facilitating ransomware delivery and data exfiltration activities beginning in 2018. Ransomware as a first-stagey payload delivered through emails at high volumes had also not been observed by the researchers prior to 2020.
“This campaign has been particularly notable due to the high volume of messages in the millions per day, volumes not commonly observed on the landscape. The number of messages and cadence associated with recently observed LockBit Black campaigns are at a volume not seen in malspam since Emotet campaigns,” the researchers wrote.
How to combat ransomware spam
While the distribution of ransomware like LockBit directly through email is unusual, this attack method shows the importance of proactive and human-centric security strategies, said Larson. With the leak of the LockBit builder putting dangerous malware in the hands of less sophisticated threat actors, even the lowest complexity attack chains can result in disastrous data loss and breaches.
“The first line of defense against ransomware is ensuring an organization is protected from initial infection. In other words, block the loader and you block the ransomware,” Larson said. “In this campaign, Proofpoint proactively blocked the email threat from hitting our customers’ inboxes.”
Social engineering via email continues to be an effective strategy for bad actors, with Verizon’s 2024 Data Breach Investigations Report (DBIR) revealing that it takes only 21 seconds on average for a user to click on a phishing simulation link. Additionally, KnowBe4’s 2023 Phishing By Industry Benchmarking study found nearly a third (33.2%) of employees fall for phishing simulations.
The simplicity and effectiveness of email phishing campaigns makes distribution of ransomware as a first-stage payload an appealing strategy for opportunistic threat actors, especially with the help of botnet infrastructure like Phorpiex to scale the campaign.
“That’s why proactive protection is critical, and that also includes a robust ransomware prevention plan involving human-centric security, ensuring your employees are trained based on real-world attack techniques. It detects and blocks ransomware and malware downloaders that target your people. It helps you quickly respond and take the necessary action before something goes wrong,” Larson said.
