LockBit is still active and deploying a huge ransomware campaign, be vigilant


Mélina LOUPIA

May 14, 2024 at 7:02 p.m.


LockBit Black Ransomware Campaign is deployed in several countries around the world © Jaiz Anuar / Shutterstock


The notorious LockBit ransomware group strikes again. Called “LockBit Black Ransomware Campaign”, its new phishing offensive is wreaking havoc by exploiting the Phorpiex botnet to flood mailboxes.

Did you think the LockBit cybercriminals had been neutralized? Not so, despite the identification of the group's mastermind, Dmitry Khoroshev, aka LockBitSupp. New Jersey cybersecurity experts have just sounded the alarm on new tactics deployed by this particularly prolific ransomware gang.

Dubbed “LockBit Black Ransomware Campaign”, this large-scale malicious operation exploits the resources of the Phorpiex botnet, similar to Twizt, known in 2021 for having looted half a million dollars in cryptocurrency.

The technique? Exploiting the LockBit 3.0 botnet to mass-distribute malware disguised as seemingly innocuous ZIP attachments. Once unzipped and opened by the victim, the attachment acts as a Trojan horse that downloads a devastating virus. The damage could be colossal with this new strike from a group that shows no sign of letting up.

LockBit uses the Phorpiex botnet to spread its ransomware campaign

To hit as many targets as possible with a minimum of effort and time, the famous pro-Russian gang spared no resources. It used the Phorpiex botnet to carry out a large-scale email phishing attack. Since April 2024, it has flooded unsuspecting recipients with around 9 million emails containing malicious ZIP attachments.

LockBit’s attack method is simple but effective, as is often the case. The group exploits the LockBit 3.0 botnet to distribute malware that collects data the group can use to carry out its ransomware campaign. Once the target clicks on the attachment, the download of a binary file is triggered.

Security researchers, including those from Proofpoint, analyzed phishing emails associated with this campaign. They observed a multitude of subject lines, including “Your Document,” “Photo of You,” and names like Jenny Brown and Jenny Green. The emails come from more than 1,500 separate addresses around the world, covering regions including China, Russia, Iran, Uzbekistan and Kazakhstan.
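The indicators reported above (ZIP attachments, the quoted subject lines and the sender names) can be turned into a mail triage check. The following Python is an added example, not code from the researchers or from NJCCIC; the extension list, the function names and the sample messages it builds are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines and display names reported in the article for this campaign.
CAMPAIGN_SUBJECTS = {"your document", "photo of you"}
CAMPAIGN_NAMES = {"jenny brown", "jenny green"}
# Assumption: archive entry extensions treated as directly runnable on Windows.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".lnk", ".bat", ".cmd")

def zip_entries(payload: bytes) -> list[str]:
    """List entry names if the content (not the filename) is a ZIP archive."""
    if not payload.startswith(b"PK\x03\x04"):  # ZIP local file header magic
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as archive:
            return archive.namelist()
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]

def triage(raw_message: bytes) -> list[str]:
    """Return the reasons a message deserves quarantine; empty means no match."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip().lower()
    sender = str(msg["From"] or "").lower()
    if subject in CAMPAIGN_SUBJECTS:
        reasons.append("subject matches campaign lure")
    if any(name in sender for name in CAMPAIGN_NAMES):
        reasons.append("sender display name matches campaign")
    for part in msg.iter_attachments():
        entries = zip_entries(part.get_payload(decode=True) or b"")
        if entries:
            reasons.append("ZIP attachment")
        if any(e.lower().endswith(RISKY_EXTENSIONS) for e in entries):
            reasons.append("ZIP contains a directly runnable file")
    return reasons

def build_sample(subject: str, sender: str, entry: str) -> bytes:
    """Constructed sample message carrying a one-file ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(entry, b"constructed placeholder content")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, "user@example.org"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="doc.zip")
    return msg.as_bytes()
```

A ZIP attachment alone is a weak signal; the check is most useful when several reasons are returned for the same message.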

Never open an attachment from an unknown sender © Who is Danny / Shutterstock


Stop being fooled by phishing and ransomware attempts

As is customary, the very official New Jersey State Cybersecurity and Communications Integration Unit (NJCCIC), which was behind the discovery of this new LockBit ransomware campaign, has published cautionary recommendations for its employees, along with training in detecting phishing campaigns. Clubic does the same for its readers, providing them with advice on how to avoid falling victim to a ransom demand after their personal data is stolen.

Be extremely vigilant about the sender of the messages you receive. An unknown email address, or one containing spelling mistakes or suspicious characters, should alert you. Compare it to the official addresses used by the sender in previous communications, if any. If they differ, take a cautious stance. The date and time of sending can also indicate a scam: an email sent at an hour when the sender is not usually active should raise doubts.

The content of the message may also reveal a phishing attempt. Fraudulent emails are often full of spelling mistakes, adopt an unrealistic or insistent tone, and play on emotions to push you to react urgently. Be particularly wary of alarmist messages. Finally, as a precaution, never click on attachments or hypertext links in an email of unknown origin, as these may conceal malicious software that is harmful to your device. Hover over links without clicking to check the redirect URL.


Sources: Proofpoint, Cybersecurity Insiders, NJCCIC
