LockBit Black ransomware is at the heart of new phishing emails

Computer systems are vulnerable to cyberattack. Image (C) Tim Sandle

A new high-volume malicious code-laden email campaign has been hitting businesses hard in the U.S. The technology firm Cofense Intelligence has been tracking this large-scale phishing campaign, which is being sent through the Phorpiex botnet. The malicious code deploys LockBit Black ransomware.

LockBit ransomware is a malicious software that blocks user access to computer systems in exchange for a ransom payment. The code is self-spreading and the bad actors behind its deployment tend to target those with the ability to pay a large ransom.

Looking into the significance is Dylan Duncan, Cyber Threat Intelligence Analyst at Cofense,.

Duncan begins by assessing the potential origin of the cyber-incident: “While it’s unclear where this version of LockBit originated from, it’s believed to be created from a variant of LockBit that was leaked.”

As to the specifics, Duncan explains: “The campaign utilizes the Phorpiex botnet, also known as Trik, which is a basic botnet but still has the capabilities to disseminate a high volume of emails. In this case, that is exactly how the botnet is being used.”

As to the implications: “Quantity over quality is the best way to describe this campaign as the emails are very simple, sent at high volume, and do not appear to be targeting any specific sector.”

This carries a significant risk to many firms: “Nevertheless, it is always a high-level threat when there is a risk of a ransomware infection and unfortunately this is the case. The emails identified by Cofense have already proven capable of successfully bypassing security infrastructure like spam filters. This is unfortunate given there aren’t any complex tactics, techniques, or procedures (TTPs) involved in the phishing emails.”

Standard defences have not proved to be successful in the latest round. Ducan observes: “The phishing email, used to deliver the LockBit Black ransomware, was found in environments protected by Microsoft APT and TrendMicro.”

Further with the attack mode, Duncan notes: “It delivers a ZIP archive that contains an SCR file, that when run by a user, infects the target with ransomware. The email lure is relatively simple just referencing an attached document and a request for a quick response.”

Recounting these further, Duncan says: “This first batch of emails were all sent from “Jenny Green” which has become quite notorious for this campaign, but it wouldn’t be difficult for the threat actors to change this in future emails.” With this, Ducan strikes a note of caution for the business community.