Phishing Attack Targeting Companies Worldwide
May 30, 2024
Sergiu Gatlan, writing in BleepingComputer, reports that on May 11, New Jersey’s Cybersecurity and Communications Integration Cell warned of a phishing attack targeting companies worldwide. The attackers use ZIP attachments containing an executable that deploys the LockBit Black payload and encrypts the recipients’ systems. Millions of phishing emails have been sent through the Phorpiex botnet.
The campaign is not believed to have any affiliation with the actual LockBit ransomware operation. The encryptor deployed in these attacks is probably built using the LockBit 3.0 builder that was leaked by a disgruntled developer on Twitter in September 2022.
The emails carry the subject lines “your document” or “photo of you???” and are sent under the aliases “Jenny Brown” or “Jenny Green” from over 1,500 IP addresses in locations including Kazakhstan, Uzbekistan, Iran, Russia, and China. The BleepingComputer article provides a sample email.
The attack begins when the recipient opens the ZIP archive attachment and executes the binary inside. The binary downloads a LockBit Black ransomware sample from the infrastructure of the Phorpiex botnet and executes it on the victim’s system. After launching, the ransomware attempts to steal sensitive data, terminate services, and encrypt files.
Proofpoint, a cybersecurity company, has been investigating the attacks since April 24. It says that the hackers target companies in various industry verticals worldwide. The method isn’t new, or particularly sophisticated, but it is distinguished by the massive number of emails sent to deliver the malicious payloads and ransomware.
“This is the first time Proofpoint researchers have observed samples of LockBit Black ransomware (aka LockBit 3.0) being delivered via Phorpiex in such high volumes,” said the company. Phorpiex’s operators hijacked 969 transactions and stole 3.64 Bitcoin ($172,300), 55.87 Ether ($216,000), and $55,000 worth of ERC20 tokens within a year.
New Jersey’s Cybersecurity and Communications Integration Cell recommends implementing ransomware risk mitigation strategies and using endpoint security solutions and email filtering solutions (like spam filters) to block potentially malicious messages.
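One way to express the email-filtering recommendation above in code, as an added example that is not from the article, NJCCIC, or Proofpoint: a Python check that flags any message whose ZIP attachment contains an executable and records whether the reported subject lines or aliases match. The function names, the list of extensions treated as executable, and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Lure indicators reported on the page for this campaign.
SUBJECTS = {"your document", "photo of you???"}
ALIASES = {"jenny brown", "jenny green"}
# Assumption: which extensions count as "executable" is this example's choice.
EXEC_EXT = (".exe", ".scr", ".com", ".pif")

def zip_executables(data: bytes) -> list:
    """Names of executable members inside a ZIP attachment ([] if unreadable)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []

def score_message(raw: bytes) -> dict:
    """Collect campaign indicators from one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = msg["From"]
    display = sender.addresses[0].display_name if sender and sender.addresses else ""
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK\x03\x04"):  # magic bytes, not filename or MIME type
            hits += zip_executables(payload)
    return {
        "subject_match": (msg["Subject"] or "").strip().lower() in SUBJECTS,
        "alias_match": display.lower() in ALIASES,
        "zip_executables": hits,
        "quarantine": bool(hits),  # structural signal alone; lure text rotates
    }

def build_sample(subject: str, display: str, member: str) -> bytes:
    """Constructed message: a ZIP holding one harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = f"{display} <sender@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="doc.zip")
    return msg.as_bytes()
```

The quarantine decision rests on the attachment structure rather than the subject or alias, since those strings are the easiest part of the campaign to change.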