Hackers are once again spreading the LockBit ransomware, but this time some have been spotted using an old and widely available phishing platform called Phorpiex.
Proofpoint researchers, who have been observing the campaign since late April 2024, noted that an unidentified LockBit partner has used the Phorpiex phishing kit to deliver LockBit Black (aka LockBit 3.0) to as many endpoints as possible.
The campaign doesn’t seem particularly targeted or personalized: the attackers are casting a wide net and seeing what sticks.
Bad intention
The phishing email itself also shows no sign of personalization. Proofpoint says all emails come from the same address, Jenny@gsd(.)com, which was also seen in malware campaigns as early as January 2023. The body of the email simply tells the victim to view the attached document, and nothing more.
The attachment is a .ZIP archive containing an .EXE file that, when run, drops LockBit 3.0. Interestingly, the ransomware encrypts the device locally and does not attempt to spread itself across the network. This can limit the encryption potential, but it also avoids network-based detections and blocks.
LockBit is a well-known ransomware-as-a-service, with several versions circulating on the darknet. The most popular versions include LockBit 2.0 and LockBit Green. This version, LockBit 3.0 (LockBit Black), is said to have been created in early summer 2022 by some of the ransomware’s affiliates.
Earlier this year, a team of international law enforcement agencies took part in a major operation that disrupted LockBit’s infrastructure and seized many devices and cryptocurrency extorted over the years, but since no arrests were made, LockBit resurfaced about a week later.