Hackers are once again pushing out LockBit ransomware, but this time, some have been found to be using an old and widely available phishing platform called Phorpiex.
Proofpoint researchers, who have been observing the campaign since late April 2024, noted that an unidentified LockBit affiliate has been using the Phorpiex phishing kit to deliver LockBit Black (also known as LockBit 3.0) to as many endpoints as possible.
The campaign does not appear to be particularly targeted or personalized: the attackers are casting a wide net and simply seeing what succeeds.
Bad intentions
The campaign also appears to lack personalization in terms of the phishing email itself. Proofpoint says that all emails come from the same address: Jenny@gsd[.]com – the same address seen in malware campaigns as early as January 2023. In the body of the email, the victim is asked to view the attached document and nothing else.
The attachment is a .ZIP file containing an .EXE file that, if run, drops LockBit 3.0. Interestingly, the ransomware locks the device locally and does not attempt to spread through any networks. This could limit its encryption potential, but could also let it avoid network detections and blocks.
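For mail defenders, the two traits described above (a fixed sender address and a ZIP attachment carrying an EXE) can be checked at the gateway. The following Python sketch is an added example, not code from Proofpoint or from the campaign; the function names, the suffix list, and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Sender address reported on this page, kept defanged in source and refanged for matching.
REPORTED_SENDER = "jenny@gsd[.]com".replace("[.]", ".")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif")  # assumption: extend per local policy


def zip_executables(data: bytes) -> list[str]:
    """Return names of executable-looking members inside a ZIP archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return [n for n in archive.namelist() if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return []  # not a readable ZIP; leave it to other controls


def triage(raw_message: bytes) -> dict:
    """Flag the two traits described above: the fixed sender and a ZIP carrying an EXE."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Check magic bytes rather than trusting the filename or MIME type.
        if payload.startswith(b"PK\x03\x04"):
            hits += [f"{part.get_filename()}:{name}" for name in zip_executables(payload)]
    return {
        "sender_match": sender == REPORTED_SENDER,
        "zip_executables": hits,
        "quarantine": bool(hits),
    }


def build_sample(sender: str, member_name: str) -> bytes:
    """Constructed test message: a ZIP attachment holding one harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.test", "Constructed sample"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="sample.zip")
    return msg.as_bytes()
```

The quarantine decision keys on the archive contents rather than the sender, since a sender address is trivial for an attacker to change.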
LockBit is a well-known ransomware-as-a-service operation, with different versions circulating on the dark web. Among the most popular versions are LockBit 2.0 and LockBit Green. This version, LockBit 3.0 (LockBit Black), was supposedly created in early summer 2022 by some of the ransomware's affiliates.
Earlier this year, a team of international law enforcement agencies engaged in a major campaign that disrupted LockBit's infrastructure, confiscating many devices and many cryptocurrencies extorted over the years, but since no arrests were made, LockBit resurfaced about a week later.