Phorpiex Botnet Launches Massive LockBit Black Ransomware Email Campaign

Since April, the Phorpiex botnet has been responsible for sending millions of phishing emails in a widespread LockBit Black ransomware campaign. These emails contain ZIP attachments with an executable file that, once opened, deploys the LockBit Black ransomware, encrypting the recipient’s system.

The LockBit Black encryptor used in this campaign is likely derived from the LockBit 3.0 builder leaked by a disgruntled developer on Twitter in September 2022. Despite this, the campaign is not believed to be connected to the official LockBit ransomware operation.

Phishing emails are sent with subjects like “your document” and “photo of you???” using aliases “Jenny Brown” or “Jenny Green.” These emails originate from over 1,500 unique IP addresses worldwide, including locations in Kazakhstan, Uzbekistan, Iran, Russia, and China.

The attack begins when the recipient opens the malicious ZIP file and runs the executable within. This executable downloads and launches a LockBit Black ransomware sample from the Phorpiex botnet’s infrastructure, leading to data theft, service termination, and file encryption on the victim’s system.

While this method is not new, the sheer volume of emails and the use of ransomware as the initial payload make this campaign notable, despite its lack of sophistication compared to other cyberattacks. Security researchers observed these high-volume campaigns, facilitated by the Phorpiex botnet, delivering LockBit Black ransomware starting April 24, 2024.

The Phorpiex botnet, also known as Trik, has been active for over a decade, evolving from a worm spread through USB storage and chat services into an IRC-controlled trojan utilizing email spam. Over the years, it has grown to control over 1 million infected devices. The botnet’s operators attempted to sell its source code on a hacking forum after shutting down the Phorpiex infrastructure.

In addition to this recent ransomware campaign, Phorpiex has been used to send millions of sextortion emails and deploy a clipboard hijacker module that replaces cryptocurrency wallet addresses with those controlled by attackers. This tactic resulted in the theft of significant amounts of cryptocurrency, including Bitcoin, Ether, and ERC20 tokens.

To prevent falling victim to the Phorpiex botnet’s ransomware campaign, organizations should implement robust email filtering solutions to block phishing emails before they reach users’ inboxes. Endpoint security solutions should be employed to detect and neutralize malicious attachments. Additionally, educating employees about recognizing phishing attempts and maintaining regular software updates can reduce the risk of exploitation.
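As an illustration of the email-filtering step, the following added example (not code from the original article) checks a message for the lure subjects and sender aliases reported above and for a ZIP attachment that contains an executable. The function names, the extension list, and the sample addresses are assumptions; the attachment check is the durable signal, since subjects and aliases are trivial for a sender to change.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Lure strings reported on this page; everything else here is an assumption.
LURE_SUBJECTS = {"your document", "photo of you???"}
LURE_ALIASES = {"jenny brown", "jenny green"}
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")  # assumed extension list


def zip_executables(data):
    """Return names of executable-looking members; flag unreadable archives."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTS)]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]


def inspect_message(raw):
    """Return the list of reasons a message should be quarantined."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if (msg["Subject"] or "").strip().lower() in LURE_SUBJECTS:
        reasons.append("lure-subject")
    display_name, _ = parseaddr(str(msg["From"] or ""))
    if display_name.strip().lower() in LURE_ALIASES:
        reasons.append("lure-alias")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") or part.get_content_type() == "application/zip":
            payload = part.get_payload(decode=True) or b""
            for member in zip_executables(payload):
                reasons.append("zip-executable:" + member)
    return reasons


def build_sample(subject, sender, member_name):
    """Constructed test message: a ZIP holding one harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, "user@example.com"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="document.zip")
    return msg.as_bytes()
```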