Millions of phishing emails sent through botnet to push LockBit ransomware

An abstract image of a lock against a digital background, denoting cybersecurity.
(Image Credit: TheDigitalArtist / Pixabay) (Image credit: Pixabay)

Hackers are, once again, pushing out the LockBit ransomware, but this time around, some have been spotted using an old and widely available phishing platform called Phorpiex.

Researchers from Proofpoint, who have been observing the campaign since late April 2024, noted an unidentified LockBit affiliate has been using the Phorpiex phishing kit to deliver LockBit Black (also known as LockBit 3.0) to as many endpoints as possible. 

The campaign doesn’t seem to be particularly targeted, or personalized - the attackers are casting a wide net and are just looking at what catches on.

Malicious intent

The campaign also seems to be lacking personalization in terms of the phishing email itself. Proofpoint says all of the emails are going out from the same address - Jenny@gsd[.]com - the same address that was seen in malware campaigns as early as January 2023. In the body of the email, the victim is told to view the document in the attachment, and nothing more. 

The attachment is a .ZIP archive with a .EXE file that, if triggered, drops LockBit 3.0. Interestingly enough, the ransomware locks the device down locally, and does not try to worm itself through any networks. This might limit its encryption potential, but also prevents any network detections and blocks. 

LockBit is a known ransomware-as-a-service, with different versions circulating around the darknet. Among the most popular versions are LockBit 2.0 and LockBit Green. This version, LockBit 3.0 (LockBit Black) was allegedly created in early summer of 2022, by some of the ransomware’s affiliates. 

Earlier this year, a team of international law enforcement agencies engaged in a major campaign that disrupted LockBit’s infrastructure, seized many devices and plenty of cryptocurrencies extorted over the years - but since no arrests were made, LockBit re-emerged roughly a week later. 

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.