Millions of Messages Disseminate LockBit Black Ransomware

What happened 

Beginning April 24, 2024 and continuing daily for about a week, Proofpoint observed high-volume campaigns with millions of messages facilitated by the Phorpiex botnet and delivering LockBit Black ransomware. This is the first time Proofpoint researchers have observed samples of LockBit Black ransomware (aka LockBit 3.0) being delivered via Phorphiex in such high volumes. The LockBit Black sample from this campaign was likely built from the LockBit builder that was leaked during the summer of 2023.  

Messages were from “Jenny Green” with the email address of Jenny@gsd[.]com. The emails contained an attached ZIP file with an executable (.exe). This executable was observed downloading the LockBit Black payload from Phorpiex botnet infrastructure.  

From: “Jenny Green” jenny@gsd[.]com 
Subject: Your Document 
Attachment: Document.zip 

Example message from ”Jenny Green.” 

The emails targeted organizations in multiple verticals across the globe and appeared to be opportunistic versus specifically targeted. While the attack chain for this campaign was not necessarily complex in comparison to what has been observed on the cybercrime landscape so far in 2024, the high-volume nature of the messages and use of ransomware as a first-stage payload is notable.  

The attack chain requires user interaction and starts when an end user executes the compressed executable in the attached ZIP file. The .exe binary will initiate a network callout to Phorphiex botnet infrastructure. If successful, the LockBit Black sample is downloaded and detonated on the end user’s system where it exhibits data theft behavior and seizes the system, encrypting files and terminating services. In an earlier campaign, the ransomware was directly executed, and no network activity was observed, preventing network detections or blocks. 

LockBit Black sample ransom note. 

Attribution 

Proofpoint Threat Research has not attributed this campaign to a known threat actor. Phorpiex is a basic botnet designed to deliver malware via high-volume email campaigns. It operates as a Malware-as-a-Service and has garnered a large portfolio of threat actor customers over more than a decade of operation (earlier versions were first observed on the threat landscape circa 2011). Since 2018, the botnet has been observed conducting data exfiltration and ransomware delivery activities. Despite disruption efforts throughout the years, the botnet persists.  

Proofpoint has observed a cluster of activity using the same “Jenny Green” alias with lures related to “Your Document” delivering Phorpiex malware in email campaigns since at least January 2023.  

LockBit Black (aka LockBit 3.0) is a version of LockBit ransomware that was officially released with upgraded capabilities by the ransomware affiliates in June 2022. In September 2022, the confidential ransomware builder was leaked via Twitter. At the time, multiple parties claimed attribution, but LockBit affiliates claimed the builder was leaked by a disgruntled developer. The leak allows anyone to adopt the configuration for customized versions.  

Why it matters 

Ransomware as a first-stage payload attached to email threat campaigns is not something Proofpoint has observed in high volumes since before 2020, so the observation of a LockBit Black sample in email threat data on this global scale is highly unusual. Additionally, this campaign has been particularly notable due to the high volume of messages in the millions per day, volumes not commonly observed on the landscape. The number of messages and cadence associated with recently observed LockBit Black campaigns are at a volume not seen in malspam since Emotet campaigns. 

The LockBit Black builder has provided threat actors with access to proprietary and sophisticated ransomware. The combination of this with the longstanding Phorpiex botnet amplifies the scale of such threat campaigns and increases chances of successful ransomware attacks. This campaign is another good example of how the threat landscape continues to change, underscored by recurring and significant shifts and pivots in the tactics, techniques, and procedures (TTPs) used by threat actors.  

Example Emerging Threat (ET) signatures 

  • 2022050     ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 
  • 2022051     ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 
  • 2016141     ET INFO Executable Download from dotted-quad Host 
  • 2853272     ETPRO MALWARE Win32/Phorpiex Bot Executable Payload Inbound 
  • 2848295     ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 

Sample indicators of compromise

Indicator Description First Seen 
Jenny Green <Jenny@gsd[.]com> Sender address 2023-2024 
Jenny Brown <JennyBrown3422@gmail[.]com> Sender address 2024-04- 29 
Photo of you??? Subject 2024-04-29 
Your Document Subject 2023- 2024  
01cd4320fa28bc47325ccbbce573ed5c5356008ab0dd1f450017e042cb631239 SHA256 
Document.doc.scr 
2024-04-29 
7bf7dfc7534aec7b5ca71d147205d2b8a3ce113e5254bb342d9f9b69828cf8ee SHA256 
Document.zip 
2024-04-29 
ddbc4908272a1d0f339b58627a6795a7daff257470741474cc9203b9a9a56cd6 SHA256 
Document.doc.scr 
2024-04-29 
6de82310a1fa8ad70d37304df3002d25552db7c2e077331bf468dc32b01ac133 SHA256 
Document.zip 
2024-04-24 
86e17aa882c690ede284f3e445439dfe589d8f36e31cbc09d102305499d5c498 SHA256 
Document.doc.scr 
2024-04-24 
13916d6b1fddb42f3146b641d37f3a69b491f183146e310aa972dd469e3417bf SHA256 
Document.zip 
2024-04-24 
062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1 SHA256 
Document.doc.scr 
2024-04-25 
1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2 SHA256 
Document.doc.scr 
2024-04-25 
dec445c2434579d456ac0ae1468a60f1bad9f5de6c72b88e52c28f88e6a4f6d0 SHA256 
Document.doc.scr 
2024-04-25 
263a597dc2155f65423edcee57ac56eb7229bdf56109915f7cb52c8120d03efb SHA256 
PIC0502024.jpg.scr 
2024-04-29 
a18a6bacc0d8b1dd4544cdf1e178a98a36b575b5be8b307c27c65455b1307616 SHA256 
lbb.exe 
2024-04-29 
0cc54ffd005b4d3d048e72f6d66bcc1ac5a7a511ab9ecf59dc1d2ece72c69e85 SHA256 
Document.doc.scr 
2024-04-29 
f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4 SHA256 
Document.doc.scr 
2024-04-26 
874d3f892c299a623746d6b0669298375af4bd0ea02f52ac424c579e57ab48fd SHA256 
Document.zip 
2024-04-26 
185.215.113[.]66 Payload Delivery IP 2023-2024 
193.233.132[.]177 Payload Delivery IP 2024-04-29 

Source: Original Post