FlagThis

The Phorpiex botnet, previously known for spam and cryptocurrency mining, has been observed distributing LockBit Black ransomware, also known as LockBit 3.0. This new attack vector signifies a significant shift in the botnet's operations, now focusing on automated ransomware deployment through compromised websites and phishing emails. The malicious activity begins with phishing emails that contain malicious SCR files. When these files are executed, they establish a connection with a command-and-control server, download the LockBit binary, and execute the ransomware payload to begin file encryption.

Unlike traditional ransomware tactics that involve human operators and attempts at lateral movement within a network, this variant focuses on immediate execution of LockBit, reducing the attack's footprint and making it harder to detect. Phorpiex and LockBit employ various anti-detection strategies, such as deleting URL caches, obfuscating function calls, removing Zone.Identifier metadata, and modifying the Windows registry, all to ensure the ransomware runs automatically. This shift highlights the increasing trend of botnets being used as a tool for ransomware attacks.

ImgSrc: www.cybereason.com

References:

• cyberpress.org - Phorpiex botnet Host on Hacked Website to Launch LockBit Ransomware on Windows - 22d
• securityonline.info - Phorpiex Botnet Now Deploying LockBit Ransomware in Automated Attacks - 22d
• @VirusBulletin - Cybereason's Mahadev Joshi & Masakazu Oku investigate the Phorpiex botnet, which has been used to deliver and execute LockBit Black Ransomware (a.k.a. LockBit 3.0). - 22d
• Blog - Cybereason's Mahadev Joshi & Masakazu Oku investigate the Phorpiex botnet, which has been used to deliver and execute LockBit Black Ransomware (a.k.a. LockBit 3.0). - 22d

Classification:

• HashTags: Ransomware Botnet LockBit
• Company: Phorpiex
• Target: Windows Users
• Attacker: Phorpiex
• Product: LockBit Ransomware
• Feature: Ransomware Delivery
• Type: Ransomware
• Severity: Major