Security Experts Issue Jenny Green Email Warning For Millions

Security experts working with the Proofpoint threat research team have warned that an email campaign comprising millions of messages a day has been observed delivering LockBit 3.0 ransomware, also known as LockBit Black, directly as its payload. The messages, all purporting to come from a sender called Jenny Green, were facilitated by the Phorpiex botnet and all carry the same ‘Your Document’ subject line.

Millions Of Jenny Green Emails Flag Global Ransomware Campaign

Although using a botnet to distribute emails as part of a malware-as-a-service operation is not unusual, “ransomware as a first-stage payload attached to email threat campaigns is not something Proofpoint has observed in high volumes since before 2020,” Proofpoint’s Sarah Sabotka and Bryan Campbell said. That millions of emails carrying LockBit Black ransomware have been sent from the Jenny Green address, on a global scale, is highly unusual according to the researchers. The sheer daily volume of this ransomware campaign is not commonly observed either, according to Proofpoint.

Analyzing The Jenny Green Emails

The emails, which all come from the same Jenny (at) address, contain a compressed Zip file with an executable that downloads the LockBit Black ransomware from the Phorpiex botnet. The targeting of this campaign appears scattergun and opportunistic, which means anyone could be at risk of finding a dangerous Jenny Green email in their inbox.

Although Proofpoint has observed this botnet being involved with ransomware and data exfiltration activity since 2018, despite law enforcement efforts to disrupt it, the latest LockBit Black campaign started on April 24, 2024. It’s the first time that the researchers have seen this ransomware sample distributed by Phorpiex in such volume.

Using a relatively simple attack chain, which requires user interaction to execute the attached Zip file, LockBit Black is “downloaded and detonated” directly on the end user’s system, encrypting files, exfiltrating data and terminating services. “The number of messages and cadence associated with recently observed LockBit Black campaigns,” the researchers said, “are at a volume not seen in malspam since Emotet campaigns.”

Who Is Behind The Jenny Green Emails?

Proofpoint Threat Research has not been able to attribute the Jenny Green ransomware campaign to any known threat actor. The fact that the Phorpiex botnet is a pretty basic one, designed simply to deliver malware through such high-volume email campaigns, doesn’t help illuminate the matter. Indeed, as a successful malware-as-a-service operation for many years, Phorpiex has what Proofpoint describes as “a large portfolio of threat actor customers.”

What we do know is that a cluster of Jenny Green alias activity has been observed in various email campaigns since January 2023. The LockBit Black ransomware payload doesn’t help narrow it down either, given that it’s a version of LockBit 3.0 that was released in June 2022, with the ransomware builder code leaked via Twitter that September. “The leak allows anyone to adopt the configuration for customized versions,” Proofpoint has said.

Mitigation Advice

If you don’t know anyone called Jenny Green or are not expecting a document from someone called Jenny Green, delete the email upon receipt and certainly do not try to open the attached file. If you do know a Jenny Green, there’s one more warning sign to look out for: Proofpoint says that all the emails are from a Jenny (at) gsd (dot) com address.
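For mail administrators, the indicators described above (the sender address, the Jenny Green display name, the ‘Your Document’ subject and a Zip attachment holding an executable) can be checked on a raw message before delivery. The following is an added example, not code from Proofpoint or from this article; the function names, the list of executable extensions and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators as reported on this page.
SENDER, DISPLAY_NAME, SUBJECT = "jenny@gsd.com", "jenny green", "your document"
# Assumption: the page does not name the executable's type, so common ones are listed.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def zip_has_executable(data: bytes) -> bool:
    """True if the archive lists an executable member, or cannot be read at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(EXEC_EXT) for n in zf.namelist())
    except zipfile.BadZipFile:
        return True  # fail closed on a malformed archive


def match_indicators(raw: bytes) -> list[str]:
    """Return the names of the campaign indicators present in one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    hits = []
    if addr.lower() == SENDER:
        hits.append("sender_address")
    if name.strip().lower() == DISPLAY_NAME:
        hits.append("display_name")
    if str(msg.get("Subject", "")).strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(".zip"):
            if zip_has_executable(part.get_payload(decode=True) or b""):
                hits.append("zip_with_executable")
                break
    return hits


def build_sample(sender: str, subject: str, member: str) -> bytes:
    """Constructed test message: a ZIP attachment holding one inert placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.org", subject
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Document.zip")
    return msg.as_bytes()
```

A gateway rule would typically quarantine on the sender address alone and treat the other matches as supporting signals, since display names and subjects are trivially changed between campaigns.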

