New LockBit Campaign Found

Scams

May 9, 2024

The NJCCIC’s email security solution detected a new LockBit campaign dubbed LockBit Black. This campaign was also reported to the NJCCIC via incident reports and observed by information-sharing and analysis centers. The emails in this campaign contain malicious ZIP attachments and were seen using the same sender email addresses, “JennyBrown3422[@]gmail[.]com” and “Jenny[@]gsd[.]com.”

The ZIP attachment contains a compressed executable payload that, if executed, will encrypt the operating system with LockBit Black ransomware. Observed instances associated with this campaign were accompanied by the Phorpiex (Trik) botnet, which delivered the ransomware payload. Over 1,500 unique sending IP addresses were identified, many of which were geolocated to Kazakhstan, Uzbekistan, Iran, Russia, China, and other countries. Identified IPs hosting LockBit executables were 193[.]233[.]132[.]177 and 185[.]215[.]113[.]66. Subject lines included “your document” and “photo of you???”. All associated emails were blocked or quarantined.

Recommendations

  • Participate in security awareness training to provide a strong line of defense and identify red flags in potentially malicious communications.
  • Use strong, unique passwords and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes.
  • Keep systems up to date and apply patches after appropriate testing.
  • Install endpoint security solutions to help protect against malware.
  • Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior.
  • Implement email filtering solutions, such as spam filters, to help block messages. The New Jersey Email Authorization & Authentication Set Up PDF and the Sender Policy Framework – SPF Guide NJCCIC products provide information on establishing DMARC authentication.
  • Ransomware mitigation techniques and recommendations are available in the Ransomware: The Current Threat Landscape and the Ransomware: Risk Mitigation Strategies NJCCIC products.
  • Phishing emails and other malicious cyber activity can be reported to the FBI’s IC3 and the NJCCIC.