Lock Bit Black Ransomware
Query
// LockBit Black Ransomware (Phorpiex botnet) KQL Detect
// https://www.linkedin.com/posts/activity-7196135968318353408-SN3l/
// Proofpoint has observed Phorpiex botnet sending millions of phishing emails to deliver LockBit Black ransomware beginning April 24, 2024 and continuing daily for about a week. I just checked my Defender and indeed I received 81 of them but they were all stop by my antimalware policy block by file type. You may want to check if you are impacted and any slipped through your defense.
// Security Brief: Millions of Messages Distribute LockBit Black Ransomware
// https://lnkd.in/dAmupJ6n
DefenderXDR KQL:
EmailEvents
| where Timestamp > ago(30d)
| where SenderDisplayName == "Jenny Green"
or SenderFromAddress == "[email protected]"
or SenderFromAddress =="[email protected]"
| summarize Count=count() by LatestDeliveryAction
// MITRE ATT&CK Mapping
// Based on the query, the following MITRE ATT&CK techniques are relevant:
// T1566.001 - Phishing: Spearphishing Attachment:
// The query filters emails based on specific sender details, which could be indicative of spearphishing attempts where an attacker uses a known or trusted sender to deliver malicious content.
// T1071.003 - Application Layer Protocol: Mail Protocols:
// The use of email as a communication channel for potential malicious activity aligns with this technique, where attackers use mail protocols to communicate with their targets.
// T1087.002 - Account Discovery: Email Accounts:
// Filtering by specific email addresses can be related to discovering and targeting specific email accounts within an organization.
// T1114 - Email Collection:
// Summarizing email events by delivery action can help in identifying patterns related to email collection activities, where attackers gather information from email communications.Explanation
This query is designed to detect potential phishing emails related to the LockBit Black ransomware, which is distributed via the Phorpiex botnet. Here's a simple breakdown of what the query does:
-
Data Source: It looks at email events from the past 30 days.
-
Filtering Criteria: The query specifically filters emails that have been sent by certain senders, namely "Jenny Green" or from the email addresses "[email protected]" and "[email protected]". These senders are suspected of being involved in phishing attempts.
-
Summarization: It counts the number of emails from these senders and categorizes them based on the latest delivery action (e.g., blocked, delivered, etc.).
-
Purpose: The goal is to identify and analyze emails that might have been part of a phishing campaign to deliver ransomware, helping organizations understand if they have been targeted and if any emails bypassed their defenses.
-
MITRE ATT&CK Techniques: The query is mapped to several MITRE ATT&CK techniques, indicating its relevance to phishing, use of email protocols, targeting specific email accounts, and collecting email information.
Overall, this query helps security teams identify potential threats from specific phishing campaigns and assess their email security measures.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators