Expert On Phorpiex Botnet Spreading A New Ransomware Campaign Via Phishing Emails

We have detected a small number of threats in our customers’ environments that we believe are related to the Phorpiex botnet. However, it certainly was not the second most prevalent threat—or even a prevalent threat at all—in the environments we monitored in June. This disparity is probably the result of our different perspectives into the threat landscape. We have a deep level of visibility into our customers’ endpoints, so we only see Phorpiex or Avaddon activity after it starts interacting with a computer or a server in one of our customers’ environments. By contrast, Check Point offers and manages many products that operate at the network level. An email security or firewall product, for example, might observe and block activity emanating from the Phorpiex botnet before it ever touches a traditional endpoint. In other words, Check Point is able to obtain evidence of attempted infections in places where an endpoint security solution simply will not look. While we haven’t seen this particular botnet delivering this specific strain of ransomware in high volumes, we do see a lot of threats leveraging fundamentally similar techniques to achieve initial access. Phorpiex sends out spam email messages containing malicious .zip files. If a user unzips one of these malicious attachments, the ransomware payload will then begin the process of encrypting files on the affected endpoint. If an email filter, firewall, or other preventive control fails to block a malicious email attachment emanating from Phorpiex or any other botnet for that matter, then it is incumbent on the recipient of that email to recognize it as suspicious and not open it. However, if you’re taking a defense-in-depth approach to security, then you’ll have had a number of opportunities to block this threat before it reaches an employee endpoint or to prevent it from successfully executing. Further, if you’ve got broad detective controls and you’ve followed best practices around backing up the endpoints in your environment, then you should be able to limit the impact of a ransomware infection even if an employee accidentally opens a malicious attachment.  Read Less

Educating users is one way to help stop these types of attacks but, as we too often see, users will always be the weakest link in any organisation's security posture. Too often these type of malware and phishing attacks breach defences, so what organisations really need is the ability to proactively detect and respond to abnormal user behaviour in a fast and scalable way, thus removing the human element completely. Furthermore, as we see more advanced malware, it is critical to give security teams the visibility into the user behaviour to quickly spot what isn’t 'normal’ and take steps to remediate this type of attack before it causes real harm to the organisation.  Read Less