Expert On Phorpiex Botnet Spreading A New Ransomware Campaign Via Phishing Emails

By   ISBuzz Team
Writer , Information Security Buzz | Jul 15, 2020 02:55 am PST

It has been reported that a notorious botnet campaign activity has increased over the past months via phishing emails. The cybersecurity expert provides an insight below.

Notify of
2 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Jeff Felling
Jeff Felling , Principal Intelligence Analyst
July 16, 2020 8:18 pm

We have detected a small number of threats in our customers’ environments that we believe are related to the Phorpiex botnet. However, it certainly was not the second most prevalent threat—or even a prevalent threat at all—in the environments we monitored in June.

This disparity is probably the result of our different perspectives into the threat landscape. We have a deep level of visibility into our customers’ endpoints, so we only see Phorpiex or Avaddon activity after it starts interacting with a computer or a server in one of our customers’ environments. By contrast, Check Point offers and manages many products that operate at the network level. An email security or firewall product, for example, might observe and block activity emanating from the Phorpiex botnet before it ever touches a traditional endpoint. In other words, Check Point is able to obtain evidence of attempted infections in places where an endpoint security solution simply will not look.

While we haven’t seen this particular botnet delivering this specific strain of ransomware in high volumes, we do see a lot of threats leveraging fundamentally similar techniques to achieve initial access. Phorpiex sends out spam email messages containing malicious .zip files. If a user unzips one of these malicious attachments, the ransomware payload will then begin the process of encrypting files on the affected endpoint. If an email filter, firewall, or other preventive control fails to block a malicious email attachment emanating from Phorpiex or any other botnet for that matter, then it is incumbent on the recipient of that email to recognize it as suspicious and not open it.

However, if you’re taking a defense-in-depth approach to security, then you’ll have had a number of opportunities to block this threat before it reaches an employee endpoint or to prevent it from successfully executing. Further, if you’ve got broad detective controls and you’ve followed best practices around backing up the endpoints in your environment, then you should be able to limit the impact of a ransomware infection even if an employee accidentally opens a malicious attachment.

Last edited 3 years ago by Jeff Felling
Dan Panesar
Dan Panesar , Director UK & Ireland
July 15, 2020 11:03 am

Educating users is one way to help stop these types of attacks but, as we too often see, users will always be the weakest link in any organisation\’s security posture. Too often these type of malware and phishing attacks breach defences, so what organisations really need is the ability to proactively detect and respond to abnormal user behaviour in a fast and scalable way, thus removing the human element completely. Furthermore, as we see more advanced malware, it is critical to give security teams the visibility into the user behaviour to quickly spot what isn’t \’normal’ and take steps to remediate this type of attack before it causes real harm to the organisation.

Last edited 3 years ago by Dan Panesar

Recent Posts

Would love your thoughts, please comment.x