Query Details

Lock Bit Black Ransomware

Query

// LockBit Black Ransomware (Phorpiex botnet) KQL Detect
// https://www.linkedin.com/posts/activity-7196135968318353408-SN3l/

// Proofpoint has observed Phorpiex botnet sending millions of phishing emails to deliver LockBit Black ransomware beginning April 24, 2024 and continuing daily for about a week. I just checked my Defender and indeed I received 81 of them, but they were all stopped by my antimalware policy (block by file type). You may want to check if you are impacted and whether any slipped through your defenses.

// Security Brief: Millions of Messages Distribute LockBit Black Ransomware
// https://lnkd.in/dAmupJ6n

DefenderXDR KQL:

EmailEvents
| where Timestamp > ago(30d)
| where SenderDisplayName == "Jenny Green"
    or SenderFromAddress == "[email protected]"
    or SenderFromAddress == "[email protected]"
| summarize Count=count() by LatestDeliveryAction

Explanation

This KQL (Kusto Query Language) query is designed to detect potential phishing emails related to the LockBit Black ransomware, which is being distributed by the Phorpiex botnet. Here's a simplified breakdown of the query:

  1. Data Source: The query is looking at EmailEvents, which contains records of email activities.
  2. Time Frame: It filters the events to only include those from the past 30 days (Timestamp > ago(30d)).
  3. Sender Filtering: It specifically looks for emails sent by "Jenny Green" or from the email addresses "[email protected]" or "[email protected]".
  4. Summarization: The query then counts the number of these emails and groups them by their LatestDeliveryAction (e.g., delivered, blocked, etc.).

In essence, this query helps identify if any emails from specific suspicious senders related to the LockBit Black ransomware campaign have been received and what actions were taken on them (e.g., blocked or delivered).
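The same triage logic outside Defender, as an added example that is not part of the original query page: it applies the 30-day window and the sender filter to a few constructed EmailEvents-style rows, summarizes by LatestDeliveryAction, and then lists the recipients whose copy was actually delivered, which is the "did any slip through" check the author recommends. The sender addresses and rows are placeholders constructed for the example; the only indicator taken from the page is the display name.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed reference "now" so the 30-day window is deterministic (constructed).
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)

# Sender indicators: the display name from the query plus two placeholder
# addresses standing in for the campaign addresses the page elides.
CAMPAIGN_DISPLAY_NAMES = {"Jenny Green"}
CAMPAIGN_ADDRESSES = {"sender-a@phish.invalid", "sender-b@phish.invalid"}

# Constructed EmailEvents-like rows, not real telemetry.
SAMPLE_EMAIL_EVENTS = [
    {"Timestamp": "2024-04-25T08:12:00+00:00", "SenderDisplayName": "Jenny Green",
     "SenderFromAddress": "sender-a@phish.invalid",
     "RecipientEmailAddress": "alice@corp.example", "LatestDeliveryAction": "Blocked"},
    {"Timestamp": "2024-04-26T09:40:00+00:00", "SenderDisplayName": "Jenny Green",
     "SenderFromAddress": "sender-b@phish.invalid",
     "RecipientEmailAddress": "bob@corp.example", "LatestDeliveryAction": "Delivered"},
    # Lower-case display name: missed by a case-sensitive == comparison.
    {"Timestamp": "2024-04-26T11:05:00+00:00", "SenderDisplayName": "jenny green",
     "SenderFromAddress": "sender-c@phish.invalid",
     "RecipientEmailAddress": "carol@corp.example", "LatestDeliveryAction": "Delivered"},
    # Older than 30 days: excluded by the time window.
    {"Timestamp": "2024-03-01T07:00:00+00:00", "SenderDisplayName": "Jenny Green",
     "SenderFromAddress": "sender-a@phish.invalid",
     "RecipientEmailAddress": "dave@corp.example", "LatestDeliveryAction": "Blocked"},
    # Unrelated internal mail: no sender match.
    {"Timestamp": "2024-04-27T10:00:00+00:00", "SenderDisplayName": "Payroll",
     "SenderFromAddress": "hr@corp.example",
     "RecipientEmailAddress": "erin@corp.example", "LatestDeliveryAction": "Delivered"},
]


def in_window(row, now=NOW, days=30):
    """Equivalent of `where Timestamp > ago(30d)`."""
    ts = datetime.fromisoformat(row["Timestamp"])
    return ts > now - timedelta(days=days)


def matches_sender(row, case_insensitive=False):
    """Equivalent of the SenderDisplayName / SenderFromAddress `or` clause.

    KQL `==` is case-sensitive on strings; case_insensitive=True mimics `=~`.
    """
    name, addr = row["SenderDisplayName"], row["SenderFromAddress"]
    names, addrs = CAMPAIGN_DISPLAY_NAMES, CAMPAIGN_ADDRESSES
    if case_insensitive:
        name, addr = name.lower(), addr.lower()
        names = {n.lower() for n in names}
        addrs = {a.lower() for a in addrs}
    return name in names or addr in addrs


def hunt(rows, now=NOW, case_insensitive=False):
    """Apply both `where` clauses and return the matching rows."""
    return [r for r in rows if in_window(r, now) and matches_sender(r, case_insensitive)]


def summarize_by_delivery_action(rows):
    """Equivalent of `summarize Count=count() by LatestDeliveryAction`."""
    return dict(Counter(r["LatestDeliveryAction"] for r in rows))


def slipped_through(rows):
    """Recipients whose copy was delivered, i.e. the mailboxes to triage."""
    return sorted(r["RecipientEmailAddress"] for r in rows
                  if r["LatestDeliveryAction"] == "Delivered")


if __name__ == "__main__":
    hits = hunt(SAMPLE_EMAIL_EVENTS)
    print(summarize_by_delivery_action(hits))   # {'Blocked': 1, 'Delivered': 1}
    print(slipped_through(hits))                # ['bob@corp.example']
    # Case-insensitive matching also catches the lower-cased display name.
    print(summarize_by_delivery_action(hunt(SAMPLE_EMAIL_EVENTS, case_insensitive=True)))
```

One caveat the sample rows are built to show: KQL `==` compares strings case-sensitively, so a display name of "jenny green" would not match the query as written; `=~` (or `has`/`contains` on the address) is the case-insensitive form if the campaign varies the casing. The rows that summarize as Delivered are the ones worth following up on, since a blocked message never reached a mailbox.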

Details


Steven Lim

Released: August 2, 2024

Tables

EmailEvents

Keywords

EmailEvents

Operators

ago, >, |, where, ==, or, summarize, count, by
