Apache ActiveMQ Exploit Leads to LockBit Ransomware - The DFIR Report

Key Takeaways An audio version of this report can be found on Spotify, Apple, YouTube, Audible, & Amazon.  This intrusion began in mid-February 2024 after a threat actor exploited a vulnerability (CVE-2023-46604) on an exposed Apache ActiveMQ server. The threat actor was able to perform remote code execution (RCE) by using a Java Spring class and a custom Java Spring […]

The DFIR Report

Proofpoint researchers have flagged a LockBit Black ransomware campaign with message volume and delivery cadence not seen in malspam since Emotet.

Security brief: https://ow.ly/IcP550RELRF

The unusually high volume campaign was observed sending millions of emails facilitated by the Phorpiex botnet.

We have not attributed this campaign to a known threat actor. #LockBitBlack (aka LockBit 3.0) is based on the LockBit ransomware builder leaked in September 2022, which allows anyone to adopt the #LockBit configuration for customized versions.

The messages, which were sent for about a week beginning April 24, 2024, were from “Jenny Green” Jenny@gsd[.]com and contained an attached ZIP file with an executable (.exe).

If the LockBit Black sample is detonated on the end user’s system, it exhibits data theft behavior and seizes the system, encrypting files and terminating services.

This is a prime example of the recurring and significant shifts in the tactics, techniques, and procedures (TTPs) used by threat actors in today's evolving threat landscape.

Read the full security brief for more campaign details, ET Sigs and IOCs.

Security Brief: Millions of Messages Distribute LockBit Black Ransomware | Proofpoint US

What happened  Beginning April 24, 2024 and continuing daily for about a week, Proofpoint observed high-volume campaigns with millions of messages facilitated by the Phorpiex botnet and delivering...

Proofpoint
The evidence I have on the #cyberattaque with #ransomware against the André Mignot hospital of the CH de Versailles suggests that the attacker deployed #LockBitBlack... but is not affiliated with the franchise for all that.
https://www.lemagit.fr/actualites/252528032/Cyberattaque-au-centre-hospitalier-de-Versailles-la-piste-dun-usurpateur-de-LockBit
Cyberattack at the Versailles hospital center: the trail of a LockBit impersonator

The LockBit 3.0 ransomware, known as "Black", appears to have been used against the André-Mignot hospital in Le Chesnay-Rocquencourt, but without the knowledge of the franchise of the same name. The attack was reportedly detected by an EDR, but unfortunately not blocked.

LeMagIT.fr