Those who keep tabs on ransomware are no doubt aware of the Black Basta ransomware group. They’ve gained their share of notoriety since some of the group’s malicious code was first detected back in April of 2022.

No one wants to get coal in their stocking, but it does happen. Unfortunately, your stocking is a computer, and bad guys are delivering the coal in the form of Ransomware.

Phorpiex as a malware family has been around for several years and hasn't changed much in purpose, functionality, or code from the older samples we discovered. The primary goal is Phorpiex is to spread emails, either with or without attached files and attempt to brute force SMTP credentials.

In early April of 2018 we noticed a spike in malicious activity, sourced mostly from the Asias and delivered via SMTP. This post covers our exploration of the campaign and the eventual realization that it is responsible for distributing a mix of garden variety malware, including GandCrab ransomware.

Unfortunately, it appears that ransomware authors are now starting to employ the use of Microsoft Office DDE malware carriers. This post will likely be our last on DDE dissection and covers the delivery of Vortex ransomware, seemingly targeted towards Poland. You can continue this research path using our hunt rule: (Microsoft_Office_DDE_Command_Execution.rule) on Virus Total Intelligence (VTI).