Campaign Overview
The latest ransomware campaign attributed to the Global Group ransomware gang distributes malicious Windows shortcut (.lnk) files. The campaign follows a similar IBM‑detected operation that delivered the Aware ransomware variant.
Threat actors use the Phorpiex botnet (also known as Trik) to deliver the payloads, a technique that has been observed in campaigns dating back to 2017.
Technical Details of .lnk Exploitation
.lnk files are Windows shortcuts. When a user opens one, Windows launches the shortcut's target, which can be an interpreter such as cmd.exe or PowerShell, and passes it the command-line arguments stored inside the file, so a malicious shortcut can run commands without ever dropping a visible installer.
Key technical characteristics of the current campaign include:
- Use of the previously disclosed CVE‑2025‑9491 vulnerability, which was patched in summer 2025.
- Capability to run entirely offline, allowing infection of air‑gapped systems.
- Embedded anti-virtualization and anti-analysis checks, plus termination of database-related processes to release file locks before encryption.
- Reliance on the Phorpiex botnet for distribution and command‑and‑control.
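The shortcut mechanics described above, as an added example that is not part of the original article: a small Python triage parser for the MS-SHLLINK layout that pulls the target path, arguments and window mode out of a .lnk and flags the hidden-interpreter pattern that endpoint tooling watches for. The sample shortcut bytes are constructed here as a test fixture, not taken from the campaign, and the heuristics are assumptions, not any product's rules.

```python
import struct

LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # name, relpath, workdir, args, icon
INTERPRETERS = ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe")
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the console window out of view

def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the five StringData fields of a Shell Link blob."""
    if data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    flags, show_cmd = struct.unpack_from("<I", data, 20)[0], struct.unpack_from("<I", data, 60)[0]
    pos = 76                                    # fixed ShellLinkHeader size
    if flags & HAS_IDLIST:                      # skip LinkTargetIDList (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                    # skip LinkInfo (its size field counts itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = []
    for flag in STRING_FLAGS:                   # StringData entries appear in this fixed order
        text = ""
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            text = data[pos + 2:pos + 2 + count * width].decode(enc)
            pos += 2 + count * width
        fields.append(text)
    return dict(zip(("name", "relative_path", "working_dir", "arguments", "icon"), fields), show_command=show_cmd)

def triage_flags(info: dict) -> list:
    """Heuristic leads, not verdicts: the Start Menu's own PowerShell shortcut also targets powershell.exe."""
    hits = []
    if info["relative_path"].lower().endswith(INTERPRETERS):
        hits.append("target-is-interpreter")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("window-hidden")
    if "hidden" in info["arguments"].lower() or len(info["arguments"]) > 200:
        hits.append("hidden-or-oversized-arguments")
    return hits

def utf16_entry(s: str) -> bytes:
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")  # CountCharacters + UTF-16LE text

# Constructed test artifact, not a captured sample: minimal Unicode .lnk with
# LinkFlags = HasRelativePath | HasArguments | IsUnicode and a never-shown window.
SAMPLE_LNK = (
    LNK_MAGIC + struct.pack("<II", 0x08 | 0x20 | 0x80, 0x20)  # LinkFlags, FileAttributes
    + bytes(24) + struct.pack("<IIIH", 0, 0, SW_SHOWMINNOACTIVE, 0) + bytes(10)  # times, size, icon, ShowCommand, HotKey, Reserved
    + utf16_entry(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
    + utf16_entry("-WindowStyle Hidden -NoProfile -Command Write-Output triage-test")
)
```

A real pipeline would also read LinkInfo's LocalBasePath and the ExtraData blocks, since a shortcut can omit the relative path and carry its target there.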
Mitigation Strategies
Defending against this and similar ransomware threats requires a layered security approach:
- Patch Management: Ensure all systems are updated, especially applying the fix for CVE‑2025‑9491.
- Endpoint Protection: Deploy solutions that can detect and block malicious .lnk execution and PowerShell abuse.
- Network Segmentation: Isolate critical assets to limit ransomware spread, even in offline environments.
- Security Awareness Training: Educate users to avoid opening unexpected shortcut attachments; move beyond compliance‑only training to a culture‑focused program.
- Incident Response Planning: Maintain up‑to‑date backups and a tested recovery process to reduce downtime after an attack.