ProLock: A Ransomware Spreading Actively and Demanding Big Ransoms

ProLock ransomware, a rebranded version of PwndLocker, has been active since March 2020. The attackers behind this ransomware began their activity in late 2019 and rebranded PwndLocker after the discovery of a crypto bug in that malware. The ProLock ransomware was recently spotted targeting networks of big firms and governments asking for huge ransom demands.

Top targets of ProLock

The ProLock ransomware gang chases only target big entities for bigger rewards. Its ransom demands have always remained high, ranging between $175,000 and $1.8 million.
  • In a short span of time, the ransomware gang targeted multiple sectors, including healthcare, government, financial, and retail.
  • A recent version of ProLock was found to contain a list of around 150 software products that the malware tries to spot and kill in memory. This includes several enterprise applications, security software, and backup tools.
  • In May, the ransomware gang hit Diebold Nixdorf, a major automatic teller machine (ATM) provider.

Propagation techniques

  • The ransomware uses weak RDP credentials and phishing campaigns to spread, along with unique defense evasion techniques. Its payload is usually hidden inside a BMP or JPG file.
  • For lateral movement, the ransomware uses the CVE-2019-0859 Windows vulnerability to gain administrator-level access. It uses the MimiKatz tool to pilfer credentials from the compromised system.

Recent Team-up with Qakbot

In May, ProLock teamed up with QakBot Trojan to access victims’ networks. After getting access, the ransomware propagates further inside a compromised network to maximize its infections.

Conclusion

The FBI recently issued the second alert about the threat of ProLock ransomware. Looking at the severity of the threat, organizations should regularly patch their operating system and software to stop the exploitation of any known vulnerability by the ransomware.