ProLock Ransomware Gains Access to Victim Networks via Qakbot Infections

ProLock ransomware, following its predecessor PwndLocker, has been observed demanding ransoms in the six-figure range. And several new enhancements in ProLock indicate that its developers aim to continue its development in the future as well.

What happened

ProLock ransomware, which first emerged in March 2020, has been observed getting enhancements to further sharpen its attacks. ProLock has now paired up with QakBot banking trojan for network intrusion.
  • In May 2020, ProLock operators enhanced it to use two new vectors for initial access. Firstly, it uses QakBot (Qbot), which provides persistence, anti-detection, and credential-dumping capabilities. Secondly, it targets unprotected Remote Desktop Protocol (RDP) servers with weak credentials to infect several victims.
  • In April 2020, the intruders installed the ProLock ransomware on the corporate network of Diebold Nixdorf, a major provider of Automatic Teller Machines (ATMs) and payment technology for banks and retailers.
  • For its attacks, ProLock uses Windows Management Instrumentation Command (WMIC) to run commands on affected hosts and AdFind to query Active Directory in addition to a wide variety of scripts. It also checks for the newest version of itself and replaces the current version with the new one.

What experts say

  • According to a Group-IB report, attackers have already made an impact with ProLock being deployed in intrusions at healthcare organizations, government entities, financial institutions, and retail organizations.
  • The FBI has issued a security alert that even after paying the ransom, ProLock decryptor can potentially corrupt files that are larger than 64MB and may result in file integrity loss of approximately 1 byte/1KB over 100MB.

Connection with PwndLocker Ransomware

Before rebranding itself, the PwndLocker ransomware was highly active in the wild. It aimed at businesses and organizations with high ransom demands. Here is how it evolved into ProLock:
  • In March 2020, PwndLocker had targeted the networks of U.S. cities, enterprises, businesses, and local governments with ransom demands ranging from $175,000 to over $660,000 depending on the size of the network.
  • In the same month, PwndLocker ransomware had hacked servers of the ‘Novi Sad’ city administration, public services in the ‘JKP Informatika’ government agency, and also hundreds of computers at the LaSalle County government offices.
  • In the same month, a weakness was discovered in the PwndLocker ransomware, which allowed Emsisoft to create and release a free decryptor for victims to get their files back without paying the ransom.
  • To keep its business going, PwndLocker ransomware operators fixed a cryptography bug that had allowed the creation of a free decryptor and rebranded itself as the ProLock Ransomware.

Safety first

Users should maintain regular up-to-date backups to avoid damage from ransomware infections. Update systems and software with relevant patches. Employ content scanning and filtering on their mail servers to scan for known threats and block any attachment types that could pose a threat.