What’s Up With ProLock Ransomware?

News on ransomware attacks is not an oddity anymore. We have been facing quite a lot of it during this pandemic season. However, there is something different about ProLock.

The scoop

ProLock is a descendant of the PwndLocker ransomware strain that saw the light of day in 2019. ProLock emerged this year in March and was found to have an unusual way of decrypting files with the decryptor provided to victims.

What’s so unusual about it?

  • In May, a warning was issued by the FBI regarding faulty decryptors received by the victims who had paid the ransom demanded by the attackers.
  • Files smaller than 8,192 bytes are not encrypted while files larger than that are encrypted after the first 8,192 bytes, thereby resulting in partially encrypted files.
  • The ProLock program does not allow debugging, making it difficult for researchers to run it in a controlled manner.

Why do they do it?

  • Monitoring access to the start of each file is an effectual way to spot unauthorized changes.
  • Several file types can be guessed with good accuracy from the first few bytes, so various type-guessing tools only read in a few kilobytes at most to run much faster.
  • To give you a false sense of security.

How do they do it?

  • Some ProLock victims have been infected through scripts run by the QakBot banking trojan.
  • Other methods of intrusion include improperly configured RDP servers, phishing emails, and remote access connections over RDP with stolen credentials.

The takeaway

Ransomware attacks have been creating mayhem in our lives for quite some time now, and ProLock is no different. There are various ways to prevent an organization from getting hit by ransomware. One of the most important steps is to protect remote network access by putting RDP access behind a VPN and using Multi-Factor Authentication (MFA).