What is ProLock?
Discovered by PeterM, ProLock is a rebranded version of the PwndLocker ransomware. It encrypts files using RSA-2048, renames them, and drops a ransom note. ProLock appends one of the extensions ".proLock", ".pr0Lock" or ".proL0ck" to the name of every encrypted file.
Research shows that the extension is sometimes appended several times, which may indicate that the same file was encrypted more than once. The ransom note is written to a file named "[HOW TO RECOVER FILES].txt" in each folder that contains encrypted data.
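The file-system artifacts above (the three extension spellings, stacked one or more times, and the per-folder ransom note) are enough for a quick triage sweep of a share. The following is an added example written for this page, not code from the original post or from any vendor report; it builds a constructed directory tree that imitates a ProLock-hit share (the file names are invented), then walks it and reports each encrypted file with the number of stacked extensions, plus every ransom note it finds. The match is case-sensitive on purpose, because the variant spellings differ only in letter/digit substitutions.

```python
import os
import re
import shutil
import tempfile
from collections import Counter

# ProLock artifacts named on the page: the three extension spellings
# (appended one or more times) and the ransom-note file name.
PROLOCK_EXTS = (".proLock", ".pr0Lock", ".proL0ck")
RANSOM_NOTE = "[HOW TO RECOVER FILES].txt"

# One or more ProLock extensions, in any mix of spellings, at the end of a name.
_EXT_RE = re.compile(r"(?:\.(?:proLock|pr0Lock|proL0ck))+$")


def prolock_extension_count(name: str) -> int:
    """Return how many ProLock extensions are stacked on the end of `name` (0 if none)."""
    m = _EXT_RE.search(name)
    if not m:
        return 0
    # Each stacked extension contributes exactly one dot to the matched suffix.
    return m.group(0).count(".")


def scan_tree(root: str) -> dict:
    """Walk `root`; return encrypted files (path -> extension depth) and ransom-note paths."""
    encrypted = {}
    notes = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if fn == RANSOM_NOTE:
                notes.append(path)
                continue
            depth = prolock_extension_count(fn)
            if depth:
                encrypted[path] = depth
    return {
        "encrypted": encrypted,
        "notes": notes,
        # How many files were hit once, twice, three times ...
        "depth_histogram": Counter(encrypted.values()),
    }


def build_sample_tree() -> str:
    """Create a constructed (not real) directory tree imitating a ProLock-hit share."""
    root = tempfile.mkdtemp(prefix="prolock_demo_")
    layout = {
        "finance/q1.xlsx.proLock": b"encrypted-1",
        "finance/q2.xlsx.proLock.proLock": b"encrypted-2",
        "hr/contracts.docx.pr0Lock": b"encrypted-1",
        "hr/photo.jpg.proL0ck.pr0Lock.proL0ck": b"encrypted-3",
        "hr/readme.txt": b"clean",
        "hr/notes.prolock": b"wrong case: not a ProLock extension",
        "finance/[HOW TO RECOVER FILES].txt": b"ransom note",
        "hr/[HOW TO RECOVER FILES].txt": b"ransom note",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def demo_scan() -> dict:
    """Build the constructed sample tree, scan it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = demo_scan()
    for path, depth in sorted(result["encrypted"].items()):
        print(f"{depth}x  {path}")
    print(f"{len(result['notes'])} ransom note(s), depth histogram: {dict(result['depth_histogram'])}")
```

Point `scan_tree()` at a real mount to triage it; a depth histogram with entries above 1 is the "encrypted several times" pattern the research describes.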
In 2020 the FBI issued a flash alert about ProLock, which had been deployed in intrusions at healthcare organizations, government entities, financial institutions, and retail organizations.
According to the FBI, the ProLock group gains entry to victim networks via the Qakbot (Qbot) trojan.
Intrusion, lateral movement and data exfiltration usually include a manual component: a human operator interacts with the compromised systems, locally available tools, and installed malware to obtain the access they need. The security vendor Group-IB published a detailed post covering many of these aspects.
The FBI and Group-IB state that the initial intrusion was usually performed through:
- Phishing emails
- Poorly configured remote desktop protocol (RDP) access
- Stolen login credentials
ProLock operators used two main initial-access vectors: QakBot (Qbot) and Internet-exposed Remote Desktop Protocol (RDP) servers with weak credentials.
The latter is a common technique among ransomware operators. Such access is usually bought from a third party (an initial access broker), but group members may also obtain it themselves.
The ProLock decryptor does not work as promised. The FBI reported: "The decryption key or 'decryptor' provided by the attackers upon paying the ransom has not routinely executed correctly".
The FBI adds that the decryptor may need to be modified before it works, which costs victims additional downtime, and warns that "The decryptor can potentially corrupt files that are larger than 64MB and may result in file integrity loss of approximately 1 byte per 1KB over 100MB." Any file restored with the attackers' tool, and large files in particular, should therefore be integrity-checked before it is trusted.
A few months later the FBI issued a second flash alert about ProLock, this time focused on data theft.
The operators uploaded stolen data to cloud storage services, including OneDrive, Google Drive, and Mega, using the Rclone command-line cloud storage sync tool.
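Rclone leaves a recognisable footprint in process-creation telemetry (Sysmon Event ID 1 or Windows Security event 4688): a data-moving subcommand such as `copy` or `sync`, a destination written as `remote:path`, and rclone-specific flags such as `--transfers`, `--bwlimit` or `--config`. The following is an added example written for this page, not code from the original post or from the FBI/Group-IB reports. It runs simple detection logic over constructed sample events (hosts, users, paths and timestamps are invented, and the pipe-delimited line format is an assumption standing in for whatever your SIEM exports). It generalises slightly beyond the page by also catching an rclone binary that has been renamed to something innocuous, which is recognised from the command-line shape rather than the image name.

```python
import re
import shlex
from typing import Optional

# Constructed sample process-creation events (not from a real incident), one per line:
# timestamp|host|user|image path|command line
SAMPLE_EVENTS = r"""2020-09-01T02:14:07Z|FS01|CORP\svc_backup|C:\Windows\Temp\rclone.exe|rclone.exe copy "D:\Shares\Finance" mega:finance --transfers 8 --bwlimit 5M -q
2020-09-01T02:20:41Z|FS01|CORP\svc_backup|C:\Windows\Temp\svchost.exe|svchost.exe sync "D:\Shares\HR" remote:hr -P --config C:\Windows\Temp\r.conf
2020-09-01T08:00:03Z|WS12|CORP\jdoe|C:\Program Files\rclone\rclone.exe|rclone.exe ls gdrive:
2020-09-01T08:05:00Z|WS12|CORP\jdoe|C:\Windows\System32\robocopy.exe|robocopy.exe D:\data E:\backup /MIR
2020-09-01T09:11:22Z|FS01|CORP\svc_backup|C:\Windows\Temp\rclone.exe|rclone.exe config show"""

# rclone subcommands that move data between a local path and a remote.
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# Flags that are characteristic of rclone; used to spot a renamed binary.
RCLONE_FLAGS = {"--config", "--transfers", "--bwlimit", "--no-check-certificate", "-P", "--progress", "-q"}
# Substrings suggesting one of the services named in the FBI alert. Remote names are chosen
# by the operator in rclone.conf, so this is only a hint, never a requirement.
CLOUD_HINTS = ("mega", "onedrive", "gdrive", "drive", "google")

# An rclone remote looks like `name:` or `name:path`. Two or more leading characters are
# required so that Windows drive letters (D:\...) do not match, and `://` is excluded so URLs do not.
_REMOTE_RE = re.compile(r'^"?([A-Za-z][A-Za-z0-9_-]+):(?!//)')


def parse_event(line: str) -> dict:
    """Split one pipe-delimited event line into its fields (assumed export format)."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"timestamp": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def remote_name(token: str) -> Optional[str]:
    """Return the remote name if `token` is an rclone remote reference, else None."""
    m = _REMOTE_RE.match(token)
    return m.group(1).lower() if m else None


def classify(event: dict) -> Optional[dict]:
    """Return a finding for rclone-like activity in one event, or None if it is uninteresting."""
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    # Non-POSIX mode keeps Windows backslashes intact and quoted paths as single tokens.
    tokens = shlex.split(event["cmdline"], posix=False)
    args = tokens[1:]
    flags = {t.split("=", 1)[0] for t in args if t.startswith("-")}
    positionals = [t for t in args if not t.startswith("-")]
    verb = positionals[0].lower() if positionals else ""
    remotes = [r for r in (remote_name(t) for t in positionals[1:]) if r]

    named_rclone = image_name == "rclone.exe"
    # A renamed binary still gives itself away by rclone flags plus a remote target.
    if not named_rclone and not (flags & RCLONE_FLAGS and remotes):
        return None

    if verb in RCLONE_TRANSFER_VERBS and remotes:
        severity, reason = "high", "data transfer to rclone remote"
    elif remotes:
        severity, reason = "medium", "rclone remote access"
    else:
        severity, reason = "low", "rclone executed"
    if not named_rclone:
        reason += " (renamed binary)"

    return {
        "timestamp": event["timestamp"],
        "host": event["host"],
        "user": event["user"],
        "image": event["image"],
        "verb": verb,
        "remotes": remotes,
        "cloud_remotes": [r for r in remotes if any(h in r for h in CLOUD_HINTS)],
        "severity": severity,
        "reason": reason,
    }


def scan_events(text: str) -> list:
    """Run classify() over every non-empty line and return the findings in log order."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            finding = classify(parse_event(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['timestamp']} {f['host']} {f['user']}: {f['reason']} "
              f"verb={f['verb']} remotes={f['remotes']}")
```

Two of the five constructed events are high-severity transfers (one from a binary renamed to svchost.exe), the `ls gdrive:` enumeration is medium, the `config show` run is low, and the robocopy job produces nothing. In production, pair this with a rule on new files named rclone.conf and with egress monitoring for the storage providers named above, since a remote name like `remote:` says nothing about where the data went.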
The FBI recommended that ProLock victims not pay the ransom to decrypt their files, and instead notify the authorities when attacked. Its other recommendations:
- Back up data regularly to offline storage, and verify that the backups can be restored when needed
- Educate employees about phishing: treat mail from unknown senders, and any attachments it carries, with caution
- Use two-factor authentication wherever possible
- Avoid password reuse, and never use the account name (or a trivial variation of it) as the password
- Keep the operating system and third-party software up to date
- Paying the ransom gives no guarantee of getting anything in return; report the incident to the authorities instead
Indicators of Compromise (IOCs)
- Vhash: 01403f7d0d1bza!z
- Authentihash: e3fbb2acbd59496981553d9d906b342d8aeaa6c80aabdb62b020f90ae559cace
Organizations should make sure these IOCs are blocked and monitored on their security devices in order to contain the threat.