FBI issued a second flash alert about ProLock ransomware stealing data, four months after the first advisory published by the feds on the same threat.
The FBI has issued the 20200901-001 Private Industry Notification about ProLock ransomware stealing data on September 1st. The fresh alert is the second one related to this threat, the first one (MI-000125-MW Flash Alert) was published on May 4th, 2020.
At the time, Feds warned that the decryptor for the ProLock was not correctly working and using it could definitively destroy the data. The descriptor could corrupt files larger than 64MB during the decryption process.
The human-operated PwndLocker ransomware first appeared in the threat landscape in late 2019, operators’ demands have ranged from $175,000 to more than $660,000 worth of Bitcoin.
According to the FBI, operators behind the threat gain access to hacked networks via the Qakbot (Qbot) trojan, but experts from Group-IB added that they also target unprotected Remote Desktop Protocol (RDP)-servers with weak credentials. It is still unclear if the ProLock ransomware was managed by the Qakbot gang, or if the ProLock operators pay to gain access to hosts infected with Qakbot to deliver their malware.
“ProLock operators used two main vectors of initial access: QakBot (Qbot) and unprotected Remote Desktop Protocol (RDP)-servers with weak credentials.” reads a report published by Group-IB.
“The latter is a fairly common technique among ransomware operators. This kind of access is usually bought from a third party but may be obtained by group members as well.”
In March, threat actors behind PwndLocker changed the name of their malware to ProLock, immediately after security firm Emsisoft released a free decryptor tool.
The ProLock ransomware was employed in attacks against organizations worldwide from multiple sectors including construction, finance, healthcare, and legal. The malware was also used in attacks aimed at US government agencies and industrial entities.
The ransomware operators used to upload the stolen data to cloud storage platforms, including OneDrive, Google Drive, and Mega. Threat actors employed the Rclone cloud storage sync command-line tool.
The FBI is recommending victims of ransomware attacks to avoid paying the ransom to decrypt their files and immediately report attacks to the authorities.
The FBI also provides recommendations to mitigate the risks associated with ransomware attacks, such as periodically back up the data to an off-line backup system, keep any software up to date, disable unused RDP accesses, use of two-factor authentication (2FA) wherever possible.