
Why ProLock Ransomware is Clear and Present Danger

by CISOCONNECT Bureau

ProLock ransomware is spreading actively and demanding big ransoms. Read on to learn more about it.

ProLock ransomware, a rebranded version of PwndLocker, has been active since March 2020. The attackers behind this ransomware began their activity in late 2019 and rebranded PwndLocker after the discovery of a crypto bug in that malware. The ProLock ransomware was recently spotted targeting networks of big firms and governments asking for huge ransom demands.

ProLock is relatively new, but already the ransomware is making waves by using QakBot infections to access networks, gain persistence and avoid detection.

ProLock ransomware first emerged in March as a successor to another recent malware strain, PwndLocker, and has made its mark targeting financial, healthcare, government and retail organizations. ProLock’s first big attack targeted major ATM provider Diebold Nixdorf at the end of April.

High Value Targets
The ProLock ransomware gang targets only big entities, for bigger rewards. Its ransom demands have always remained high, ranging between $175,000 and $1.8 million. In a short span of time, the ransomware gang has targeted multiple sectors, including healthcare, government, financial, and retail.

A recent version of ProLock was found to contain a list of around 150 software products that the malware tries to spot and kill in memory. This includes several enterprise applications, security software, and backup tools. In May, the ransomware gang hit Diebold Nixdorf, a major automatic teller machine (ATM) provider.

Working Mechanism
The ransomware uses weak RDP credentials and phishing campaigns to spread, along with unique defense evasion techniques. Its payload is usually hidden inside a BMP or JPG file. For lateral movement, the ransomware uses the CVE-2019-0859 Windows vulnerability to gain administrator-level access. It uses the Mimikatz tool to pilfer credentials from the compromised system.
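Because the article notes that the payload is usually hidden inside a BMP or JPG file, a cheap defender-side triage check is to compare the extent of the image that a BMP header declares with the real file length. The example below is added here and is not code from the article; the sample BMP and the appended blob are constructed inline.

```python
import struct

FILE_HEADER = struct.Struct("<2sIHHI")       # magic, file size, reserved x2, pixel offset
INFO_HEADER = struct.Struct("<IiiHHIIiiII")  # BITMAPINFOHEADER, 40 bytes


def inspect_bmp(data: bytes) -> dict:
    """Parse the BMP headers and report how many bytes follow the pixel array.

    trailing_bytes == 0 means the file ends where the image does. A large tail is
    a candidate smuggled blob; a small one may be a legitimate ICC profile that
    BITMAPV4/V5 files store after the pixels, so treat it as a triage signal.
    """
    if len(data) < FILE_HEADER.size + INFO_HEADER.size:
        raise ValueError("too short to be a BMP")
    magic, declared_size, _, _, pixel_offset = FILE_HEADER.unpack_from(data, 0)
    if magic != b"BM":
        raise ValueError("missing BM signature")
    (hdr_size, width, height, _planes, bpp, compression,
     image_size, *_rest) = INFO_HEADER.unpack_from(data, FILE_HEADER.size)
    if hdr_size < INFO_HEADER.size:
        raise ValueError("unsupported DIB header size %d" % hdr_size)
    if compression == 0 and image_size == 0:
        # BI_RGB files may leave biSizeImage at 0; rows are padded to 4 bytes.
        image_size = ((width * bpp + 31) // 32) * 4 * abs(height)
    image_end = pixel_offset + image_size
    return {
        "declared_size": declared_size,
        "actual_size": len(data),
        "trailing_bytes": max(len(data) - image_end, 0),
    }


def build_sample_bmp(width: int, height: int) -> bytes:
    """Construct a minimal 24-bit BI_RGB BMP (constructed sample, not a real file)."""
    image_size = ((width * 24 + 31) // 32) * 4 * height
    pixel_offset = FILE_HEADER.size + INFO_HEADER.size
    file_hdr = FILE_HEADER.pack(b"BM", pixel_offset + image_size, 0, 0, pixel_offset)
    info_hdr = INFO_HEADER.pack(40, width, height, 1, 24, 0, image_size, 2835, 2835, 0, 0)
    return file_hdr + info_hdr + bytes(image_size)  # all-black rows incl. padding


CLEAN_BMP = build_sample_bmp(4, 2)
# Constructed: the same image with an opaque blob glued on after the pixel array.
PADDED_BMP = CLEAN_BMP + b"\xCC" * 300

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_BMP), ("padded", PADDED_BMP)):
        print(name, inspect_bmp(blob))
```

A declared size that disagrees with the actual size is a second signal worth logging alongside the tail length, since an appended blob rarely updates the header.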

In May, ProLock paired up with the QakBot banking trojan to access victims’ networks. After getting access, the ransomware propagates further inside a compromised network to maximize its infections. ProLock’s leveraging of QakBot gives it bolstered persistence, anti-detection and credential-dumping techniques.

ProLock relies on unprotected Remote Desktop Protocol (RDP) servers with weak credentials to infect some victims, a fairly common technique for ransomware operators (including Nefilim, Nemty, Crysis and SamSam). However, researchers said they are more interested in the QakBot infection vector.

Mitigation
Users are advised to disable RDP if it is not in use; where it is required, it should be placed behind a firewall and governed by proper access policies. Install ad blockers to combat exploit kits such as Fallout that are distributed via malicious advertising.

All operating systems and applications should be kept updated on a regular basis. Virtual patching can be considered for protecting legacy systems and networks. This measure hinders cybercriminals from gaining easy access to any system through vulnerabilities in outdated applications and software. Avoid applying updates or patches obtained from unofficial channels.

Concluding Points
The FBI recently issued its second alert about the threat of ProLock ransomware. Given the severity of the threat, organizations should regularly patch their operating systems and software to stop the ransomware from exploiting any known vulnerability.
