ProLock ransomware, previously PwndLocker, was released in March of 2020 with advanced capabilities. This evolved ransomware had begun operating in the latter part of 2019 and was primarily responsible for the attack targeting ATM manufacturer Diebold Nixdorf and the US state of Illinois. It first encrypts files with the RSA-2048 algorithm, modifies filenames, and then creates a ransom message. The ransomware then appends the “.proLock” extension to filenames of all encrypted files.
ProLock ransomware operators gain access to hacked networks via the Qakbot (Qbot) info-stealer botnet, which is in turn capable of spreading across networks. Unprotected RDP servers also facilitate the intrusion.
In the past, ProLock has targeted multiple sectors including construction, finance, healthcare, and legal. The malware was also used in attacks aimed at US government agencies and industrial entities. For exfiltration, ProLock operators use a legitimate computer program – Rclone – command-line tool capable of copying and syncing files to and from different cloud storage providers, such as OneDrive, Google Drive, Mega, etc. The executable is always renamed to resemble legitimate system binaries. The operator’s ransom demands range from $175,000 to more than $660,000 worth of Bitcoins (Fig.1).
Microsoft’s task automation and configuration management framework PowerShell is used to extract the binary from a PNG or a JPG file and inject it into the memory. ProLock kills processes from the embedded list and stops services, including security-related ones like CSFalconService, using the net stop command. Then it utilizes the Vssadmin Windows process to remove volume shadow copies and limit their size, to make sure that no new copies are created (fig.2).
Mitre ATT&CK Mapping
|Initial Access||External Remote Services (T1133), Spearphishing Attachment (T1193), Spearphishing Link (T1192)|
|Execution||Powershell (T1086), Scripting (T1064), User Execution (T1204), Windows Management Instrumentation (T1047)|
|Persistence||Registry Run Keys / Startup Folder (T1060), Scheduled Task (T1053), Valid Accounts (T1078)|
|Defense Evasion||Code Signing (T1116), Deobfuscate/Decode Files or Information (T1140), Disabling Security Tools (T1089), File Deletion (T1107), Masquerading (T1036), Process Injection (T1055)|
|Credential Access||Credential Dumping (T1003), Brute Force (T1110), Input Capture (T1056)|
|Discovery||Account Discovery (T1087), Domain Trust Discovery (T1482), File and Directory Discovery (T1083), Network Service Scanning (T1046), Network Share Discovery (T1135), Remote System Discovery (T1018)|
|Lateral Movement||Remote Desktop Protocol (T1076), Remote File Copy (T1105), Windows Admin Shares (T1077)|
|Collection||Data from Local System (T1005), Data from Network Shared Drive (T1039), Data Staged (T1074)|
|Command and Control||Commonly Used Port (T1043), Web Service (T1102)|
|Exfiltration||Data Compressed (T1002), Transfer Data to Cloud Account (T1537)|
|Impact||Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490)|
IOCs / Hashes / URLs
- Create a backup for your most important files, on a regular basis
- Personalize your anti-spam settings
- Patch and update your software and system
- Ensure that your Windows Firewall is turned on and properly configured
- Disable Windows Script Host
- Disable Windows PowerShell, which is a task automation framework
- Disable macros and ActiveX
- Use strong passwords to avoid brute-force attacks
- Block known-malicious IP addresses
- Use proper antivirus, one that does not allow unwanted execution
- Do not click on suspicious links
- Spread awareness about such threats among users