View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

ProLock, a New Ransomware Variant, Hitting Firms for 6 Figure Sums

Yet another ransomware strain emerges...

By CBR Staff Writer

ProLock a new ransomware variant has entered the game in recent months and has infiltrated so many system that the FBI and security firms are issuing stark warnings as it continues to propagate.

It is using weak RDP credentials and phishing campaigns to proliferate — common approaches — but using a range of unique defence evasion techniques. Payload is typically hidden inside a BMP or JPG file.

It was first detected in early March and has been used in ransomware campaigns that are demanding six figure sums. Singapore-based security firm Group-IB has warned in recent days that ProLock has already made an impact as it targets financial, government, healthcare, and retail organizations.

One of the variants most notable attacks was against Diebold Nixdorf: a major ATM provider.

The FBI noted in a flash security alert this week that: “ProLock actors gain initial access to victim networks through phishing emails, Qakbot, improperly configured remote desktop protocol, and stolen login credentials for networks with single-factor authentication.”

The Qakbot mention is a sophisticated piece of malware, it’s essentially a banking Trojan, but it uses a number of tools to hide its tracks while it steals credentials and self-propagates.

(Group-IB notes that ProLock ” checks for the newest version of itself, and replaces the current version with the new one. Executable files are signed with a stolen or fake signature. The initial payload, downloaded by PowerShell, is stored on the server with a PNG extension. What’s more, is that it’s replaced with the legitimate file calc.exe after execution.”)

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Groub-IB found in their research that: “Once privileged credentials are obtained, ProLock operators start network discovery activities. They include, but are not limited to, port scanning and Active Directory reconnaissance.”

Once in a system ProLock collects data from the network and then locks all system files as it attaches a ransom note to each.

proLockConsistent Deployment and FBI Warning


As early as March the FBI has been warning that it has received notifications from an array of US organisations that have been the subject of ProLock infections.

In its flash security alert the FBI noted that the ransomware variant ProLock has been used to infect systems belonging to healthcare and retail organisations, as well as government institutions.

Hackers are cashing in on the pandemic and weakened system as Microsoft Threat Protection Intelligence Team noted a significant uptick in attacks at the beginning of April.

That research found that that the initial compromise of these systems happened months ago, indicating that cyber criminals were biding time waiting for the right moment to cash in on compromised systems, they stated that this is “in stark contrast to attacks that deliver ransomware via email—which tend to unfold much faster, with ransomware deployed within an hour of initial entry”.

See Also: Hackers Force Supercomputers Offline in Multiple Breaches

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.