ProLock a new ransomware variant has entered the game in recent months and has infiltrated so many system that the FBI and security firms are issuing stark warnings as it continues to propagate.
It is using weak RDP credentials and phishing campaigns to proliferate — common approaches — but using a range of unique defence evasion techniques. Payload is typically hidden inside a BMP or JPG file.
It was first detected in early March and has been used in ransomware campaigns that are demanding six figure sums. Singapore-based security firm Group-IB has warned in recent days that ProLock has already made an impact as it targets financial, government, healthcare, and retail organizations.
One of the variants most notable attacks was against Diebold Nixdorf: a major ATM provider.
The FBI noted in a flash security alert this week that: “ProLock actors gain initial access to victim networks through phishing emails, Qakbot, improperly configured remote desktop protocol, and stolen login credentials for networks with single-factor authentication.”
The Qakbot mention is a sophisticated piece of malware, it’s essentially a banking Trojan, but it uses a number of tools to hide its tracks while it steals credentials and self-propagates.
(Group-IB notes that ProLock ” checks for the newest version of itself, and replaces the current version with the new one. Executable files are signed with a stolen or fake signature. The initial payload, downloaded by PowerShell, is stored on the server with a PNG extension. What’s more, is that it’s replaced with the legitimate file calc.exe after execution.”)
Groub-IB found in their research that: “Once privileged credentials are obtained, ProLock operators start network discovery activities. They include, but are not limited to, port scanning and Active Directory reconnaissance.”
Once in a system ProLock collects data from the network and then locks all system files as it attaches a ransom note to each.
Consistent Deployment and FBI Warning
As early as March the FBI has been warning that it has received notifications from an array of US organisations that have been the subject of ProLock infections.
In its flash security alert the FBI noted that the ransomware variant ProLock has been used to infect systems belonging to healthcare and retail organisations, as well as government institutions.
Hackers are cashing in on the pandemic and weakened system as Microsoft Threat Protection Intelligence Team noted a significant uptick in attacks at the beginning of April.
That research found that that the initial compromise of these systems happened months ago, indicating that cyber criminals were biding time waiting for the right moment to cash in on compromised systems, they stated that this is “in stark contrast to attacks that deliver ransomware via email—which tend to unfold much faster, with ransomware deployed within an hour of initial entry”.