ProLock, a New Ransomware Variant, Hitting Firms for 6 Figure Sums

Yet another ransomware strain emerges...

By CBR Staff Writer

ProLock, a new ransomware variant, has entered the game in recent months and has infiltrated so many systems that the FBI and security firms are issuing stark warnings as it continues to propagate.

It is using weak RDP credentials and phishing campaigns to proliferate, both common approaches, but it pairs them with a range of unusual defence-evasion techniques. The payload is typically hidden inside a BMP or JPG file.

It was first detected in early March and has been used in ransomware campaigns demanding six-figure sums. Singapore-based security firm Group-IB warned in recent days that ProLock has already made an impact as it targets financial, government, healthcare and retail organisations.

One of the variant's most notable attacks was against Diebold Nixdorf, a major ATM provider.

The FBI noted in a flash security alert this week that: “ProLock actors gain initial access to victim networks through phishing emails, Qakbot, improperly configured remote desktop protocol, and stolen login credentials for networks with single-factor authentication.”

Qakbot, mentioned in that alert, is a sophisticated piece of malware: essentially a banking Trojan, but one that uses a number of tools to hide its tracks while it steals credentials and self-propagates.

Group-IB notes that ProLock “checks for the newest version of itself, and replaces the current version with the new one. Executable files are signed with a stolen or fake signature. The initial payload, downloaded by PowerShell, is stored on the server with a PNG extension. What’s more, is that it’s replaced with the legitimate file calc.exe after execution.”
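The masquerade Group-IB describes, an executable stored under an image extension, is cheap to check for on a file share or download cache: compare what the extension claims with what the first bytes of the file actually are. The script below is an added example written for this page, not code from the article, Group-IB or the FBI; the sample files it scans are constructed in a temporary directory (the file name WinMgr.png is invented for illustration), so it runs offline and touches no real malware.

```python
"""
Added example (not from the article or from Group-IB): triage check for
files whose extension claims an image (PNG/BMP/JPG) but whose bytes start
with a Windows PE header. Sample files are constructed below; no real
malware is involved.
"""
import os
import tempfile
from pathlib import Path

# Magic bytes for the image formats the article says ProLock impersonates.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".bmp": b"BM",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}
PE_MAGIC = b"MZ"  # DOS stub header that begins every Windows PE executable


def classify(path: Path) -> str:
    """Return 'ok', 'pe_masquerade', 'mismatch' or 'skipped' for one file."""
    ext = path.suffix.lower()
    if ext not in IMAGE_MAGIC:
        return "skipped"  # not an image extension, out of scope here
    with path.open("rb") as fh:
        head = fh.read(16)
    if head.startswith(IMAGE_MAGIC[ext]):
        return "ok"
    if head.startswith(PE_MAGIC):
        return "pe_masquerade"  # an executable wearing an image extension
    return "mismatch"  # not an image either; worth a look, lower priority


def scan(root: Path) -> dict:
    """Walk a directory tree and collect image-named files whose contents disagree."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            verdict = classify(p)
            if verdict in ("pe_masquerade", "mismatch"):
                findings[p.relative_to(root).as_posix()] = verdict
    return findings


def build_sample_tree() -> Path:
    """Constructed sample data: a genuine PNG header, a PE stub disguised as
    a PNG (invented name WinMgr.png), a JPG holding arbitrary bytes, and a
    text file that the scanner should ignore."""
    root = Path(tempfile.mkdtemp(prefix="prolock_triage_"))
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (root / "WinMgr.png").write_bytes(b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00")
    (root / "photo.jpg").write_bytes(b"not really a jpeg")
    (root / "notes.txt").write_bytes(b"plain text, ignored")
    return root


def demo() -> dict:
    """Build the sample tree and return the scanner's findings."""
    return scan(build_sample_tree())


if __name__ == "__main__":
    for rel_path, verdict in sorted(demo().items()):
        print(f"{verdict:14} {rel_path}")
```

Point `scan()` at a web server's upload directory or a user's Downloads folder to get the same verdicts on real data. A header check only catches the stored-as-PNG stage, not a stager that has already swapped itself for calc.exe, so treat a hit as a lead for a wider look at PowerShell download activity rather than as a complete answer.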

Group-IB found in its research that: “Once privileged credentials are obtained, ProLock operators start network discovery activities. They include, but are not limited to, port scanning and Active Directory reconnaissance.”

Once inside a network, ProLock collects data from it and then encrypts the victim's files, leaving a ransom note alongside the encrypted data.

Consistent Deployment and FBI Warning

Since as early as March the FBI has been warning that it has received notifications from a range of US organisations that have been the subject of ProLock infections.

In its flash security alert the FBI noted that the ransomware variant ProLock has been used to infect systems belonging to healthcare and retail organisations, as well as government institutions.

Hackers are cashing in on the pandemic and on weakened systems: Microsoft's Threat Protection Intelligence Team noted a significant uptick in attacks at the beginning of April.

That research found that the initial compromise of these systems had happened months earlier, indicating that the criminals were biding their time and waiting for the right moment to cash in on already compromised systems. Microsoft noted that this is “in stark contrast to attacks that deliver ransomware via email—which tend to unfold much faster, with ransomware deployed within an hour of initial entry”.

