Many hackers saw the COVID-19 pandemic as the perfect opportunity to target an already overloaded healthcare sector. ProLock ransomware is another threat added to the list.
The FBI issued a warning earlier this month to alert organizations to the new threat actor, saying its targets in the USA include entities in the following areas: healthcare, government, finance and retail.
The FBI does not encourage you to comply with any hacker's demands. This would only increase their confidence in continuing such attacks.
With ProLock, the decryptor does not work properly and data will be lost: files larger than 64MB may be corrupted during the decryption process.
Losing 1 byte per 1KB is possible with files over 100MB, and extra work may be required for the decryptor to work properly. This issue increases an organization's downtime even if it complies with the hacker's demands.
The malware launched as PwndLocker in late 2019 and made a name for itself by targeting businesses and local governments, adjusting the ransom demand to the size of the compromised network.
After a bug that allowed free decryption was fixed, PwndLocker reappeared as ProLock in March and its activity began to escalate.
According to a recent report by cybersecurity firm Group-IB, ProLock partnered with the QakBot banking trojan to gain access to victims' networks. This probably contributed to the rise of this ransomware.
The trojan does not install the ransomware itself, but runs a script that lets the hackers enter the victim's network so they can map it and move laterally. The ransomware payload is extracted from a BMP or JPG file named WinMgr and loaded into memory.
Like other ransomware operators, ProLock spends little time on the victim's network looking for high-value systems and important data to steal. The information is exfiltrated using Rclone, a command-line tool for synchronizing files with various cloud storage services.
The ransom demand that follows encryption comes with the threat that the victim's data will be published on public websites and social media unless payment is made for decryption.
Other initial access methods include misconfigured Remote Desktop Protocol (RDP). On networks with single-factor authentication, the hackers use stolen login credentials.
Once inside, ProLock operators make sure they leave no option for recovering files without paying. If backups and shadow copies are found, they are either deleted or encrypted.
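The two behaviours described above, Rclone pushing data to a cloud remote and shadow copies being deleted, are visible in process-creation telemetry. The following is an added example of detection logic (not code from the article or from Group-IB) run over constructed sample events; the `host|user|parent|cmdline` line format, the host names and the commands are assumptions made for the example.

```python
import re

# Constructed sample process-creation events (not real telemetry), each as
# "host|user|parent_image|command_line". Events 2 and 3 mirror the ProLock
# pattern: Rclone copying a folder to a cloud remote, then shadow copy deletion.
SAMPLE_EVENTS = [
    "fs01|jdoe|explorer.exe|C:\\Windows\\System32\\notepad.exe notes.txt",
    "fs01|svc_backup|cmd.exe|C:\\Temp\\rclone.exe copy D:\\Finance mega:exfil --transfers 8",
    "fs01|svc_backup|cmd.exe|vssadmin.exe delete shadows /all /quiet",
    "dc01|admin|powershell.exe|wmic shadowcopy delete",
    "ws07|asmith|outlook.exe|C:\\Program Files\\Rclone\\rclone.exe version",
]

# Rclone transfer whose argument list contains a named remote ("mega:", "s3:").
# A single-letter drive such as "D:" is deliberately not treated as a remote.
RCLONE_CLOUD_RE = re.compile(
    r"rclone(?:\.exe)?\s+(?:copy|sync|move)\b.*\s[A-Za-z][A-Za-z0-9_-]+:", re.I)
# Common shadow copy deletion command lines (vssadmin and wmic).
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)


def classify(event: str):
    """Return the list of alert tags for one 'host|user|parent|cmdline' event."""
    host, user, parent, cmdline = event.split("|", 3)
    tags = []
    if RCLONE_CLOUD_RE.search(cmdline):
        tags.append("rclone_cloud_transfer")
    if SHADOW_DELETE_RE.search(cmdline):
        tags.append("shadow_copy_deletion")
    return tags


def detect(events):
    """Map each host with at least one alert to the set of tags seen on it."""
    findings = {}
    for ev in events:
        tags = classify(ev)
        if tags:
            findings.setdefault(ev.split("|", 1)[0], set()).update(tags)
    return findings


def hosts_with_both(findings):
    """Hosts showing exfiltration and backup destruction together, the
    strongest signal of the pattern described in the text."""
    return sorted(h for h, t in findings.items()
                  if {"rclone_cloud_transfer", "shadow_copy_deletion"} <= t)
```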
With ransom demands between $175,000 and over $660,000, ProLock is as serious a threat as other, more infamous ransomware families like Maze, Sodinokibi, Ryuk or LockerGoga, which are considered top players in the ransomware business.