Friday, January 15, 14:01
Home security ProLock ransomware: Everything you need to know about this threat

ProLock ransomware: Everything you need to know about this threat

ProLock ransomware

From the beginning of the year, a new ransomware gang called ProLock has targeted large Companies and government networks, encrypting significantly archives and asking for huge sums of money.

ProLock seems to be the last ransomware gang to adopt the approach "big-game hunting“'. This means that attacks big and important goals who have the financial ability to give the huge sums of money they ask for hackers.

System administrators who manage these large networks are more likely to encounter a attack from ProLock ransomware.

Here's some important information you need to know about this ransomware that both Group-IB and Sophos as well as the FBI.

ProLock ransomware: Get started

The ProLock gang began its attacks in late 2019. Initially, the group was known as PwndLocker. When, however, it made a major code upgrade, the gang changed its name to ProLock (March 2020). The code change was made when security researchers found a bug in the original PwndLocker and released a free one. tool decryption.


Security researchers have observed that in most cases ProLock ransomware was being developed on networks that were previously infected with the Qakbot trojan.

The Qakbot trojan is usually distributed through spam emails or installed as Second-stage payload on computers that were previously infected with trojan Emotet. The system administrators who find these two malware, they should isolate the systems and control their networks, as the ProLock gang may be preparing to attack them.

ProLock ransomware

How does it spread?

However, the ProLock gang usually buys access to a single computer infected with Qakbot and not in all networks. For this reason, the hackers they need to extend their access from this access point to other nearby computers to do as much damage as possible.

This method is called "lateral movement”And there are several ways to use it.

According to Group-IB, hackers are using Windows vulnerability CVE-2019-0859 to access infected computers, at administrator level. Next, they develop the tool MimiKats to steal credentials from the infected system.

Depending on what he finds, the ProLock gang can use these credentials to move to a network through RDP, SMB or via the local domain controller.

Finally, the WMIC to install the actual ransomware on all the compromised servers, at which point the encryption of the files of the victims.


All attacks using the "lateral movement" method they are not automated. There is at least one person handling them.

ProLock ransomware manages to infect a large number of computers, as the people who operate it try to cause as much damage as possible to as many systems as possible.

Group-IB says this tactic allows the group to claim large sums of money from victims, most of whom face prolonged downtime if they decide to restore internal networks.

"The fact that the average ransom requirements range from 35 to 90 Bitcoin (approximately $ 400.000 to $ 1.000.000) confirms the adoption of the big-game hunting approachSaid Group-IB.

The amounts requested by the specifics hackers is below the average ($ 1,8 million) of some other gangs, which also follow the big-game hunting approach. However, attacks with ProLock ransomware have been gradually increasing in recent months. For example, Group-IB recently identified one attack, to which the gang requested 225 Bitcoin, which is about 2,3 million dollars.

Some of the victims of the group are the ATM manufacturer Diebold Nixdorf, the city Novi Sad in Serbia and Lasalle County in Illinois.

Payment of ransom

The FBI emphasizes that the victims they do not have to pay the ransom, as the ProLock decryption tool does not always work and usually fails to decrypt larger files.

Victim data leak

Researchers have observed that data of ProLock ransomware victims have been exposed on the internet. These victims were Companies who decided not to pay the ransom.

Unlike other gangs, ProLock operators have not set up their own leak site. They prefer to expose stolen data to hacking forums or send them to journalists via email.

ProLock seems to be the first ransomware gang to use Qakbot as a starting point, but most of the other tactics are the same as those used by other teams following the "big-game hunting" approach.


Please enter your comment!
Please enter your name here

Digital Fortress
Digital Fortress
Pursue Your Dreams & Live!


Verified Twitter accounts in a cryptocurrency scam with the name of Elon Musk violated!

Lately, hackers have been violating verified Twitter accounts in a cryptocurrency giveaway scam, in which the name of the CEO is used ...

Classiscam: Fraudsters "fake" brands and deceive users of European markets!

Dozens of criminal gangs publish fake ads in popular online markets, to attract unsuspecting users to "fraudulent" commercial sites or phishing ...

iOS 14.4: Displays a notification for repairs with non-genuine cameras

Starting with the iPhone 11, Apple has added a notification to iOS that tells the user when the device has a ...

Facebook: Sues Chrome extensions developers for data theft

Facebook has filed a lawsuit against two Portuguese nationals for developing Chrome extensions that collected data from Facebook users.

Cisco does not fix 74 bugs in RV routers that have reached their EOL

Cisco said yesterday that it will not release firmware updates to fix 74 vulnerabilities that have been reported in ...

Hacker commits new crimes while waiting for his release!

A Kosovo hacker was pardoned after his conviction. The hacker provided personally identifiable information over 1.000 ...

Nintendo rules out Game & Watch video hacking

Two copyright claims against a YouTuber have been filed by Nintendo, for a video showing hacking of Super Mario ...

The number of reported CVEs increased by 6%!

According to a new analysis released on the level and volume of vulnerabilities in 2020, the total number of CVEs ...

Google: Removed 164 apps that featured out-of-context ads

Google removed 164 Android applications from the official Play Store, after security researchers discovered that the specific apps were bombarding them ...

Britain: Loss of 150.000 police records from a database

Some 150.000 police records have been deleted from its database as a result of a technical problem, according to the British government.