Thursday, October 22, 22:37

ProLock ransomware: Everything you need to know about this threat


Since the beginning of the year, a new ransomware gang called ProLock has been targeting large companies and government networks, encrypting large volumes of files and demanding huge sums of money.

ProLock appears to be the latest ransomware gang to adopt the "big-game hunting" approach: it attacks large, important targets that have the financial means to pay the huge sums the hackers demand.

System administrators who manage such large networks are therefore more likely to encounter a ProLock ransomware attack.

Here is some important information about this ransomware, drawn from what Group-IB, Sophos and the FBI have published.

ProLock ransomware: How it started

The ProLock gang began its attacks in late 2019. Initially the group was known as PwndLocker; after a major code overhaul in March 2020, it renamed itself ProLock. The rewrite came after security researchers found a bug in the original PwndLocker and released a free decryption tool.

Distribution

Security researchers have observed that in most cases ProLock ransomware was deployed on networks that had previously been infected with the Qakbot trojan.

The Qakbot trojan is usually distributed through spam emails or installed as a second-stage payload on computers already infected with the Emotet trojan. System administrators who find either of these two pieces of malware should isolate the affected systems and check their networks, as the ProLock gang may be preparing to attack them.


How does it spread?

However, the ProLock gang usually buys access to a single Qakbot-infected computer, not to the whole network. The hackers therefore need to extend their access from this entry point to other computers on the network in order to do as much damage as possible.

This technique is called "lateral movement", and there are several ways to carry it out.

According to Group-IB, the hackers use the Windows vulnerability CVE-2019-0859 to gain administrator-level access on infected computers. Next, they deploy the Mimikatz tool to steal credentials from the infected system.

Depending on what they find, the ProLock gang can use these credentials to move through the network over RDP, SMB or via the local domain controller.

Finally, they use WMIC to install the actual ransomware on all the compromised servers, at which point the encryption of the victims' files begins.
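The chain just described (credential theft with Mimikatz, then remote execution through WMIC) leaves process-creation telemetry that defenders can match on. The following Python script is an added example, not code from the article or from Group-IB: it runs two simple detection rules over a handful of constructed Windows process-creation records (hypothetical hostnames, users and command lines, in a simplified form of Event ID 4688 / Sysmon Event ID 1 data) and reports which hosts show both stages of the chain.

```python
"""Detection of the ProLock lateral-movement chain in process-creation logs.

Added example (not from the original article). The events below are
constructed sample data with hypothetical hosts and users, shaped like a
flattened Windows process-creation record.
"""
import json
import re

# Constructed sample telemetry: one record per process start.
SAMPLE_EVENTS = [
    {"host": "WS-017", "user": "CORP\\alice", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic.exe process list brief"},          # benign local query
    {"host": "WS-017", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "WMIC /node:FS-02 process call create "
                "\"C:\\Windows\\Temp\\update.bat\""},   # remote execution
    {"host": "WS-017", "user": "CORP\\alice", "parent": "cmd.exe",
     "image": "C:\\Users\\alice\\Downloads\\mimikatz.exe",
     "cmdline": "mimikatz.exe"},                          # credential tool
    {"host": "DC-01", "user": "CORP\\admin", "parent": "services.exe",
     "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},                # benign
]

# Rule name -> pattern checked against image path and command line.
RULES = [
    ("remote_wmic_process_create",
     re.compile(r"wmic(\.exe)?\s.*?/node:\S+.*?process\s+call\s+create", re.I)),
    ("credential_dumping_tool",
     re.compile(r"mimikatz|sekurlsa::|lsadump::", re.I)),
]

# Both stages must appear on the same host to count as the full chain.
CHAIN = {"credential_dumping_tool", "remote_wmic_process_create"}


def classify_event(event):
    """Return the names of the rules an event matches, in rule order."""
    haystack = event.get("image", "") + " " + event.get("cmdline", "")
    return [name for name, pattern in RULES if pattern.search(haystack)]


def scan_events(events):
    """Return one alert per event that matches at least one rule."""
    alerts = []
    for ev in events:
        hits = classify_event(ev)
        if hits:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "rules": hits, "cmdline": ev["cmdline"]})
    return alerts


def hosts_with_chain(events):
    """Hosts on which both credential dumping and remote WMIC execution were seen."""
    seen = {}
    for alert in scan_events(events):
        seen.setdefault(alert["host"], set()).update(alert["rules"])
    return sorted(host for host, rules in seen.items() if CHAIN <= rules)


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(json.dumps(alert))
    print("hosts showing the full chain:", hosts_with_chain(SAMPLE_EVENTS))
```

The first WMIC record is deliberately benign (a local `process list`), so only the `/node:` remote-execution form is flagged; correlating both rules per host, rather than alerting on each hit alone, is what separates routine administration from the escalation-then-deploy pattern the article attributes to ProLock.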

Impact

Attacks that use the "lateral movement" method are not automated: there is at least one person operating them.

ProLock ransomware manages to infect a large number of computers, because the people operating it try to cause as much damage as possible across as many systems as possible.

Group-IB says this tactic allows the group to claim large sums of money from victims, most of whom face prolonged downtime if they decide to restore their internal networks.

"The fact that the average ransom demand ranges from 35 to 90 Bitcoin (approximately $400,000 to $1,000,000) confirms the adoption of the big-game hunting approach," said Group-IB.

The amounts demanded by these hackers are below the average ($1.8 million) of some other gangs that also follow the big-game hunting approach. However, ProLock ransomware attacks have been gradually increasing in recent months. For example, Group-IB recently identified one attack in which the gang demanded 225 Bitcoin, which is about $2.3 million.

Some of the group's victims include the ATM manufacturer Diebold Nixdorf, the city of Novi Sad in Serbia and LaSalle County in Illinois.

Payment of ransom

The FBI advises victims not to pay the ransom, as the ProLock decryption tool does not always work and usually fails to decrypt larger files.

Victim data leak

Researchers have observed that data belonging to ProLock ransomware victims has been exposed on the internet. These victims were companies that decided not to pay the ransom.

Unlike other gangs, ProLock's operators have not set up their own leak site. They prefer to expose stolen data on hacking forums or send it to journalists by email.

ProLock seems to be the first ransomware gang to use Qakbot as its entry point, but most of its other tactics are the same as those used by other groups that follow the "big-game hunting" approach.
