ProLock appears to be the latest ransomware gang to adopt the "big-game hunting" approach: it attacks large, high-value targets that have the financial means to pay the huge sums the hackers demand.
System administrators who manage such large networks are the ones most likely to encounter a ProLock ransomware attack.
ProLock ransomware: how it started
The ProLock gang began its attacks in late 2019. Initially the group was known as PwndLocker. After a major code overhaul, however, the gang renamed itself ProLock (March 2020). The code change came after security researchers found a bug in the original PwndLocker and released a free decryption tool.
Security researchers have observed that in most cases ProLock ransomware was deployed on networks that had previously been infected with the Qakbot trojan.
The Qakbot trojan is usually distributed through spam emails or installed as a second-stage payload on computers already infected with the Emotet trojan. System administrators who find either of these two pieces of malware should isolate the affected systems and check their networks, as the ProLock gang may be preparing to attack them.
How does it spread?
The ProLock gang usually buys access to a single Qakbot-infected computer, not to an entire network. For this reason the hackers need to extend their access from that initial foothold to other computers on the network in order to do as much damage as possible.
This technique is called "lateral movement", and there are several ways to carry it out.
According to Group-IB, the hackers use the Windows vulnerability CVE-2019-0859 to escalate their privileges to administrator level on the infected computer. They then deploy the Mimikatz tool to steal credentials from the compromised system.
Depending on what they find, the ProLock operators use these credentials to move through the network via RDP, SMB, or the domain controller.
Finally, WMIC is used to install the actual ransomware on all the compromised servers, at which point the encryption of the victims' files begins.
Attacks that rely on lateral movement are not automated: at least one human operator is driving them.
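The chain described above (LSASS credential theft, RDP/SMB logons with the stolen credentials, and remote execution via WMI) leaves traces in Windows Security and Sysmon logs. The following is an added example of a small hunt over such events; it is not Group-IB's or the gang's tooling, and the events, host names and IP addresses are constructed test data with Sysmon/Security-style field names, not captured telemetry. The CVE-2019-0859 privilege-escalation step is not modelled, since it leaves no single distinctive log event.

```python
"""Hunt for the ProLock-style lateral-movement chain in a handful of
constructed Windows events.  Added example, not code from Group-IB or the
ProLock operators; field names imitate Sysmon / Windows Security logs."""
from collections import defaultdict

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Sysmon EID 10: unknown binary opens LSASS with read rights (Mimikatz-like)
    {"host": "WS-042", "source": "Sysmon", "event_id": 10,
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010"},
    # Security 4624 logon type 10 (RemoteInteractive = RDP) from the workstation
    {"host": "FS-01", "source": "Security", "event_id": 4624,
     "LogonType": 10, "IpAddress": "10.0.5.42", "TargetUserName": "svc_backup"},
    # Security 4624 logon type 3 (network, e.g. SMB) to the domain controller
    {"host": "DC-01", "source": "Security", "event_id": 4624,
     "LogonType": 3, "IpAddress": "10.0.5.42", "TargetUserName": "svc_backup"},
    # Sysmon EID 1: the WMI provider host spawns a command on a remote server,
    # which is what a remote "wmic /node:... process call create" looks like
    {"host": "FS-01", "source": "Sysmon", "event_id": 1,
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Windows\Temp\payload.exe"},
    # Benign noise: an ordinary console logon and a normal process start
    {"host": "WS-042", "source": "Security", "event_id": 4624,
     "LogonType": 2, "IpAddress": "127.0.0.1", "TargetUserName": "jdoe"},
    {"host": "WS-042", "source": "Sysmon", "event_id": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE"},
]

LSASS = "lsass.exe"
WMI_HOST = "wmiprvse.exe"
# PROCESS_VM_READ; credential dumpers need at least this on LSASS.
# Assumption: a plain mask check is enough for this illustration.
PROCESS_VM_READ = 0x0010


def classify(ev):
    """Map one event to a stage of the described chain, or None if benign."""
    if ev["source"] == "Sysmon" and ev["event_id"] == 10:
        if ev["TargetImage"].lower().endswith(LSASS) \
                and int(ev["GrantedAccess"], 16) & PROCESS_VM_READ:
            return "credential_access"      # Mimikatz-style LSASS read
    if ev["source"] == "Security" and ev["event_id"] == 4624:
        if ev["LogonType"] == 10:
            return "lateral_rdp"
        if ev["LogonType"] == 3 and not ev["IpAddress"].startswith("127."):
            return "lateral_smb"
    if ev["source"] == "Sysmon" and ev["event_id"] == 1:
        if ev["ParentImage"].lower().endswith(WMI_HOST):
            return "wmi_execution"          # remotely triggered via WMIC
    return None


def hunt(events):
    """Return ({host: sorted stages seen}, {source IPs of lateral logons})."""
    hits = defaultdict(set)
    lateral_sources = set()
    for ev in events:
        stage = classify(ev)
        if stage is None:
            continue
        hits[ev["host"]].add(stage)
        if stage.startswith("lateral_"):
            lateral_sources.add(ev["IpAddress"])
    return {h: sorted(s) for h, s in hits.items()}, lateral_sources


def chain_complete(hits):
    """True when credential theft, a lateral logon and WMI execution are all
    visible somewhere in the estate, i.e. the full described sequence."""
    seen = set().union(*hits.values()) if hits else set()
    return {"credential_access", "wmi_execution"} <= seen and \
        bool(seen & {"lateral_rdp", "lateral_smb"})


if __name__ == "__main__":
    found, sources = hunt(SAMPLE_EVENTS)
    for host, stages in found.items():
        print(f"{host}: {', '.join(stages)}")
    print("lateral logon sources:", sorted(sources))
    print("full chain visible:", chain_complete(found))
```

Each stage on its own is noisy (administrators use RDP and WMI legitimately), so the useful signal is the combination: an LSASS read by a non-standard binary on one host, followed by logons from that host's address to servers and the domain controller, followed by WmiPrvSE.exe spawning shells on those servers. Pivoting on the source IP of the lateral logons is the quickest way to find the original Qakbot foothold.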
ProLock ransomware ends up infecting a large number of computers, because the people operating it try to cause as much damage as possible to as many systems as possible.
Group-IB says this tactic allows the group to demand large sums of money from victims, most of whom face prolonged downtime if they decide to rebuild their internal networks instead of paying.
"The fact that the average ransom demands range from 35 to 90 Bitcoin (approximately $400,000 to $1,000,000) confirms the adoption of the big-game hunting approach," said Group-IB.
The amounts demanded by these hackers are below the average ($1.8 million) of some other gangs that also follow the big-game hunting approach. However, ProLock ransom demands have been gradually increasing in recent months. For example, Group-IB recently identified an attack in which the gang demanded 225 Bitcoin, roughly $2.3 million.
Some of the group's victims are the ATM manufacturer Diebold Nixdorf, the city of Novi Sad in Serbia and LaSalle County in Illinois.
Payment of ransom
The FBI advises victims not to pay the ransom, as the ProLock decryption tool does not always work and usually fails to decrypt larger files.
Victim data leak
Researchers have observed data belonging to ProLock ransomware victims being exposed on the internet. These victims were companies that decided not to pay the ransom.
Unlike other gangs, the ProLock operators have not set up their own leak site. They prefer to post stolen data on hacking forums or send it to journalists by email.
ProLock appears to be the first ransomware gang to use Qakbot as its entry point, but most of its other tactics are the same as those used by other groups following the "big-game hunting" approach.