ProLock Ransomware
Yet another ransomware gang, known as ProLock, has emerged this year, breaking into the networks of major companies and government departments, encrypting files, and demanding huge ransoms since the start of the year.
ProLock is the newest ransomware group to adopt the "big-game hunting" approach: going after large targets and extracting large payments from victims who can afford them.
System administrators who manage large networks are therefore increasingly likely to see attacks by this particular group.
Below is a summary of what system administrators should know about ProLock's activities, according to reports published by Group-IB, Sophos, and two FBI alerts. The ProLock gang started operating in 2019. They first appeared under the name PwndLocker, but shortly afterwards, following a code upgrade, rebranded as ProLock in March 2020.
In every case examined by security researchers, the ProLock ransomware was installed on networks that had already been infected by the Qakbot Trojan.
In the past, the Qakbot Trojan has been distributed through e-mail spam campaigns or dropped as a second-stage payload on computers already compromised by the Emotet Trojan. Either infection means the ProLock gang may already be roaming the system. System administrators who find computers infected with either of these two malware strains should isolate those systems right away and conduct a network audit.
Since the ProLock gang usually only purchases access to a single infected computer, not the whole network, they have to expand out from this initial point of entry to other computers nearby in order to do maximum damage.
This process is known as "lateral movement", and the ProLock gang achieves it in a number of ways. According to Group-IB, the threat actor uses the CVE-2019-0859 Windows vulnerability to gain administrator-level access to infected hosts, and then deploys the Mimikatz tool to dump credentials from the infected systems.
Depending on what they find, the ProLock gang may use these credentials to move across the network via RDP, SMB, and local domain controllers.
In the final step, WMIC is used to push the actual ransomware onto all compromised hosts. Wherever it encrypts files, it also plays an OS alert tone at the end of the encryption routine.
All of these operations are carried out over the network by human operators working at a terminal, and are therefore not automated.
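The deployment step described above, wherein WMIC starts the ransomware on many hosts from one foothold, leaves a one-to-many pattern in process-creation telemetry. The following is an added detection sketch, not code from the article or from any of the cited reports. The log records are constructed and use Sysmon-style field names (`ts`, `host`, `user`, `image`, `cmdline`) as an assumption; real telemetry will use different field names, but the signal is the same: `wmic.exe` invoked with `/node:` against another machine followed by `process call create`, and one source host doing that against several targets in a short time.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (field names are an assumption,
# modelled on Sysmon Event ID 1; adapt them to your own telemetry schema).
SAMPLE_EVENTS = [
    {"ts": "2020-05-12T02:14:03", "host": "WS-017", "user": r"CORP\admin1",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"FS-01" process call create "cmd.exe /c \\WS-017\share\update.exe"'},
    {"ts": "2020-05-12T02:14:09", "host": "WS-017", "user": r"CORP\admin1",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:FS-02 process call create "cmd.exe /c \\WS-017\share\update.exe"'},
    {"ts": "2020-05-12T02:14:15", "host": "WS-017", "user": r"CORP\admin1",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"DC-01" /user:CORP\admin1 process call create "cmd.exe /c \\WS-017\share\update.exe"'},
    # Benign: local inventory query, no remote node, no process creation.
    {"ts": "2020-05-12T08:01:00", "host": "WS-022", "user": r"CORP\helpdesk",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption,version"},
    # Benign: remote query that reads data but creates no process.
    {"ts": "2020-05-12T08:02:30", "host": "WS-022", "user": r"CORP\helpdesk",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic /node:FS-01 os get caption"},
    # A single remote execution from the helpdesk box: a hit, but no fan-out.
    {"ts": "2020-05-12T08:05:12", "host": "WS-022", "user": r"CORP\helpdesk",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:WS-031 process call create "notepad.exe"'},
]

# wmic invoked against a remote node (/node:, quoted or not) that goes on to
# create a process there. The node name is captured for reporting.
REMOTE_EXEC = re.compile(
    r'\bwmic(?:\.exe)?\b.*?/node:\s*"?([^\s"]+)"?.*?\bprocess\s+call\s+create\b',
    re.IGNORECASE | re.DOTALL,
)


def remote_exec_target(cmdline):
    """Return the remote node named in a wmic 'process call create' command
    line, or None if the command line is not a remote process creation."""
    m = REMOTE_EXEC.search(cmdline)
    return m.group(1) if m else None


def find_remote_wmic_exec(events):
    """All events in which wmic.exe is used to start a process on another host."""
    hits = []
    for ev in events:
        target = remote_exec_target(ev["cmdline"])
        if target is not None:
            hits.append({"ts": ev["ts"], "source": ev["host"],
                         "user": ev["user"], "target": target})
    return hits


def find_fanout(events, min_targets=3):
    """Source hosts that started processes on at least `min_targets` distinct
    machines: the one-to-many shape of a mass deployment rather than a single
    administrative action. Returns {source_host: sorted target list}."""
    targets_by_source = defaultdict(set)
    for hit in find_remote_wmic_exec(events):
        targets_by_source[hit["source"]].add(hit["target"])
    return {src: sorted(t) for src, t in targets_by_source.items()
            if len(t) >= min_targets}


if __name__ == "__main__":
    for hit in find_remote_wmic_exec(SAMPLE_EVENTS):
        print(f'{hit["ts"]} {hit["source"]} ({hit["user"]}) -> {hit["target"]}')
    for src, targets in find_fanout(SAMPLE_EVENTS).items():
        print(f"FAN-OUT: {src} started processes on {len(targets)} hosts: {targets}")
```

Run against the constructed sample, the individual hits include the one-off helpdesk action, but only WS-017 crosses the fan-out threshold. In practice the threshold should be tuned to how your administrators actually use WMIC, and the same grouping can be applied to other remote-execution channels the article mentions (RDP and SMB logons from a single source) to catch the same human-operated pattern.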
As a result, a ProLock infection usually spreads to an enormous number of computers, since ProLock's human operators spend their time trying to do as much damage as possible.
This positions the group to request very high decryption fees from victims, who would face long periods of downtime even if they decided to rebuild their internal network.
Even though this sum is less than the average ($1.8 million) demanded by some other big-game hunting ransomware gangs, Group-IB said in a private report shared with ZDNet today: "Their average ransom demand ranges from 35 to 90 bitcoins (approximately $400,000 to $1,000,000), so this fact only confirms their 'think big' strategy."
ProLock ransoms also keep increasing from month to month. For example, Group-IB told ZDNet that another ProLock case they came across carried a ransom demand of 225 bitcoins, equivalent to around $2.3 million.
Its victims include well-known names such as the ATM manufacturer Diebold Nixdorf and the city of Novi Sad in Serbia.
Although this particular ransomware group can cause a lot of damage, the FBI, in one of its two advisories, discouraged organizations from paying the ransom. This is because the ProLock decryptor that victims receive does not always work as expected: where large files are concerned, decryption mostly fails.
On some occasions, ProLock has also exfiltrated data from the victim networks it infected whose owners refused to pay.
Whereas other ransomware groups run dedicated sites where they leak this data, ProLock prefers to dump it on hacking forums or send it to journalists via email.
ProLock seems to be the first ransomware gang to do this, but in all its other tactics it resembles most of the big-game hunting, human-operated ransomware gangs. Protecting a network against ProLock therefore requires the same precautions that companies should already be taking against other ransomware groups.