ProLock Ransomware

ProLock ransomware is increasing its ransom amount as well as its victim count.

Sept 15, 2020

After a failed start in 2019 as PwndLocker, which had a bug that allowed its victims to get their data back without having to pay the ransom, the creators of the ransomware fixed the bug in their system and brought back a new version under the name ProLock.

Armed with a new program that did not have the fatal flaw of the first version, ProLock operators have been able to deploy a large number of attacks over the past 6 months, averaging a victim a day.

The group behind ProLock targets enterprise-level networks, and the ransom they ask for can be anywhere from $175,000 to more than $660,000.

As their activity and victim count have grown, they have raised the ransom, sometimes to as much as $1.8 million.

Partnerships in the ransomware business pay off: ProLock partnered with QBot, a banking Trojan.

How they enter your systems:

Most instances of ProLock ransomware can be traced back to a spear phishing email with a malicious Office document that delivers the QBot Trojan, oftentimes via replies in hijacked email threads.

Once on the victim's computer, the Trojan makes changes to the Windows Registry to make sure that it is not spotted by active defenses. After that registry change, it scans the network and begins to move to other computers or servers on the network and infects them as well.

Despite using standard tools, ProLock attacks remain largely undetected on the network, giving them time to prepare the file encryption stage and steal data.

Prevention:

The best way to prevent any type of ransomware is still to be careful when opening emails. Even if you believe the email is from a trusted source, it never hurts to double-check the sender address, as spoofing has become more and more common. If you see an email that looks suspicious and you would like a second opinion on it, you can always contact our help desk; we can connect to your computer, check the email and verify the sender. If we find the email to be a phishing email or from a domain known for malicious use, we can assist in blocking the sender or domain.


Spoofing:

Spoofing is when malicious email senders pretend to be someone within your organization. While the name and email may look the same as your coworker's, a closer check of the email reveals the actual sender address.

Spear phishing:

An attack that uses spoofing against normally just one user or organization, making it seem like you are getting emails from users within your organization, oftentimes from higher-level staff within the company, asking users to review an infected Office document.
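The "deep check" of a sender that the Spoofing and Spear phishing sections describe, as an added example (not code from the original post or from any vendor): it parses the real From and Reply-To addresses behind the display name of one raw message and flags an external or lookalike domain and a redirected reply address. The sample message and the `example.com` internal domain are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from a real incident): the display name mimics a
# coworker, but the actual address sits on a lookalike external domain and
# replies are redirected to a different mailbox.
SAMPLE_EMAIL = """\
From: "Jane Doe" <jane.doe@example-corp.net>
Reply-To: "Jane Doe" <accounts@example-corp.net>
To: bob@example.com
Subject: Re: Q3 invoice - please review attached document

Please review the attached Office document.
"""


def _domain(address):
    """Lowercase domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def check_sender(raw_email, internal_domain):
    """Return findings about the sender of one raw RFC 5322 message.

    internal_domain is the organization's own domain (assumption: one domain).
    A mail client shows only the display name; these checks look at the
    actual addresses behind it.
    """
    msg = message_from_string(raw_email)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    internal = internal_domain.lower()

    if from_domain != internal:
        findings.append(f"From address {from_addr} is outside {internal}")
        # Lookalike: the internal domain's first label (e.g. 'example')
        # reused inside a different registered domain.
        if internal.split(".")[0] in from_domain:
            findings.append(f"domain {from_domain} resembles {internal}")

    # A Reply-To that differs from the visible sender sends answers (and any
    # files sent back) to a mailbox other than the one the reader expects.
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    return findings


if __name__ == "__main__":
    for finding in check_sender(SAMPLE_EMAIL, "example.com"):
        print("WARNING:", finding)
```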

If you have any questions please call into our helpdesk line or send us an email at info@tekleap.com