Evolved ProLock Ransomware Threat Intel Advisory

Summary

CloudSEK Threat Intelligence Advisory on ProLock Ransomware, previously PwndLocker malware, Mitre ATT&CK, IOCs, and preventive measures.
ProLock ransomware, previously PwndLocker, was released in March of 2020 with advanced capabilities. This evolved ransomware had begun operating in the latter part of 2019 and was primarily responsible for the attack targeting ATM manufacturer Diebold Nixdorf and the US state of Illinois. It first encrypts files with the RSA-2048 algorithm, modifies filenames, and then creates a ransom message. The ransomware then appends the ".proLock" extension to filenames of all encrypted files. ProLock ransomware operators gain access to hacked networks via the Qakbot (Qbot) info-stealer botnet, which is in turn capable of spreading across networks. Unprotected RDP servers also facilitate the intrusion.  In the past, ProLock has targeted multiple sectors including construction, finance, healthcare, and legal. The malware was also used in attacks aimed at US government agencies and industrial entities. For exfiltration, ProLock operators use a legitimate computer program - Rclone - command-line tool capable of copying and syncing files to and from different cloud storage providers, such as OneDrive, Google Drive, Mega, etc. The executable is always renamed to resemble legitimate system binaries. The operator’s ransom demands range from $175,000 to more than $660,000 worth of Bitcoins (Fig.1).  
Ransom Note from ProLock ransomware
Fig.1 Ransom Note

Impact

Microsoft’s task automation and configuration management framework PowerShell is used to extract the binary from a PNG or a JPG file and inject it into the memory. ProLock kills processes from the embedded list and stops services, including security-related ones like CSFalconService, using the net stop command. Then it utilizes the Vssadmin Windows process to remove volume shadow copies and limit their size, to make sure that no new copies are created (fig.2).
Removing Volume Shadow Copies ProLock ransomware
Fig2. Removing Volume Shadow Copies

Mitre ATT&CK Mapping

 
Tactic
Technique
Initial Access External Remote Services (T1133), Spearphishing Attachment (T1193), Spearphishing Link (T1192)
Execution  Powershell (T1086), Scripting (T1064), User Execution (T1204), Windows Management Instrumentation (T1047)
Persistence  Registry Run Keys / Startup Folder (T1060), Scheduled Task (T1053), Valid Accounts (T1078)
Defense Evasion Code Signing (T1116), Deobfuscate/Decode Files or Information (T1140), Disabling Security Tools (T1089), File Deletion (T1107), Masquerading (T1036), Process Injection (T1055)
Credential Access  Credential Dumping (T1003), Brute Force (T1110), Input Capture (T1056)
Discovery  Account Discovery (T1087), Domain Trust Discovery (T1482), File and Directory Discovery (T1083), Network Service Scanning (T1046), Network Share Discovery (T1135), Remote System Discovery (T1018)
Lateral Movement  Remote Desktop Protocol (T1076), Remote File Copy (T1105), Windows Admin Shares (T1077)
Collection  Data from Local System (T1005), Data from Network Shared Drive (T1039), Data Staged (T1074)
Command and Control  Commonly Used Port (T1043), Web Service (T1102)
Exfiltration  Data Compressed (T1002), Transfer Data to Cloud Account (T1537)
Impact  Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490)
 

IOCs / Hashes / URLs

  1. http://185.212.128.8/j078.exe
  2. http://185.212.128.8/j080.exe
  3. http://185.212.128.8/q109.exe
  4. http://185.212.128.8/B/
  5. b262b1b82e5db337d367ea1d4119cadb928963896f1aff940be763a00d45f305
  6. 2f0e4b178311a260601e054b0b405999715084227e49ff18a19e1a59f7b2f309
  7. a6ded68af5a6e5cc8c1adee029347ec72da3b10a439d98f79f4b15801abd7af0
  8. 18661f8c245d26be1ec4df48a9e186569a77237f424f322f00ef94652b9d5f35
  9. dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178
  10. e2a961c9a78d4c8bf118a0387dc15c564efc8fe9
  11. 4f125d890a8f98c9c7069b0bb2b5625c7754fad6
  12. 81d5888bb8d43d88315c040be1f51db6bb5cf64c
  13. 0ce3614560e7c1ddbc3b8f56f3e45278de47d3bb
  14. 9cae5fcefc8bc9b748b4b16549e789e27ae816df
  15. a037439ad7e79dbf4a20664cf10126c93429e350
  16. 3355ace345e98406bdb331ccad568386
  17. c579341f86f7e962719c7113943bb6e4

Preventive Measures

  1. Create a backup for your most important files, on a regular basis
  2. Personalize your anti-spam settings
  3. Patch and update your software and system
  4. Ensure that your Windows Firewall is turned on and properly configured 
  5. Disable Windows Script Host 
  6. Disable Windows PowerShell, which is a task automation framework
  7. Disable macros and ActiveX
  8. Use strong passwords to avoid brute-force attacks
  9. Block known-malicious IP addresses
  10. Use proper antivirus, one that does not allow unwanted execution
  11. Do not click on suspicious links
  12. Spread awareness about such threats among users

Table of Contents

Request an easy and customized demo for free