ProLock Ransomware Description
The ProLock Ransomware is a recently spotted data-encrypting Trojan that is circulating on the Web and looking for victims. Ransomware is among the nastiest classes of threat to deal with: the Trojan infiltrates a machine, locates the user's files, encrypts them, and then extorts the victim for money.
ProLock takes its name from the extension it appends to encrypted files, ".ProLock". Some samples have been observed with the extension stacked several times on a single file (for example "file.docx.ProLock.ProLock"). Because the extension is appended on every pass, a stacked extension means the encryptor ran over the same file more than once rather than that the file was protected by several layers of encryption by design; it is still a useful triage signal, since it shows how many times the payload executed. Instructions for restoring files are left in a ransom note placed in affected folders and on the desktop.
The ransom note tells victims they can restore their files if they pay. It contains a link to a Tor website, and that website gives the details of a bitcoin wallet to which the victim must send payment to receive the decryption key. At the time of writing the demanded price was 60 bitcoins, but the figure changes, and individual victims may be quoted individual ransoms. The constant is that the files cannot be decrypted without the key the attackers hold.
Victims are told to pay quickly or risk losing the key, which the attackers say they keep for only a month. The attackers also claim to have stolen sensitive data and threaten to publish it if the ransom goes unpaid. In an attack like this, only the people who built the ransomware can reverse the encryption, and there is no guarantee that they will hand over a working key after payment. Security experts advise against paying. Lost files may instead be restorable from a backup, or in some cases with data recovery tools.
ProLock Propagation and Encryption Methods
It is not yet clear how ProLock reaches its victims. Researchers suspect exposed or poorly secured remote-access services, such as Remote Desktop Protocol (RDP) endpoints or remote-administration tools like TeamViewer, protected by weak or reused credentials. (TeamViewer is not an RDP utility; it is a separate remote-control product, but it offers the same kind of interactive foothold if an account is compromised.) Other conventional infection vectors are also plausible: bogus pirated copies of popular software, mass spam and phishing email campaigns, and malvertising.
ProLock goes after a wide range of file types, including documents, images, videos and archives (.pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .png, .jpg, .jpeg, .gif, .mp3, .mp4, .mov, .rar and many others), and encrypts almost everything outside the operating system's own files, so little data on an infected machine is spared. The ransomware applies a secure encryption algorithm to each targeted file and appends the extension ".ProLock" to its name, which makes an infection easy to spot: a file named "ABC.doc" becomes "ABC.doc.ProLock", and "small-paw.jpg" becomes "small-paw.jpg.ProLock".
ProLock Ransom Note and Demands
After encryption, ProLock drops a ransom note named "[HOW TO RECOVER FILES].txt" into the affected folders and on the desktop. The note claims the files were encrypted with the RSA-2048 algorithm and that the encryption cannot be broken. Ransomware of this kind typically encrypts file contents with a fast symmetric cipher and uses RSA only to protect the per-victim key, so the claim should be read as a statement about why the key cannot be recovered rather than a description of how each file was processed; either way, without the attackers' private key there is no shortcut to decryption. The note also states that the decryption key will be deleted after one month if no payment is made, and that the fee is lower the sooner the victim makes contact.
The attackers prefer to be contacted through their website, which is hosted as a Tor hidden service and can only be reached with the Tor Browser. The note additionally lists an email address for victims who have trouble with Tor.
The ransom note reads:
Your files have been encrypted by ProLock Ransomware using RSA-2048 algorithm.
[.:Nothing personal just business:.]
No one can help you to restore files without our special decryption tool.
To get your files back you have to pay the decryption fee in BTC.
The final price depends on how fast you write to us.
1. Download TOR browser: hxxps://www.torproject.org/
2. Install the TOR Browser.
3. Open the TOR Browser.
4. Open our website in the TOR browser: msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion
5. Login using your ID -
***If you have any problems connecting or using TOR network:
contact our support by email firstname.lastname@example.org
[You'll receive instructions and price inside]
The decryption keys will be stored for 1 month.
We also have gathered your sensitive data.
We would share it in case you refuse to pay.
Decryption using third party software is impossible.
Attempts to self-decrypting files will result in the loss of your data.
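The two indicators described above, the stacked ".ProLock" extension on encrypted files and the "[HOW TO RECOVER FILES].txt" note, are what an incident responder would look for first. The following triage script is an added example written for this page; it is not code from the page's author or from any vendor tool. It walks a directory, reports every file carrying one or more ".ProLock" suffixes together with how many times the suffix is stacked, locates the ransom notes, and pulls the .onion address, any email address, and the RSA-2048 claim out of the note text. The sample directory it builds is constructed for the demonstration, and the email address in the sample note is a placeholder, not a real contact.

```python
"""Triage helper for a suspected ProLock infection.

Added example, not code from the article or from any vendor. Assumes only the
indicators the article describes: the '.ProLock' suffix appended to encrypted
files and the note filename '[HOW TO RECOVER FILES].txt'. Every file it
creates under build_sample_tree() is constructed for the demo.
"""
import os
import re
import tempfile
from collections import Counter

NOTE_NAME = "[HOW TO RECOVER FILES].txt"
SUFFIX = ".ProLock"

# v3 hidden-service names are base32 (a-z, 2-7), 56 chars; allow shorter v2 too.
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def prolock_depth(filename):
    """Number of '.ProLock' suffixes stacked on the name (0 if none).

    The extension is appended on every pass, so a depth above 1 means the
    encryptor ran over this file more than once.
    """
    depth = 0
    while filename.endswith(SUFFIX):
        filename = filename[: -len(SUFFIX)]
        depth += 1
    return depth


def original_name(filename):
    """Strip all stacked '.ProLock' suffixes to recover the pre-attack name."""
    return filename[: len(filename) - prolock_depth(filename) * len(SUFFIX)]


def parse_note(text):
    """Extract contact indicators and the RSA-2048 claim from note text."""
    return {
        "onion": sorted(set(ONION_RE.findall(text))),
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "claims_rsa2048": "RSA-2048" in text,
    }


def triage(root):
    """Walk `root` and summarise encrypted files, notes and indicators."""
    encrypted, notes = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                notes.append(path)
                continue
            depth = prolock_depth(name)
            if depth:
                encrypted.append((path, depth))
    indicators = None
    for note in sorted(notes):  # one note is enough; they are identical copies
        with open(note, encoding="utf-8", errors="replace") as fh:
            indicators = parse_note(fh.read())
        break
    return {
        "encrypted": sorted(encrypted),
        "depth_histogram": dict(Counter(d for _, d in encrypted)),
        "notes": sorted(notes),
        "indicators": indicators,
    }


def build_sample_tree():
    """Create a constructed victim directory for the demo (not real artefacts)."""
    root = tempfile.mkdtemp(prefix="prolock-demo-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("ABC.doc.ProLock", "small-paw.jpg.ProLock",
                 "report.xlsx.ProLock.ProLock", "notes.txt"):
        open(os.path.join(docs, name), "wb").close()
    # Constructed note: the .onion is the one quoted in the article; the e-mail
    # address is a placeholder, not a real contact.
    note = (
        "Your files have been encrypted by ProLock Ransomware using RSA-2048 algorithm.\n"
        "4. Open our website in the TOR browser: "
        "msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion\n"
        "contact our support by email support@example.invalid\n"
    )
    for folder in (docs, root):  # note dropped in the folder and on the "desktop"
        with open(os.path.join(folder, NOTE_NAME), "w", encoding="utf-8") as fh:
            fh.write(note)
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    for path, depth in result["encrypted"]:
        print(f"{depth}x  {os.path.basename(path)}  (was {original_name(os.path.basename(path))})")
    print("notes:", len(result["notes"]), "indicators:", result["indicators"])
```

Run it against a real host by calling triage() on the user profile or a mounted disk image instead of the demo tree. The depth histogram tells you at a glance whether the payload executed once or repeatedly, and the parsed indicators are the values to block, search for in proxy and mail logs, and feed into the incident record.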
You should not hand over your money. There is no guarantee that the attackers will deliver the decryption key they promise, and victims who pay are often targeted again or simply never receive a working key. The better defence is to keep a trusted, up-to-date antivirus product running and to take regular backups of your data, with at least one copy kept offline or otherwise unreachable from the infected network, since an intruder with remote access will typically encrypt or delete any backups they can reach. With such a backup in place, an infection becomes a clean-up job rather than a data loss.