After warning the public about how dangerous ProLock can be in May 2020, the FBI issued a second warning about the ransomware threat in the first week of September. The warning is aimed mostly at large private and government organizations, which are the targets ProLock's operators have historically gone after. Large organizations are more likely to have the resources to pay a huge ransom, and ProLock is known to have made ransom demands that sometimes exceed $2 million.
ProLock is relatively new to the ransomware scene, first emerging in late 2019. At that time, the cybercriminals were using a different name - PwndLocker. This changed in March 2020, after security experts found a flaw in PwndLocker's code. The bug was significant enough to allow experts to produce a free decrypter, which prompted the creation of a new version with new code and a new name - ProLock.
ProLock is a human-operated threat, and the cybercriminals running it have historically taken advantage of system configuration flaws or stolen credentials to gain access to networks. At some point around May 2020, ProLock started working with QakBot, also known as Qbot. QakBot started out as a banking trojan and, like most banking trojans, evolved into a powerful malware delivery system. Partnering with QakBot was a big step for the ProLock cybercriminals because QakBot greatly increased the number of networks they could infect.
Human-Operated Ransomware
In the interest of accuracy, ProLock's operators are most likely gaining access to a single infected machine and then moving laterally through the network that machine is on. This is the usual tactic for human-operated threats, as it allows the cybercriminals to find the most sensitive information and plan their attack so that it does the most damage possible.
While individuals are extremely unlikely to encounter ProLock, security specialists at organizations of all types must be on the lookout for this threat. Since the upgrade and name change, ProLock's encryption cannot be undone without the help of its operators. Even worse, ProLock attacks are often accompanied by data exfiltration, which can be devastating to organizations. On top of that, ProLock's decrypter has historically been unreliable: decrypting large files has failed on numerous occasions. On the bright side, if an organization is prepared and has deployed sufficient defenses against ransomware and other threats, ProLock has no unusual or unexpected ways to compromise its network.