ProLock Ransomware Gains Access to Victim Networks via Qakbot Infections

ProLock ransomware, following its predecessor PwndLocker, has been observed demanding ransoms in the six-figure range. And several new enhancements in ProLock indicate that its developers aim to continue its development in the future as well.

What happened
ProLock ransomware, which first emerged in March 2020, has been observed getting enhancements to further sharpen its attacks. ProLock has now paired up with QakBot banking trojan for network intrusion.
In May 2020, ProLock operators added two new initial-access vectors. First, it uses the QakBot (Qbot) banking trojan, which provides persistence, anti-detection, and credential-dumping capabilities. Second, it targets unprotected Remote Desktop Protocol (RDP) servers with weak credentials as another way into victim networks.
In April 2020, the intruders installed the ProLock ransomware on the corporate network of Diebold Nixdorf, a major provider of Automatic Teller Machines (ATMs) and payment technology for banks and retailers.
For its attacks, ProLock uses Windows Management Instrumentation Command (WMIC) to run commands on affected hosts and AdFind to query Active Directory in addition to a wide variety of scripts. It also checks for the newest version of itself and replaces the current version with the new one.
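The WMIC and AdFind usage described above gives defenders two concrete things to look for in process-creation telemetry. The following is an added illustration, not code from the original article or from Group-IB: it runs two simple rules over constructed Sysmon-style events (the field names, host names, paths and rule names are assumptions) and flags WMIC pointed at a remote host to spawn a process, and AdFind-style Active Directory queries even when the binary has been renamed.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"fs02" process call create "cmd /c C:\ProgramData\run.bat"'},
    {"host": "ws01", "image": r"C:\Users\j\AppData\Local\Temp\adfind.exe",
     "cmdline": "adfind.exe -f (objectcategory=computer) -csv name operatingSystem"},
    {"host": "dc01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},          # local inventory, expected noise
    {"host": "ws02", "image": r"C:\Tools\a.exe",
     "cmdline": "a.exe -f (objectcategory=person) -csv samaccountname"},  # renamed AdFind
]

# WMIC aimed at another host and told to spawn a process: the remote-execution
# pattern the article attributes to ProLock operators.
WMIC_REMOTE = re.compile(r"/node:\S+.*\bprocess\s+call\s+create\b", re.IGNORECASE)
# AdFind's LDAP filter syntax survives even when the executable is renamed.
ADFIND_ARGS = re.compile(r"-f\s+\(objectcategory=", re.IGNORECASE)


def classify(event):
    """Return the names of the rules an event triggers (empty list if none)."""
    name = PureWindowsPath(event["image"]).name.lower()
    cmd = event["cmdline"]
    hits = []
    if name == "wmic.exe" and WMIC_REMOTE.search(cmd):
        hits.append("wmic_remote_process_create")
    if name == "adfind.exe" or ADFIND_ARGS.search(cmd):
        hits.append("adfind_ad_enumeration")
    return hits


def scan(events):
    """Map each host to the set of rules its events triggered; silent hosts are omitted."""
    findings = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(ev["host"], set()).add(rule)
    return findings


if __name__ == "__main__":
    for host, rules in scan(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(sorted(rules))}")
```

Local WMIC inventory commands such as the dc01 event are deliberately left unflagged; the remote `/node:` plus `process call create` combination is the signal worth alerting on.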

What experts say
According to a Group-IB report, attackers have already made an impact with ProLock being deployed in intrusions at healthcare organizations, government entities, financial institutions, and retail organizations.
The FBI has issued a security alert warning that, even after the ransom is paid, the ProLock decryptor can corrupt files larger than 64MB and may result in file integrity loss of approximately 1 byte/1KB over 100 ..
