This month, security experts and law enforcement turned their attention to the ProLock ransomware, which recently attacked one of the largest ATM manufacturers, Diebold Nixdorf.
Group-IB specialists dedicated a detailed report to the malware. They say the ransomware appeared in March 2020 and is the successor to the PwndLocker malware, active since the end of 2019 (the malware was renamed ProLock after Emsisoft experts found a way to decrypt PwndLocker files). ProLock attacks most commonly target financial and medical organizations, government agencies, and the retail sector.
Group-IB researchers write that ProLock operators use two main malware distribution vectors: the QakBot Trojan (Qbot) and unprotected RDP servers with weak passwords.
While the RDP vector needs no explanation, the use of QakBot is a particularly interesting one. Previously, this trojan was associated with another ransomware family, MegaCortex, but now it is used by ProLock operators.
As a rule, QakBot itself spreads through phishing campaigns. A phishing email may contain an attached Microsoft Office document or a link to a malicious file hosted in the cloud, for example on Microsoft OneDrive. There are also known cases of QakBot being loaded by another trojan, Emotet, which is widely known for its role in campaigns distributing the Ryuk ransomware.
After downloading and opening the infected document, the user is asked to allow macros to run; if they do, PowerShell is launched, which then downloads and executes the QakBot payload from the command-and-control server.
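The launch chain just described (an Office document's macro spawning PowerShell that fetches a payload) is one of the more reliable places to detect a QakBot delivery. The following detector is an added example, not code from Group-IB or the FBI; the process-creation events it scans are constructed and loosely modelled on Sysmon process-creation records exported as JSON.

```python
"""Flag Office -> PowerShell process launches, the pattern used to deliver QakBot.

Added example. Events below are constructed, not taken from a real incident.
"""
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Command-line fragments that point at a download-and-run stage rather than a
# benign administrative script; each match is recorded as an extra reason.
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "net.webclient",
                  "invoke-webrequest", "-enc", "hidden")

SAMPLE_EVENTS = [  # constructed sample data
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA(constructed)"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
]


def basename(path):
    """Lower-cased file name of a Windows path, so comparisons ignore install dirs."""
    return PureWindowsPath(path).name.lower()


def score_event(event):
    """Return (score, reasons); a score of 0 means nothing suspicious was seen."""
    reasons = []
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {child}")
        cmd = event.get("CommandLine", "").lower()
        hits = [h for h in DOWNLOAD_HINTS if h in cmd]
        if hits:
            reasons.append("command line contains " + ", ".join(hits))
    return len(reasons), reasons


def detect(events):
    """Return [(index, reasons)] for events that deserve an analyst's attention."""
    return [(i, r) for i, (s, r) in enumerate(map(score_event, events)) if s]


if __name__ == "__main__":
    for i, reasons in detect(SAMPLE_EVENTS):
        print(f"event {i}: " + "; ".join(reasons))
```

Only the first constructed event is flagged: Explorer launching PowerShell and Excel spawning the print spooler helper are ordinary and produce no reasons.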
The FBI also released a warning about ProLock this month. Its specialists explain that the ransomware appears to be operated by hand: it is deployed in the networks of compromised organizations manually, not automatically.
Hacker groups often break into a company's network themselves or buy access to an already compromised network from other attackers. They take control of the compromised host and then use it to move laterally across the network. Only after that, once the attackers have extended their access as far as possible, are the encryptors deployed, in manual mode.
This is how ProLock operators use QakBot. The case is not unique: experts previously found that the Ryuk and Maze ransomware often appear on computers already infected with the TrickBot Trojan, and the DoppelPaymer ransomware goes hand in hand with the Dridex malware. At the same time, it remains unclear whether ProLock was created by the same authors as QakBot, or whether ProLock operators buy access to QakBot-infected hosts from another hacking group.
The FBI also warned that the decryption tool the attackers provide to ProLock victims often does not work correctly and does not recover the data, even when the ransom has been paid.
“The decryptor could potentially corrupt files larger than 64 MB and damage the integrity of the file by about 1 byte for every 1 KB for files over 100 MB,” the FBI warns.