
ProLock Ransomware

  • By Elite CIO
  • Date Aug 13, 2020

ProLock Ransomware is a newly identified “human-operated” file-encrypting Windows strain.

It has been reported that a new ransomware, dubbed "ProLock", is spreading. It is a successor of the PwndLocker ransomware strain that emerged in late 2019. The ransomware affects organizations across various sectors, including government, financial, retail and health care organizations.

Initial access and infection mechanism:

ProLock obtains access to a victim’s network in several ways, but the main initial-access vectors are improperly configured RDP servers with weak credentials and the QakBot (Qbot) Trojan. While the former vector is common among many malware attacks, the QakBot Trojan is notable: it has been affiliated with MegaCortex ransomware and was loaded via Emotet malware in earlier campaigns. The use of QakBot by the ProLock operators may be seen as a collaboration among threat actors to combine the skill-sets of multiple teams.

QakBot is typically distributed via phishing emails that contain either weaponized Microsoft Office documents as attachments or links to such documents hosted on cloud storage (Microsoft OneDrive, for example). When the weaponized document is downloaded and opened, its malicious macros are enabled. PowerShell is then launched to download and run the QakBot payload from the command-and-control (C2) server. The ProLock payload is extracted from a BMP or JPG file and loaded into memory with PowerShell. Sometimes a scheduled task is used to run PowerShell:

schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn Winmgr

schtasks.exe /RUN /tn WinMrg

del C:\Programdata\WinMgr.xml

del C:\Programdata\run.bat

The QakBot Trojan arms the ransomware operators with increased capabilities such as keylogging, and it is also able to download and run additional scripts like "Invoke-Mimikatz" (a PowerShell version of Mimikatz) for credential dumping. Through this tactic, the malware operators can siphon off privileged credentials and then use them for network discovery activities such as port scanning and Active Directory reconnaissance. Attackers also use "AdFind" to query Active Directory.

ProLock operators then use RDP to move laterally across the network and collect data for exfiltration using the command-line tool "Rclone", which is capable of syncing files to and from different cloud storage providers (such as OneDrive, Google Drive, Mega, etc.). The ransomware tries to shut down more than 150 services linked to enterprise applications, security software and backups by using net.exe. (For the full list of targeted services and processes, please visit the URL given under "IOC" below.) ProLock deletes the shadow copies of local files using vssadmin.exe to prevent recovery.

With these guarding factors out of the way, the ransomware starts encrypting files larger than 8192 bytes, appends the extension .proLock, .pr0Lock or .proL0ck to each encrypted file, and drops a text file named [HOW TO RECOVER FILES].TXT into each folder, containing the ransom note and further instructions.
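The host-level behaviours described above (an Office application spawning PowerShell, a scheduled task registered from an XML file in ProgramData, a burst of net stop commands, and shadow-copy deletion with vssadmin.exe) can be turned into detection rules run over process-creation telemetry. The Python below is an added example, not part of the original advisory: it runs over constructed Sysmon-style events, and the service names, host names and the stop-count threshold are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events shaped like a Sysmon Event ID 1 export:
# (host, parent image, image, command line). Sample data, not real telemetry.
EVENTS = [
    ("WS01", "WINWORD.EXE", "powershell.exe", "powershell.exe -nop -w hidden -c <stage2>"),
    ("WS01", "cmd.exe", "schtasks.exe", r"schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr"),
    ("WS01", "cmd.exe", "schtasks.exe", "schtasks.exe /RUN /tn WinMgr"),
    ("SRV02", "cmd.exe", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("FS01", "explorer.exe", "schtasks.exe", "schtasks.exe /QUERY /tn Backup"),  # benign admin use
] + [("SRV02", "cmd.exe", "net.exe", f"net stop {svc} /y") for svc in [  # illustrative service names
    "MSSQLSERVER", "SQLWriter", "MSExchangeIS", "VeeamBackupSvc", "BackupExecJobEngine",
    "SAVService", "SophosAgent", "McAfeeFramework", "WinDefend", "VSS", "wbengine", "sqlagent"]]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def office_spawned_powershell(parent, image, _cmd):
    # Macro -> PowerShell hand-off from the phishing stage.
    return parent.lower() in OFFICE_APPS and image.lower() == "powershell.exe"

def schtasks_xml_in_programdata(_parent, image, cmd):
    # Task registered from an XML file dropped into ProgramData, as in the ProLock chain.
    return image.lower() == "schtasks.exe" and bool(
        re.search(r"/create\b.*?/xml\s+\S*programdata", cmd, re.IGNORECASE))

def shadow_copy_deletion(_parent, image, cmd):
    return image.lower() == "vssadmin.exe" and bool(re.search(r"\bdelete\s+shadows\b", cmd, re.IGNORECASE))

def is_net_stop(image, cmd):
    return image.lower() in {"net.exe", "net1.exe"} and bool(re.match(r"net1?(\.exe)?\s+stop\b", cmd, re.IGNORECASE))

PER_EVENT_RULES = {
    "office_spawned_powershell": office_spawned_powershell,
    "schtasks_xml_in_programdata": schtasks_xml_in_programdata,
    "shadow_copy_deletion": shadow_copy_deletion,
}

def detect(events, stop_threshold=10):
    """Return {host: sorted rule names}; stop_threshold is an assumed tuning value."""
    hits, net_stops = defaultdict(set), defaultdict(int)
    for host, parent, image, cmd in events:
        for name, rule in PER_EVENT_RULES.items():
            if rule(parent, image, cmd):
                hits[host].add(name)
        net_stops[host] += is_net_stop(image, cmd)  # bool counts as 0/1
    for host, count in net_stops.items():
        if count >= stop_threshold:  # mass service shutdown is a volume signal, not one event
            hits[host].add("mass_service_stop")
    return {host: sorted(rules) for host, rules in hits.items()}
```

Running detect(EVENTS) flags WS01 for the phishing and persistence stages and SRV02 for the defence-evasion stage, while the benign schtasks query on FS01 produces no hit.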

IOC: for the complete list, please refer to

https://github.com/sophoslabs/IoCs/blob/master/Ransomware-ProLock.csv

BTC Wallet Address:

1LVLHAs4Vq9Yt9nHvvrgw9djtA7BiR8sKM (for incident response only, do not pay ransom)

Detection:

Win32:Evo-gen [Susp]

Trojan.Peed.Gen

Trojan:Win32/Wacatac.D!ml

Countermeasures and best practices for prevention:

Users are advised to disable RDP if it is not in use; where it is required, it should be placed behind a firewall and used only under proper access policies.

Install ad blockers to combat exploit kits, such as Fallout, that are distributed via malicious advertising.

All operating systems and applications should be kept updated on a regular basis. Virtual patching can be considered for protecting legacy systems and networks. This measure hinders cybercriminals from gaining easy access to any system through vulnerabilities in outdated applications and software. Avoid applying updates/patches obtained from any unofficial channel.

Restrict execution of PowerShell/WSCRIPT in an enterprise environment. Ensure installation and use of the latest version of PowerShell, with enhanced logging enabled (script block logging and transcription). Send the associated logs to a centralized log repository for monitoring and analysis.

https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

Establish a Sender Policy Framework (SPF) record for your domain. SPF is an email validation system designed to prevent spam by detecting email spoofing, the technique by which most ransomware samples successfully reach corporate mailboxes.

Apply application whitelisting or strictly implement Software Restriction Policies (SRP) to block binaries running from the %APPDATA% and %TEMP% paths. Ransomware samples generally drop and execute from these locations.

Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In the case of a genuine URL, close the e-mail and go to the organization’s website directly through the browser.

Block attachments of the following file types: exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
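A plain extension match on that list misses the tricks phishing attachments rely on, so the added Python example below (not from the original post) checks the whole extension chain of an attachment name, normalises case, drops directory parts and strips the trailing dots and spaces that Windows discards on file creation.

```python
# Attachment extension block-list from the advisory above, normalised to lower case.
BLOCKED_EXTENSIONS = set(
    "exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf".split("|"))

def extension_chain(filename):
    """Return every extension component of a file name, e.g. 'scan.pdf.exe' -> ['pdf', 'exe'].
    Directory parts are dropped, and trailing dots and spaces are stripped first because
    Windows removes them on file creation, so 'invoice.exe. ' still lands as invoice.exe."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
    return [part for part in name.split(".")[1:] if part]

def should_block(filename):
    """Block when any component of the extension chain is on the list, not only the last one.
    This catches double-extension lures such as 'scan.pdf.exe', which Explorer shows as
    'scan.pdf' when known extensions are hidden; as a deliberate trade-off it also flags
    renamed executables such as 'setup.exe.txt'."""
    return any(ext in BLOCKED_EXTENSIONS for ext in extension_chain(filename))
```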

Consider encrypting confidential data, as ransomware generally targets common file types.

Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.