A study from Group-IB reveals the modus operandi of the newly discovered ProLock’s ransomware attack.
A new type of ransomware attack emerged in recent months, raising red flags among the cybersecurity community and authorities such as the FBI in the United States. Cybersecurity firm Group-IB has warned that it comes in the form of a Trojan, according to a report published on May 17.
According to Group-IB’s study, the ransomware is known as ProLock and relies on the Qakbot banking trojan to launch the attack and asks the targets for six-figure USD ransoms paid out in BTC to decrypt the files.
The roster of victims includes local governments, financial, healthcare and retail organizations. Among them, the attack that Group-IB considers the most notable was against ATM provider Diebold Nixdorf.
35 BTC as the total payment in a ProLock attack
The FBI detailed that the ProLock attack initially gains access to victim networks through phishing emails that often deliver Microsoft Word documents. Qakbot then interferes with configuring a remote desktop protocol and steals login credentials for systems with single-factor authentication.
According to Group-IB, the ransomware attacks ask for a total payment of 35 BTC — worth $337,750 as of press time. However, a Bleeping Computer study shows that ProLock demands an average of $175,000 to $ 660,000 per attack, depending on the size of the targeted network.
Speaking with Cointelegraph, Brett Callow, threat analyst at malware lab Emsisoft, explained some details about this new cyber threat:
“ProLock is unusual in that it is written in assembly and deployed using Powershell and shellcode. The malicious code is stored in either XML, video, or image files. Notably, the ProLock decryptor supplied by the criminals does not work correctly and corrupted data during the decryption process.”
Callow added that although Emsisoft developed a decryptor to recover victims’ data affected by ProLock without loss, such software does not remove the need for the ransom to be paid as it relies on the key supplied by the criminals.
ProLock doesn’t leak the stolen data
Although the techniques used by ProLock operators are similar to those of known ransomware groups that filter stolen data like Sodinokibi and Maze, Group-IB clarified the following:
“Unlike their peers, though, ProLock operators still don’t have a website where they publish exfiltrated data from companies that refuse to pay the ransom.”
Latest ransomware attacks
Cointelegraph has reported several ransomware attacks in recent weeks.
Ransomware group Maze claimed on May 19 to have hacked United States egg producer Sparboe, leaking preliminary information on a website to prove that they committed the attack.
A ransomware gang called REvil recently threatened to release almost 1TB of private legal secrets from the world’s biggest music and movie stars, such as Lady Gaga, Elton John, Robert DeNiro, Madonna, among others.