10.09.2020

Lock Like a Pro: Dive in Recent ProLock's
Big Game Hunting


Oleg Skulkin
Senior Digital Forensics Analyst at Group-IB
Semyon Rogachev
Malware Analyst at Group-IB
Introduction
On September 4, the FBI issued its second alert in less than six months about ProLock warning companies of the fact that the ransomware operators are stealing data from targeted organizations before encrypting them.

The group, which operates ProLock, is the successor of the PwndLocker ransomware strain, which itself had been active only since October 2019. PwndLocker operators were ambitious from the start; they targeted enterprise networks with ransom demands ranging from the low-to mid-six figures. Despite these early successes, not everything went smoothly. PwndLocker was stopped dead in its tracks after its code was found to contain a bug that let anyone decrypt files without paying the ransom. The threat actors quickly patched it and rebranded their ransomware as ProLock in March 2020.

Following in the footsteps of its predecessor, ProLock has focused on so-called Big Game Hunting. The fact that their ransom demands range anywhere from 35 to 255 Bitcoin (approx. $400,000 to $3,000,000) only confirms their "think big" strategy. As for their area of activity, ProLock operators have so far focused on North America and Europe. Their most infamous known attack was in April on Diebold Nixdorf.

It was not long after ProLock emerged that Group-IB discovered that the new group was using the Qakbot (also known as QBot) banking trojan to obtain initial access and described the ProLock's TTPs. Almost six months on from its debut the group has upgraded its methods. In this post we'll look at some of the recent tactics, techniques, and procedures (TTPs) used by ProLock operators.

For a more in-depth analysis of the attacker's TTPs and the full MITRE ATT&CK® mapping, download Group-IB's Lock Like a Pro: How Qakbot Fuels Enterprise Ransomware Campaigns white paper.
Initial Access
Qakbot is usually distributed via phishing emails, and the campaigns associated with ProLock are no exception. Their phishing emails contain links or attachments, which in most cases are ZIP archives with heavily obfuscated VBScripts. Similar scripts are used as a delivery mechanism for other trojans, such as Dridex and Ursnif.

Another noteworthy aspect of these emails is that they usually involve the thread-hijacking technique. Such emails originate from a compromised account or attacker-controlled system. Since the emails appear to come from a trusted source, it is more likely that the victim will download and click on the malicious VBScript.

The technique used to masquerade such emails is highly effective, yet the content is simple and straightforward:
Figure 1. Example of phishing email body
In some cases, weaponized Office documents are used instead of VBScripts. Such documents include malicious macros that, once enabled, drop a batch file into the %PUBLIC% folder, triggering PowerShell to download and execute a Qakbot payload from one of the compromised websites.

In their most recent campaigns, Qakbot operators added another link to the chain: the notorious Emotet trojan, which has a long history of being involved in Big Game Hunting operations.
Network reconnaissance and lateral movement
Once the adversary has gathered general information about the compromised host and understands that it is located in a domain of interest, Bloodhound was used to collect more detailed information. The output is written to the same folder and is in the form of zipped JSON files — a standard Sharphound (part of Bloodhound) output.

In at least one case, the attackers profiled the compromised network again, just before the ProLock deployment, but this time using another Active Directory reconnaissance tool: ADFind. This could indicate that multiple individuals or teams were working on the same target.

At the same time, Group-IB noticed that the team or individual working on ransomware deployment was closely connected to Qakbot operators. For example, they used PsExec to manually distribute Qakbot throughout the company.

Moreover, this was not the only case when PsExec was used. The attackers also used Remote Desktop Protocol (RDP) for lateral movement. This was not the most effective route, however, as RDP was not available on every host. To overcome this obstacle, they used a batch script to enable it, which was run via PsExec on available hosts.

This was not the only script deployed using PsExec: another example is a Cobalt Strike Beacon stager. Today, many adversaries — especially those involved in Big Game Hunting operations — have this dual-use tool in their arsenals and often use PowerShell one-liners to run stagers. ProLock operators are no exception.

In some cases, ProLock operators used an exploit for the CVE-2019-0859 vulnerability to escalate their privileges on the compromised host. They achieved this by resorting to a separate executable file.

With regard to ProLock distribution, the ransomware can be either dropped by Qakbot or downloaded from an adversary-controlled server using Background Intelligent Transfer Service (BITS).

In some cases, WMIC is also used to execute the script on the remote hosts — a common technique in modern ransomware attacks.
Impact
Before ProLock ransomware is deployed, the threat actors sometimes perform data exfiltration. To do so, they use Rclone, a command-line tool for managing files on cloud storage, which supports a large number of such storage providers. The executable file is usually masqueraded to look like a legitimate file (e.g. svchost.exe). Another preemptive measure involves the threat actors deploying pre-made batch scripts via Group Policy to disable antivirus software. They also wipe backups from the relevant servers.

ProLock itself consists of two components: a batch file and a file with a disguised payload. During incident response engagements, Group-IB has seen the following file types being used to store payloads: JPG, BMP, and CSV:
Figure 2. Decoded contents of a PowerShell script
Both files are dropped into the %ALLUSERSPROFILE% folder. Once executed, the launcher extracts and executes the ProLock code.

One of the largest ransom amounts Group-IB has ever encountered was 90 BTC, which is around $1,000,000:
In another recent case, known to Group-IB's DFIR team, ProLock operators demanded as much as 255 BTC.
Conclusion
The emergence of ProLock is a clear sign that the threat of Big Game Hunting continues to loom large. The group's use of Qakbot may be straight out of the enterprise ransomware operation playbook, but the approach remains effective.

Despite only using standard tools for post-exploitation, ProLock operators have, for the most part, managed to remain undetected until the ransomware is deployed on the target hosts.

Moreover, although the dwell time in attacks is about a month, many organizations still find it difficult to detect malicious activity in time due to the lack of well-trained personnel, properly configured security controls, and appropriate cyber threat intelligence consumption.
Want to make sure that you don't become the next victim of ransomware?
For more than 17 years Group-IB's DFIR Lab has investigated cybercrimes around the world. During this time, we've clocked in more than 60,000 hours of incident response to the most complex cyberattacks.

If our experience has taught us anything, it's that a professional response to ransomware is extremely important. Just as important as having a proactive approach to responding to potential threats.

Group-IB's Incident Response Retainer allows your company to meet these challenges and maintain peace of mind. Sign up for Group-IB's Incident Response Retainer today.
Learn more
How Qakbot Fuels Enterprise Ransomware Campaigns
For a more in-depth analysis of the ProLock's TTPs and the full
MITRE ATT&CK® mapping, download Group-IB's most recent white paper.