On September 4, the FBI issued its second alert in less than six months about ProLock warning companies of the fact that the ransomware operators are stealing data from targeted organizations before encrypting them.
The group, which operates ProLock
, is the successor of the PwndLocker ransomware strain, which itself had been active only since October 2019. PwndLocker operators were ambitious from the start; they targeted enterprise networks with ransom demands ranging from the low-to mid-six figures. Despite these early successes, not everything went smoothly. PwndLocker was stopped dead in its tracks after its code was found to contain a bug that let anyone decrypt files without paying the ransom. The threat actors quickly patched it and rebranded their ransomware as ProLock in March 2020.
Following in the footsteps of its predecessor, ProLock has focused on so-called Big Game Hunting
. The fact that their ransom demands range anywhere from 35 to 255 Bitcoin
(approx. $400,000 to $3,000,000) only confirms their "think big" strategy. As for their area of activity, ProLock operators have so far focused on North America and Europe. Their most infamous known attack was in April on Diebold Nixdorf.
It was not long after ProLock emerged that Group-IB discovered
that the new group was using the Qakbot (also known as QBot) banking trojan to obtain initial access and described the ProLock's TTPs. Almost six months on from its debut the group has upgraded its methods. In this post we'll look at some of the recent tactics, techniques, and procedures (TTPs) used by ProLock operators.
For a more in-depth analysis of the attacker's TTPs and the full MITRE ATT&CK® mapping, download Group-IB's Lock Like a Pro: How Qakbot Fuels Enterprise Ransomware Campaigns white paper.