The FBI: ProLock ransomware installed via Qbot infected networks

ProLock ransomware targets healthcare and other sectors worldwide

ProLock installed via QakBot infected networks

ProLock installed via QakBot infected networks

As the COVID-19 pandemic continues, threat actors keep their eyes on the prize and target sectors that are particularly vulnerable during this time. The FBI recently issued a warning about a relatively new ransomware strain called ProLock,[1] which emerged in March 2020 – it is now often installed via Qbot (otherwise known as QakBot) infected network. Threat actors are still also using weakly protected Remote Desktop connections, as was reported by security company Group IB last week:[2]

Despite not being around long, ProLock has already made its mark, targeting financial, healthcare, government, and retail organizations. The group’s first big attack – that we know of, at least – happened at the end of April, when they successfully attacked Diebold Nixdorf – one of the major ATM providers.

In both scenarios, the operators themselves penetrate the network manually and then gain access for lateral movement. The so-called “human-operated ransomware,”[3] which ProLock is, is installed on the network manually, and a large number of files are also exfoliated to an external server. This technique is often employed by many large malware strains such as Sodinokibi, Maze, DoppelPaymer, and many others.

QakBot and ProLock

As the news about ProLock and QakBot came to light, security researchers pointed out that such collaborations between two malware strains are not uncommon. The well-known Maze ransomware was previously installed along with TrickBot Trojan, while Dridex-infected computers were also proliferating DoppelPaymer ransomware.

Such relations sometimes are easy to explain, as both parties participate in the same operation to maximize profits from their victims. Since malware allows the attackers behind ProLock to access computers infected with QakBot, it is important to isolate those machines from the network as soon as possible before trying to eliminate the infection, the FBI says.[4]

Currently, it is unknown whether the collaboration between these two malware families is operated by the same actors. QakBot, or Qbot, is a relatively old banking malware that was first introduced in 2009 and was previously seen in conjunction with MegaCortex ransomware,[5] while ProLock is a relatively new, although already successful, player in the scene.

Once QakBot penetrates the network, it does not immediately install ransomware but instead runs various background scripts to execute the malicious BMP or JPG file WinMgr into the memory – this technique is also called fileless infection and is often used to disguise the points of compromise. Once the payload is loaded, it allows operators of ProLock to move laterally from computer to computer that is connected to the same network.

For data exfoliation, the attackers use a tool called Rclone, which also allows them to access data stored on cloud storage services. To ensure that the ransom is paid, malicious actors delete Shadow Volume Copies and encrypt/delete backups if such are available. The downloaded sensitive data can also later be disclosed in case the victim fails to pay the ransom, which can sometimes reach up to $660k.

ProLock ransomware decryptor does not always work correctly

Many companies and businesses are put in a difficult situation if their networks get compromised by ransomware. Companies that do not agree to collaborate with the attackers face lengthy and costly recovery procedures, a significant downtime due to the inability to access systems. Also, ransomware operators have the most secret company files that they threaten to publish if the demands are not met on time.

Even if victims agree to pay the ransom, it does not mean that the decryptor will work correctly or even work at all. The FBI claimed that the decryption tool provided by ProLock actors does not always works correctly:

The decryption key or “decryptor” provided by the attackers upon paying the ransom has not routinely executed correctly. The decryptor can potentially corrupt files that are larger than 64MB and may result in file integrity loss of approximately 1 byte per 1KB over 100MB. Added coding may be necessary for the decryptor to function.

As a result, victims might lose access to some encrypted files permanently, even after paying the costly decryptor cost. Thus, companies are advised to secure their networks with complex passwords and employ the most advanced security solutions to prevent ProLock and Qbot infiltration.