The ProLock Ransomware

On May 4th 2020, the Federal Bureau of Investigation (FBI) issued a warning about a new ransomware dubbed “ProLock” that had been used against several important targets in healthcare, government, financial and retail organizations.  

This ransomware is an evolution of an earlier malware known as PwndLock. The perpetrators reportedly had to change the malware after researchers managed to find a way to decrypt files without the key, thus rendering the ransomware useless (from a criminal perspective).

Prolock belongs to a trend in ransomware where attackers go after victims with substantial assets and uptime requirements. The criminals do not immediately trigger destructive action after intrusion but spend considerable time doing reconnaissance and gaining access to other computers on the network. The goal is to find high-value data – file/document storages, customer information, database systems, mail spools – that can either be exfiltrated or encrypted and held for ransom. Backups are typically deleted if attackers can get access to them.

Intrusion, lateral movement and data exfiltration may contain a manual component, where a human operator interacts with the compromised systems, locally available tools and installed malware in order to gain the necessary access. The security provider Group-IB published an informative post which covers many of these aspects.

The FBI and Group-IB state that the initial intrusion was usually performed through:

• Phishing emails
• Poorly configured remote desktop protocol (RDP) access
• Stolen login credentials

It has been determined that the threat actors have been using Qakbot to spread the malware. Qakbot is a versatile malware which can be used for many things including network share spreading, banking theft, and installation of more malware. Even though Qakbot is now very old, malware authors constantly modify, compress and obfuscate it, so initial antivirus detection is not always guaranteed.

In addition to encrypting data, the ProLock attackers also steal data. To do this they have been using a legitimate tool called RClone, which is a command-line tool designed to sync data to/from cloud services.

Main payload

The payload is known to have been distributed hidden inside a JPG or PNG image file and extracted to disk using PowerShell. When intruders have gained enough of a foothold that they believe they can apply substantial pressure, they trigger this payload and ask for ransom. The ball is now in the victim's court.

The ProLock payload executable does the following when run:

• Decodes its main body (bulk of the code is XOR-encoded using a 32-bit key)
• Dynamically declares the Windows API calls it needs using LoadLibrary and GetProcAddress.
• Removes available shares to stop remote access
• Enables a series of privileges for itself.
• Deletes Volume Shadow Storage, if any
• Kills a lot of processes matching an internal list
• Stops a large amount of services associated with backup and security.
• Spins off threads to enumerate folders and encrypt files. Some folders and files are avoided, and some are outright deleted. Each visited folder will contain a file named “[HOW TO RECOVER FILES].TXT” with instructions on how to get in touch with the culprits. Encrypted files are appended with the file extension “.proLock”. (Variants may use different extensions.) The encryption logic can be buggy and the trojan can repeatedly encrypt the same files over and over ending with a situation where a file name looks like this:

• The encryption used is RSA-2048. This is a strong encryption.

Decryption and recovery

Recovery of files is very hard – likely impossible – without the decryption key. The FBI has advised that the decryptor provided by the attackers if a ransom is paid is buggy and may corrupt files that are larger than 64 MB.

Protection

NortonLifeLock Labs has identified a number of ProLock samples, including a few of its predecessor PwndLock. All of these are detected by the latest version of Norton security products. Verify your update status here: https://updatecenter.norton.com/

Advice to avoid ransomware and data loss:

• Use good backup systems. Consider to regularly put copies of critical data on offline storage. Make sure that you can access the backups if necessary.
• Be aware of the dangers of phishing and be careful with email attachments.
• Never allow macros to run in Microsoft Office unless you completely trust the source and function of the macros.
• Always use two-factor authentication (2FA) wherever possible
• Avoid re-using passwords. If your email or password shows up on sites like haveibeenpwned.com, change password immediately.
• Use reputable security software fitting your use and keep it updated.
• Make sure operating system and other third-party software is kept up to date.
• Don't pay the ransom if you at all can avoid it. There's no guarantee you'll get anything in return.

Editorial note: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about Cyber Safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime.

Appendix

Privileges enabled:

SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeManageVolumePrivilege
SeDebugPrivilege

Processes starting with the following 6 characters will be attempted killed:

agntsv
cntaos
dbeng5
dbsnmp
encsvc
excel.
firefo
infopa
isqlpl
mbamtr
msacce
msftes
mspub.
mydesk
mysqld
ntrtsc
ocauto
ocomm.
ocssd.
onenot
oracle
outloo
pccntm
powerp
sqbcor
sqlage
sqlbro
sqlser
sqlwri
steam.
syncti
tbirdc
thebat
thunde
tmlist
visio.
winwor
wordpa
xfssvc
zoolz.

Services attempted stopped:

"CSFalconService"
"McAfeeFramework"
"Alerter"
"AcronisAgent"
"Acronis VSS Provider"
"BackupExecAgentAccelerator"
"BackupExecDeviceMediaService"
"BackupExecJobEngine"
"BackupExecManagementService"
"BackupExecRPCService"
"BackupExecVSSProvider"
"DFSR"
"EPIntegrationService"
"EPProtectedService"
"EPSecurityService"
"EPUpdateService"
"MB3Service"
"MBAMService"
"MBEndpointAgent"
"MSExchangeES"
"MSExchangeMGMT"
"MSExchangeMTA"
"MSExchangeSA"
"MSExchangeSRS"
"MSExchangeADTopology"
"MSExchangeDelivery"
"MSExchangeDiagnostics"
"MSExchangeEdgeSync"
"MSExchangeHM"
"MSExchangeHMRecovery"
"MSExchangeIS"
"MSExchangeMailboxReplication"
"MSExchangeRPC"
"MSExchangeRepl"
"MSExchangeServiceHost"
"MSExchangeTransport"
"MSExchangeUM"
"MSExchangeUMCR"
"MSOLAP$*"
"MSSQLSERVER"
"MsDtsServer"
"MySQL57"
"OSearch15"
"OracleClientCache80"
"QuickBooksDB25"
"SPAdminV4"
"SPSearchHostController"
"SPTraceV4"
"SPUserCodeV4"
"SPWriterV4"
"SQLBrowser"
"SQLSafeOLRService"
"SQLsafe Backup Service"
"SQLSERVERAGENT"
"SQLTELEMETRY"
"SQLBackups"
"SQLAgent$*"
"MSSQL$*"
"MSMQ"
"ReportServer"
"ReportServer$*"
"SQLWriter"
"SQLBackupAgent"
"Symantec System Recovery"
"SyncoveryVSSService"
"VeeamBackupSvc"
"VeeamCatalogSvc"
"VeeamCloudSvc"
"VeeamEndpointBackupSvc"
"VeeamEnterpriseManagerSvc"
"VeeamMountSvc"
"VeeamNFSSvc"
"VeeamRESTSvc"
"VeeamTransportSvc
"Veeam Backup Catalog Data Service"
"epag"
"epredline"
"mozyprobackup"
"masvc"
"macmnsvc"
"mfemms"
"McAfeeDLPAgentService"
"psqlWGE"
"swprv"
"wsbexchange"
"WinVNC4"
"TMBMServer"
"tmccsf"
"tmlisten"
"VSNAPVSS"
"stc_endpt_svc"
"wbengine"
"bbagent"
"NasPmService"
"BASupportExpressStandaloneService_N_Central"
"BASupportExpressSrvcUpdater_N_Central"
"hasplms"
"EqlVss"
"EqlReqService"
"RapidRecoveryAgent"
"YTBackup"
"vhdsvc"
"TeamViewer"
"MSOLAP$SQL_2008"
"MSOLAP$SYSTEM_BGC"
"MSOLAP$TPS"
"MSOLAP$TPSAMA"
"MSSQL$BKUPEXEC"
"MSSQL$ECWDB2"
"MSSQL$PRACTICEMGT"
"MSSQL$PRACTTICEBGC"
"MSSQL$PROD"
"MSSQL$PROFXENGAGEMENT"
"MSSQL$SBSMONITORING"
"MSSQL$SHAREPOINT"
"MSSQL$SOPHOS"
"MSSQL$SQL_2008"
"MSSQL$SQLEXPRESS"
"MSSQL$SYSTEM_BGC"
"MSSQL$TPS"
"MSSQL$TPSAMA"
"MSSQL$VEEAMSQL2008R2"
"MSSQL$VEEAMSQL2012"
"MSSQLFDLauncher"
"MSSQLFDLauncher$PROFXENGAGEMENT"
"MSSQLFDLauncher$SBSMONITORING"
"MSSQLFDLauncher$SHAREPOINT"
"MSSQLFDLauncher$SQL_2008"
"MSSQLFDLauncher$SYSTEM_BGC"
"MSSQLFDLauncher$TPS"
"MSSQLFDLauncher$TPSAMA"
"MSSQLSERVER"
"MSSQLServerADHelper"
"MSSQLServerADHelper100"
"MSSQLServerOLAPService"
"SQLAgent$BKUPEXEC"
"SQLAgent$CITRIX_METAFRAME"
"SQLAgent$CXDB"
"SQLAgent$ECWDB2"
"SQLAgent$PRACTTICEBGC"
"SQLAgent$PRACTTICEMGT"
"SQLAgent$PROD"
"SQLAgent$PROFXENGAGEMENT"
"SQLAgent$SBSMONITORING"
"SQLAgent$SHAREPOINT"
"SQLAgent$SOPHOS"
"SQLAgent$SQL_2008"
"SQLAgent$SQLEXPRESS"
"SQLAgent$SYSTEM_BGC"
"SQLAgent$TPS"
"SQLAgent$TPSAMA"
"SQLAgent$VEEAMSQL2008R2"
"SQLAgent$VEEAMSQL2012"
"ReportServer$SQL_2008"
"ReportServer$SYSTEM_BGC"
"ReportServer$TPS"
"ReportServer$TPSAMA"

Folders containing these text strings are avoided:

“window”
“kasper”
“ahnlab”
“sophos”
“hitman”
“avast”
“mcafe”
“avg”
“eset”

These root folders are avoided:

“$Recycle.Bin”
“Windows”
“Boot”
“System Volume Information”
“PerfLogs"   

These level 1 folders are avoided:

"Common Files"
"DVD Maker"
"Internet Explorer"
"Kaspersky Lab"
"Kaspersky Lab Setup Files"
"WindowsPowerShell"
"Microsoft"
"Microsoft.NET"
"Mozilla Firefox"
"MSBuild"
"Windows Defender"
"Windows Mail"
"Windows Media Player"
"Windows NT"
"Windows Photo Viewer"
"Windows Portable Devices"
"Windows Sidebar"
"WindowsApps"
"All Users"
"Uninstall Information"

These level 4 folders are avoided:

"Adobe"
"Microsoft"
"Microsoft_Corporation"
"Packages"
"Temp"

Files with the following extensions are avoided:

.exe
.dll
.lnk
.ico
.msi
.chm
.sys
.hlf
.lng
.ttf
.cmd

Files containing these text strings in the file name are avoided:

“[how t”
“ntuser”
“bootm”
“boots”
“iconca”

Files with the following extensions are deleted:

.bac
.bak

Analysis based on sample with sha256 dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178