This month, security experts and law enforcement turned their attention to the ProLock cryptographer, who recently attacked one of the largest ATM manufacturers, Diebold Nixdorf. According to studies, it looks like the ProLock Cryptographer has teamed up with the famous QakBot Trojan.
Group-IB experts have dedicated a big report to the malware. They say that the ransomware appeared in March 2020 and is a successor of the PwndLocker malware, active since the end of 2019 (the malware was renamed to ProLock after Emsisoft experts found a way to decrypt the PwndLocker files). ProLock attacks most commonly target financial and medical organizations, government agencies, and the retail sector.ProLock operators use two main distribution vectors of the malware: the QakBot Trojan (Qbot) and unprotected RDP servers with weak passwords. While hacking of RDP servers is clear, using QakBot is a very interesting distribution vector. Previously, this trojan was associated with another family of ransomware, MegaCortex, but now it is used by ProLock operators”, – write researchers Group-IB.
As a rule, QakBot itself spreads through phishing campaigns. A phishing email may contain an attached Microsoft Office document or a link to a malicious file located in the cloud, for example, Microsoft OneDrive. There are also known cases of loading QakBot with another trojan, Emotet, which is widely known for participating in campaigns that distributed the Ryuk ransomware.
After downloading and opening the infected document, the user is asked to allow execution of macros; if successful, launched a PowerShell, which will allow the QakBot payload to be loaded and launched from the command server.
In addition, FBI issued this month a warning about ProLock.
The cryptographer seems to be manually controlled by operators, that is, it is installed on the networks of compromised organizations manually, and not automatically”, – explain in the FBI.
Hacker groups often hack or buy access to a network of a company from other attackers. They take the compromised host under control and then use it for lateral distribution over the network. Hackers deploy encryption agents after this, in manual mode, after expanding their access as much as possible.
This is how ProLock operators use Qakbot. This is not a unique case: previously, experts found that the Ryuk and Maze ransomware often appear on computers, previously infected with the TrickBot Trojan, and the DopplePaymer ransomware goes together with the Dridex malware. At the same time, it remains unclear whether ProLock was created by the same authors as Qakbot, or ProLock operators buy access to infected Qakbot hosts and work with another hack group.
However, this is not all you should know.
The decryptor could potentially corrupt files larger than 64 MB and damage the integrity of the file by about 1 byte for every 1 KB for files over 100 MB”, — also warns the FBI.
According to the federals, a tool for decrypting data that is provided by ProLock victims themselves often works incorrectly and does not help to save information, even if the ransom was paid.
