ProLock, Successor to PwndLocker, Performs Hybrid Encryption
In late 2019, a strain of ransomware name ProLock has been making its rounds across the internet. ProLocker is the successor of PwndLocker, which had a short-lived life due to implementation flaws that allowed the decryption keys to be extracted from the malware itself. ProLocker is unique even among ransomware in that it does not encrypt the 8,192 bytes leaving files to be a hybrid of plaintext and encrypted.
ProLock has gained access into victims’ networks in multiple way including using some third-party exploitation, however most victims were infected through scripts used by the QakBot banking trojan. Other attack vectors include phishing emails, improperly configured Remote Desktop Protocol servers, and remote access connections over RDP with stolen user credentials.
ProLock malware depends on Windows batch scripts, Windows Task Scheduler, and PowerShell. The execution chain starts with the running of “run.bat” which creates a scheduled Windows task to execute the next batch script “clean.bat” using the contents of WinMgr.xml to configure the job. Once the scheduled task executes “clean.bat”, a base64-encoded PowerShell script extracts ProLock executable file which is encoded into the image file WinMgr.bmp (using steganography techniques), which is then loaded into memory and executed.
After ProLock has executed it runs various functions to check for problematic registry settings, security policies, applications and services. If any of the items match its internal list, they are immediately stopped to ensure there will not be any locked files when starting to encrypt the disk.
Currently ProLock is not attributed to any one Advanced Persistent Threat actors. However the motivation behind the attacks is purely financial, having been seen with common banking trojans.
Sophos has put out recommended mitigation to help prevent this kind of attack including:
- Putting RDP access behind a virtual private network
- Using multi-factor authentication for remote access
- Maintaining offline backups
- Up-to-date endpoint protection
Sources: