ProLock Ransomware

Original Issue Date:-August 03, 2020
Virus Type:-Ransomware
Severity:-Medium

It has been reported that a new ransomware, dubbed, “ProLock” is spreading. This is a successor of PwndLocker ransomware strain that emerged in the late 2019. The ransomware affects organizations of various sectors including government, financial, retail and heath care organizations.

Initial access and infection mechanism:

ProLock obtains the access of victim’s network in several ways but the main vectors of initial access are: improperly configured RDP servers with weak credentials and QakBot (Qbot) Trojan. While the earlier vector is common among various malware attacks, the QakBot Trojan is one to note which is affiliated with MegaCortex ransomware and loaded via Emotet malware in erstwhile campaigns. The use of QakBot by the ProLock operators may be seen as a collaboration among threat actors to utilize the skill-set of multiple teams.

QakBot is typically distributed via phishing emails which may contain attachments of weaponized Microsoft Office documents or just links to such documents that are located on cloud storage – Microsoft OneDrive, for example. When the weaponized document is downloaded and opened, malicious macros enabled. Then, PowerShell is launched; and download and run the QakBot payload from the command-and-control (C2) server. ProLock payload is extracted from a BMP or JPG file, and is loaded into memory with PowerShell. Sometimes a scheduled task is used to run PowerShell.

Figure:1 Batch Script (Source: Group-IB)

Figure:2 A screenshot of WinMgr.bmp, the “graphics file” that carries the barely-concealed ProLock malware payload (source: Sophos)(Note the “noise” of steganography in the upper right hand corner.)

QakBot trojan armed the ransomware with increased capability such as keylogging and also able to download and run additional scripts like “Invoke-Mimikatz” (a PowerShell version of Mimikatz) for credential dumping. Through this tactic, the malware operators can siphon off privileged credentials and then use these for network discovery activities such as port scanning and Active Directory reconnaissance. Attackers also use “AdFind” to query Active Directory.

ProLock then uses RDP to move laterally across network and collect data for exfiltration by using a command-line tool “Rclone” that is capable of synching files to and from different cloud storage providers (such as OneDrive, Google Drive, Mega, etc.). The ransomware tries to shut down more than 150 services linked to enterprise applications, security software, and backups by using net.exe. (For the full list of targeted services and processes, please visit the URLs given in “IOC” below.) ProLock deletes the shadow copies of local files using vssadmin.exe to prevent recovery.

While making the guarding factors out of the way, the ransomware starts encrypting the files which are more than 8192 bytes and append extension .proLock, .pr0Lock or .proL0ck extension to each encrypted file and drops a text file named [HOW TO RECOVER FILES].TXT to each folder containing ransom note and other instructions.

Figure:3 ProLock ransom note (source: Sophos)

Ransom note mentions for a TOR browser downloading and use victim’s user ID to pay ransom. However, as seen, the decryption key or decryptor received after paying ransom also has bug. The decryptor can potentially corrupt files that are larger than 64MB and may result in file integrity loss of approximately 1 byte per 1KB over 100MB.

QakBot also employs tactics to avoid detection. It checks for newer version of itself and replaces if found. Executables are signed with a fake or stolen signature. PowerShell downloads the initial payloads and stores it on the server with a PNG extension and it's replaced with the legitimate file calc.exe after execution. As observed, ProLock operators have not setup any website for publishing exfiltrated data in case of ransom failure.

Indicators of compromise:

Files:

  • C:\ProgramData\WinMgr.bmp
  • C:\ProgramData\WinMgr.xml
  • C:\ProgramData\clean.bat
  • C:\ProgramData\run.bat

For complete list, please refer

BTC Wallet Address:

  • 1LVLHAs4Vq9Yt9nHvvrgw9djtA7BiR8sKM (for incident response only, do not pay ransom)

Email Contact:

  • support981723721[AT]protonmail.com

Detection:

  • Win32:Evo-gen [Susp]
  • Trojan.Peed.Gen
  • Trojan:Win32/Wacatac.D!ml

For full list, please refer:

Refer list of the processes and services targeted by the ransomware at:

Countermeasures and Best practices for prevention:

  • Users are advised to disable their RDP if not in use, if required, it should be placed behind the firewall and users are to bind with proper policies while using the RDP.
  • Install ad blockers to combat exploit kits such as Fallout that are distributed via malicious advertising.
  • All operating systems and applications should be kept updated on a regular basis. Virtual patching can be considered for protecting legacy systems and networks. This measure hinders cybercriminals from gaining easy access to any system through vulnerabilities in outdated applications and software. Avoid applying updates / patches available in any unofficial channel.
  • Restrict execution of Power shell /WSCRIPT in an enterprise environment. Ensure installation and use of the latest version of PowerShell, with enhanced logging enabled. Script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
    https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
  • Establish a Sender Policy Framework (SPF) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
  • Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations.
  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through browser.
  • Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
  • Consider encrypting the confidential data as the ransomware generally targets common file types.
  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Network segmentation and segregation into security zones - help protect sensitive information and critical services. Separate administrative network from business processes with physical controls and Virtual Local Area Networks.

References: