ProLock ransomware gives you the first 8 kilobytes of decryption for free
Quote:As organizations were scrambling to deal with the lockdowns associated with the global COVID-19 pandemic, a new wave of ransomware attacks began. The ransomware, called ProLock, is a successor to PwndLocker, a ransomware strain that emerged late in 2019.

PwndLocker’s distribution was short-lived, primarily because it was discovered that the keys needed to decrypt files could be recovered from the malware itself without paying a ransom. The retooled ProLock ransomware, which emerged in March, resulted in the opposite problem: in May, the Federal Bureau of Investigation issued an alert warning that victims who had paid the ransom demanded by ProLock’s operators had received a faulty decryptor that corrupted files it “decrypted.”

The faulty debugging may be connected to the unusual way in which ProLock encrypts files: it skips files smaller than 8,192 bytes, and starts encrypting larger files after the first 8,192 bytes. The result is files that are partially readable, and partially encrypted.

Sophos initially encountered ProLock when it was caught by Intercept X’s CryptoGuard component on a customer network in mid-March. The malware uses a PowerShell-based dropper that extracts Windows executable code from an accompanying graphics file—or at least, a file with a graphics format extension. And all of its malicious activities are concealed within legitimate Windows processes.

According to the FBI “flash”, victims of ProLock have included healthcare organizations, government agencies, financial institutions, and retailers. Victims are directed to contact the ProLock operators through a Tor-based (.onion) web portal or a ProtonMail email address. Following the current trend in ransomware set by Maze, REvil, and other established extortion operations, the ProLock actors “instruct victims to pay the ransom in several days, threatening to release the victims’ data on social media and public websites,” the FBI reports.

Picking the locks

ProLock has gained access to victims’ networks in several ways, with some leveraging third-party exploitation. In May, Oleg Skulkin, Senior Digital Forensics Analyst at Group-IB, told BleepingComputer that evidence he had uncovered showed some ProLock victims were infected through scripts executed by the QakBot banking trojan.

The FBI also cited Qakbot as one of ProLock’s means of initial access, as well as phishing emails and improperly configured Remote Desktop Protocol (RDP) servers, and remote access connections over RDP with stolen user credentials. The earliest detection of ProLock by Sophos was on a customer’s compromised server, most likely through an exploit of a Remote Desktop Protocol connection.

The ProLock actors use their access to conduct some network reconnaissance, as well as to potentially steal data before launching their ransomware attack. They then use the stolen or compromised credentials, built-in Windows tools and scripts to propagate the ransomware across the network.

When the time came to release the ransomware, we found in the case we analyzed that four files were dropped onto targeted systems, downloaded from a remote server (IP addresses are in the Indicators of Compromise file posted to SophosLabs’ GitHub).


Code:
C:\ProgramData\WinMgr.bmp
C:\ProgramData\WinMgr.xml
C:\ProgramData\clean.bat
C:\ProgramData\run.bat


Chain of destruction

ProLock malware depends on Windows batch scripts, the Windows Task Scheduler (through the schtasks.exe command line utility) and PowerShell to launch its attack.

The ransomware chain is set off with the execution of run.bat, which creates a scheduled Windows task to execute clean.bat using the contents of WinMgr.xml to configure the task. When it is launched by the scheduler, clean.bat executes a base64-encoded PowerShell script that extracts the ProLock executable file encoded into the image file WinMgr.bmp, loads it into memory, and executes it—passing parameters that control the encryption. (When executed without the PowerShell script, the executable runs—but doesn’t encrypt any files.)

[Image: EuGT56P.png]


Continue reading HERE
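The quoted article's most distinctive detail for responders is the encryption layout: files under 8,192 bytes are left alone, and larger files keep their first 8,192 bytes in cleartext. The triage helper below is an added example, not Sophos or ProLock code; it classifies a file body by comparing the byte entropy of the head against the tail. The 7.0 bits/byte threshold, the 512-byte minimum tail and the `make_sample` inputs are assumptions constructed for the example.

```python
import math
import random

SKIP_BYTES = 8192        # from the article: ProLock leaves the first 8,192 bytes of each file untouched
ENTROPY_THRESHOLD = 7.0  # assumption: bits/byte at or above which a chunk looks like ciphertext
MIN_TAIL = 512           # assumption: below this many bytes the tail entropy estimate is unreliable


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(data: bytes) -> str:
    """Triage one file body against the partial-encryption layout described for ProLock.
    'skipped'             - under 8,192 bytes, which ProLock does not touch
    'tail_too_short'      - not enough data after byte 8,192 to judge
    'partially_encrypted' - readable head, high-entropy tail: the ProLock layout
    'fully_encrypted'     - head and tail both high-entropy (another encryptor, or an
                            already-compressed format such as zip/docx/jpeg: check the type first)
    'intact'              - nothing after the head looks encrypted
    """
    if len(data) < SKIP_BYTES:
        return "skipped"
    head, tail = data[:SKIP_BYTES], data[SKIP_BYTES:]
    if len(tail) < MIN_TAIL:
        return "tail_too_short"
    head_hot = shannon_entropy(head) >= ENTROPY_THRESHOLD
    tail_hot = shannon_entropy(tail) >= ENTROPY_THRESHOLD
    if tail_hot:
        return "fully_encrypted" if head_hot else "partially_encrypted"
    return "intact"


def make_sample(total: int, encrypt_tail: bool, seed: int = 7) -> bytes:
    """Constructed input: low-entropy text, optionally with a pseudo-random tail standing
    in for ciphertext after byte 8,192 (no real encryption is performed)."""
    line = b"invoice 0001; amount due 120.00; see attached\n"
    body = (line * (total // len(line) + 1))[:total]
    if not encrypt_tail or total <= SKIP_BYTES:
        return body
    rng = random.Random(seed)
    return body[:SKIP_BYTES] + bytes(rng.getrandbits(8) for _ in range(total - SKIP_BYTES))


if __name__ == "__main__":
    for name, blob in [("small.txt", make_sample(4096, True)),
                       ("report.txt", make_sample(65536, True)),
                       ("notes.txt", make_sample(65536, False))]:
        print(f"{name}: {classify(blob)}")
```

Because the head is readable, file-type identification still works on a ProLock-encrypted file; run `classify` only on types whose cleartext is low-entropy, or baseline the head and tail entropy per type before trusting the verdict.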