New Alert for Data Theft by ProLock Ransomware

Every day thousands of computers are infected by some type of virus, malware or ransomware. The FBI and other agencies have issued a series of alerts about data theft by the ProLock ransomware. This is not the first time this malware has caused havoc: its history dates back to 2019. Today we explain in detail what ProLock is and how it affects its victims.

Brief history of ProLock

ProLock first appeared in 2019 and is one of the many ransomware families that, unfortunately, circulate on the Internet. Its main objective is to encrypt the victims' files. The cybercriminals then demand a ransom in exchange for restoring access to the data.


One thing that sets ProLock apart from other ransomware is its association with the QakBot Trojan. The Trojan helps the operators evade detection, brings additional capabilities and harvests credentials from the infected machine.

QakBot is a banking Trojan that has at times been delivered by Emotet campaigns. It is distributed by email through phishing attacks in which malicious Word files are included as attachments. For the attack to succeed, the victim has to perform two actions: open the file received by email, and enable macros.
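Because the infection depends on a macro-enabled Word attachment, a mail gateway or triage script can classify attachments by content rather than by file extension. The following is an added example, not code from the original article or from any vendor: it inspects an OOXML (docx/docm) package for the VBA macro part, flags legacy OLE .doc files for manual review (their macros need an OLE parser such as oletools, which is not used here), and builds its own minimal, non-functional sample packages so it runs offline. The part name `word/vbaProject.bin` and the content type string are the real ones Word uses; the sample packages and the `build_sample` helper are constructed for this example.

```python
import io
import zipfile

# Real OOXML identifiers for the VBA macro part inside a Word package.
MACRO_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Magic bytes of an OLE2 compound file (legacy .doc) and of a ZIP (OOXML).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def classify_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'legacy-ole' or 'unknown'.

    The decision is made on the bytes, so a .docm renamed to .docx is still
    reported as carrying macros.
    """
    if data.startswith(OLE_MAGIC):
        # Legacy .doc: macros live in an OLE 'Macros' storage that needs an
        # OLE parser to inspect; route these for manual review.
        return "legacy-ole"
    if not data.startswith(ZIP_MAGIC):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = set(pkg.namelist())
            if MACRO_PART in names:
                return "ooxml-macro"
            try:
                content_types = pkg.read("[Content_Types].xml")
            except KeyError:
                return "unknown"  # not a well-formed OPC package
            # A macro part may be declared under a non-standard part name;
            # the content type override still gives it away.
            if MACRO_CONTENT_TYPE.encode() in content_types:
                return "ooxml-macro"
            return "ooxml-clean"
    except zipfile.BadZipFile:
        return "unknown"


def build_sample(with_macro: bool, part_name: str = MACRO_PART) -> bytes:
    """Construct a minimal Word-like package for testing (not a real document)."""
    overrides = (
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument'
        '.wordprocessingml.document.main+xml"/>'
    )
    if with_macro:
        overrides += f'<Override PartName="/{part_name}" ContentType="{MACRO_CONTENT_TYPE}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
            f'package/2006/content-types">{overrides}</Types>',
        )
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real compiled VBA project.
            pkg.writestr(part_name, OLE_MAGIC + b"constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [
        ("plain docx", build_sample(False)),
        ("docm", build_sample(True)),
        ("docm with renamed macro part", build_sample(True, "word/renamed.bin")),
        ("legacy doc", OLE_MAGIC + b"\x00" * 16),
        ("pdf", b"%PDF-1.4"),
    ]:
        print(f"{label:30s} -> {classify_attachment(blob)}")
```

A gateway would quarantine `ooxml-macro` results and hold `legacy-ole` for review; `ooxml-clean` still deserves the usual sandboxing, since macros are only one of the ways a document can carry a payload.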

ProLock therefore builds on the breaches that QakBot has already opened, which makes its attacks more targeted and more successful. A single email to the cybercriminals' intended recipient can be enough to get started.

Alerts about data theft by ProLock ransomware

On May 4, 2020, the FBI issued flash alert MI-000125-MW about the danger of data theft by the ProLock ransomware. As the problems caused by this malware kept growing, a new alert had to be issued: alert 20200901-001 of September 1, 2020.

In the May alert, businesses and individuals were warned that the ProLock decryptor does not work properly. Victims who pay may still lose their data, because files larger than 64 MB can be corrupted during the decryption process. Anyone who does attempt decryption should keep a copy of the encrypted files first.

ProLock's increased activity and effectiveness was due to its association with the QakBot banking Trojan, as discussed above. Once a computer has been infected with this ransomware, the victim sees a screen like the one shown below.

There you can see how the data has been stolen by the ProLock ransomware and how a ransom is demanded to recover it.

ProLock can demand large ransoms

The cybercriminals threaten to use the stolen data as leverage to persuade victim organizations to pay. Ransoms range from € 150,000 to more than € 500,000, depending on the size of the compromised network. To date, ProLock has encrypted the networks of organizations around the world across multiple industries, including healthcare, construction, finance and legal services, as well as government agencies.

The stolen data was stored in the cloud

Data theft by the ProLock ransomware relies on several attack vectors to breach victims' systems:

  1. Phishing emails carrying malicious QakBot attachments.
  2. The use of stolen credentials.
  3. The exploitation of configuration weaknesses in the system.

A noteworthy finding is that the criminals archived the stolen data and uploaded it to cloud storage platforms such as OneDrive, Google Drive and Mega, using the Rclone command-line cloud storage sync tool.
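Rclone is a legitimate administration tool, so the detection opportunity is in how it is invoked: a data-moving subcommand, a `remote:path` destination, and often a binary that has been renamed or dropped into a temp directory with a private `--config`. The following is an added example, not code from the original article or from the FBI alerts: it runs that logic over a few constructed process-creation records in a simple `host|user|image|command_line` format (not real telemetry) and shows how an allowlist keeps a legitimate backup job out of the results. The subcommand and flag names are real rclone ones; treating those flags as indicators, the record format and the sample lines are assumptions for this example.

```python
import re
import shlex
from dataclasses import dataclass, field

# rclone subcommands that push data to a remote (real rclone verb names).
EXFIL_VERBS = {"copy", "sync", "move", "copyto", "moveto"}

# Real rclone flags that often accompany hands-on-keyboard exfiltration;
# treating them as indicators is a tuning assumption, not an rclone fact.
SUSPICIOUS_FLAGS = {"--no-check-certificate", "--config", "--transfers", "--progress", "-P"}

# An rclone remote argument looks like "name:path" (or ":backend:path" for an
# on-the-fly remote). A Windows drive path such as "D:\Shares" must not count,
# and remote names are required to be at least two characters for that reason.
REMOTE_RE = re.compile(r"^:?(?P<remote>[A-Za-z0-9_.-]{2,}):")
DRIVE_RE = re.compile(r"^[A-Za-z]:([\\/]|$)")

# Constructed sample process-creation records: host|user|image|command_line.
SAMPLE_LOG = r"""
srv-fs01|CORP\svc_backup|C:\Program Files\rclone\rclone.exe|rclone.exe sync D:\Shares onedrive-backup:Backups --transfers 16
srv-fs01|CORP\jdoe|C:\Users\jdoe\AppData\Local\Temp\rc.exe|rc.exe copy E:\Finance mega:dump --config C:\Users\jdoe\AppData\Local\Temp\r.conf --no-check-certificate
ws-042|CORP\asmith|C:\Windows\System32\notepad.exe|notepad.exe report.txt
srv-db02|CORP\admin|C:\Tools\rclone.exe|rclone.exe lsd drive:
"""

# (user, remote) pairs known to be legitimate; a tuning assumption.
ALLOWLIST = frozenset({("CORP\\svc_backup", "onedrive-backup")})


@dataclass
class Finding:
    host: str
    user: str
    verb: str
    remote: str
    indicators: list = field(default_factory=list)


def remote_name(arg):
    """Return the remote name if arg looks like an rclone remote, else None."""
    if arg.startswith("-") or DRIVE_RE.match(arg):
        return None
    m = REMOTE_RE.match(arg)
    return m.group("remote") if m else None


def analyze_line(line, allowlist=frozenset()):
    """Parse one record and return a Finding, or None if it is not exfiltration."""
    host, user, image, cmdline = line.split("|", 3)
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes
    except ValueError:
        argv = cmdline.split()
    if not argv:
        return None
    verb = next((a for a in argv[1:] if a in EXFIL_VERBS), None)
    remotes = [r for r in map(remote_name, argv[1:]) if r]
    if verb is None or not remotes:
        return None
    remote = remotes[-1]  # the destination is the last remote argument
    if (user, remote) in allowlist:
        return None
    indicators = [f"{verb} to remote '{remote}'"]
    lowered = image.lower()
    if "rclone" in lowered:
        indicators.append("rclone binary name")
    else:
        indicators.append("rclone syntax under a different binary name")
    if "\\appdata\\" in lowered or "\\temp\\" in lowered:
        indicators.append("binary launched from a user-writable directory")
    indicators += sorted(f for f in argv if f in SUSPICIOUS_FLAGS)
    return Finding(host, user, verb, remote, indicators)


def scan(log_text, allowlist=frozenset()):
    """Run analyze_line over every non-empty record and collect the findings."""
    findings = (analyze_line(l, allowlist) for l in log_text.splitlines() if l.strip())
    return [f for f in findings if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, ALLOWLIST):
        print(f"{f.host} {f.user}: {f.verb} -> {f.remote}")
        for ind in f.indicators:
            print(f"    - {ind}")
```

Without the allowlist the backup account's nightly sync is reported too, which is the usual tuning problem with dual-use tools: the rule should be paired with an inventory of who is allowed to run rclone, and with network telemetry for the cloud providers named above, since a renamed binary hides the process name but not the destination.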

How to deal with ProLock and prevent it

Institutions such as the FBI and other security agencies advise those affected by ProLock attacks not to give in to the cybercriminals' demands by paying the ransom. Payment encourages the criminals to look for new victims and funds future illegal activity. Below is the attackers' ransom note, a document explaining what the victim must do to pay.

As you can see, to make the payment while keeping both sides anonymous, the attackers require it to be done through the Tor browser.

Finally, to avoid data theft by the ProLock ransomware, we recommend using common sense: do not open attachments from unexpected or untrusted senders and never enable macros in them, keep security tools in place, and install the latest patches and updates for all software.