Using well-known, typical intrusion tactics, the operators of ProLock ransomware have been able to carry out a large number of attacks at an average rate of nearly one attack per day. Initially, ProLock was named PwndLocker and came with a bug that allowed victims to unlock their files for free. After that failure, the operators fixed the flaw and renamed it ProLock. Since their rebranding in March of 2020, the ProLock operators have increased their activity and are demanding larger ransoms. The operators have no preference for particular targets or sectors, as long as the targeted companies can pay larger ransoms. Currently, they are demanding an average of $1.8 million USD from companies in Europe and North America. Over the past six months, the cybersecurity firm Group-IB has detected more than 150 ProLock operations, with the most recent victim being asked for 225 Bitcoins (currently around $2,322,472 USD). ProLock's tactics, techniques, and procedures are simple and effective: they have partnered with the Qakbot (QBot) banking trojan to gain initial access. Qakbot allows the ProLock operators to map networks, move laterally, and then deploy the ransomware on the most critical computer systems all at once.
Analyst Notes
ProLock uses simple but effective tactics, and there are simple but effective steps that organizations can take to defend against it. One of the primary methods of recovering from any ransomware attack is the 3-2-1 method of backing up information: keep three copies of data on two separate storage media, with one of them being offsite. Since Qakbot is still distributed through malicious documents sent in phishing emails, organizations should implement email threat protection and train their employees to recognize and report those emails before they become a problem. It is also advisable to staff a Security Operations Center around the clock, or employ the services of a third-party partner, such as Binary Defense, that has the capabilities to detect and defend against intrusions in real time and respond quickly, day or night, on weekdays, weekends and holidays. Attackers typically choose times after hours or on weekends to start the lengthy process of deploying ransomware, thinking that defenders will not be alert or respond very quickly.
Source Article: https://www.bleepingcomputer.com/news/security/prolock-ransomware-increases-payment-demand-and-victim-count/