Rewterz Threat Alert – ProLock Ransomware Exfiltrates Data and Encrypts Files

Severity

High

Analysis Summary

Since March 2020, unknown cyber actors using ProLock ransomware have exfiltrated data from victim organizations and threatened to publicly release it unless the victim pays the ransom. ProLock has infected victims in the healthcare, financial, construction, and legal sectors, as well as the industrial base and government agencies. ProLock actors have employed several initial attack vectors to compromise systems, including phishing emails carrying a variant of the Qakbot Trojan as an attachment, abuse of improper system configurations and/or stolen credentials, and use of Cobalt Strike to stage the malicious files on a victim's computer system. Before encryption, the actors exfiltrate data from the victim organization to a cloud-based file sharing platform using the command line file syncing program rclone.exe, which is renamed to svchost.exe on the victim's system to blend in with the legitimate Windows service host. ProLock then encrypts data on workstations and servers and leaves a ransom note instructing the victim to visit a Tor page and log in with a unique ID included in the note. The Tor page displays the ransom price and the digital currency wallet address for payment. The ransom note states that the decryption keys will be retained for one month and provides a contact email address.

Impact

  • Data exfiltration
  • File encryption
  • Possible confidentiality breach

Indicators of Compromise

Extension

  • [.]proLock
  • [.]pr0Lock
  • [.]key
  • [.]pwnd
  • [.]proL0ck

Filename

  • [HOW TO RECOVER FILES][.]TXT
  • WinMgr[.]xml
  • WinMgr[.]bmp
  • clean[.]bat
  • run[.]bat
  • svchost[.]exe

MD5

  • c579341f86f7e962719c7113943bb6e4
  • 7f5e4679edcfae6068ffa2051c4010fa

SHA-256

  • a6ded68af5a6e5cc8c1adee029347ec72da3b10a439d98f79f4b15801abd7af0
  • 8ef5c9aed65c4561a0e30f9b579cd96c6b97b385b9f1d57d6dab5a9f2bcf9e6f

SHA1

  • e2a961c9a78d4c8bf118a0387dc15c564efc8fe9
  • dd7af4dfd19a62982a0d5de8b35e331a481a6aad

Remediation

  • Scan for IoCs and block at their respective controls, if found.
  • Backup data regularly, keep offline backups, and test them frequently.
  • Keep all systems and software updated and patched against all known vulnerabilities.
  • Audit logs for all remote connection protocols.
  • Consider disabling Remote Desktop Protocol (RDP) if it is not being used.
  • Do not download unexpected email attachments coming from untrusted sources.
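To make the "scan for IoCs" step and the rclone-as-svchost.exe pattern from the analysis concrete, the following is an added detection example (not part of the Rewterz advisory or any vendor tool) that runs over constructed process-creation events: it flags svchost.exe running outside System32/SysWOW64, svchost.exe launched with rclone-style arguments, and any image whose hash matches the MD5/SHA-256 values listed above. The allow-listed paths, the rclone argument hints, and the sample log entries are assumptions.

```python
# Added example, not part of the Rewterz advisory: flag process-creation events that
# match the ProLock staging pattern above (rclone.exe renamed to svchost.exe).
import json
import ntpath

# The hash sets are the advisory's IoCs; the path allow-list and rclone hints are assumptions.
IOC_MD5 = {"c579341f86f7e962719c7113943bb6e4", "7f5e4679edcfae6068ffa2051c4010fa"}
IOC_SHA256 = {"a6ded68af5a6e5cc8c1adee029347ec72da3b10a439d98f79f4b15801abd7af0",
              "8ef5c9aed65c4561a0e30f9b579cd96c6b97b385b9f1d57d6dab5a9f2bcf9e6f"}
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
RCLONE_VERBS = {"sync", "copy", "move"}
RCLONE_FLAGS = ("--config", "--transfers")

def analyse_event(ev):
    """Return the reasons an event looks like ProLock staging, or [] if clean."""
    reasons = []
    image = ev.get("Image", "")
    name = ntpath.basename(image).lower()
    tokens = ev.get("CommandLine", "").lower().split()
    # Sysmon-style "MD5=...,SHA256=..." string -> {"MD5": ..., "SHA256": ...}
    hashes = dict(p.split("=", 1) for p in ev.get("Hashes", "").split(",") if "=" in p)
    if name == "svchost.exe" and ntpath.dirname(image).lower() not in LEGIT_SVCHOST_DIRS:
        reasons.append("svchost.exe running outside System32/SysWOW64")
    if name == "svchost.exe" and any(t in RCLONE_VERBS or t.startswith(RCLONE_FLAGS) for t in tokens):
        reasons.append("svchost.exe launched with rclone-style arguments")
    if hashes.get("MD5", "").lower() in IOC_MD5 or hashes.get("SHA256", "").lower() in IOC_SHA256:
        reasons.append("image hash matches an advisory IoC")
    return reasons

def scan_log(lines):
    """Parse JSON-lines process events; return {ProcessId: [reasons]} for hits only."""
    hits = {}
    for line in lines:
        ev = json.loads(line)
        reasons = analyse_event(ev)
        if reasons:
            hits[ev["ProcessId"]] = reasons
    return hits

# Constructed sample events (not real telemetry); event 303 pairs an advisory MD5 with a made-up path to exercise the hash check.
SAMPLE_LOG = [
    json.dumps({"ProcessId": 101, "Image": r"C:\Windows\System32\svchost.exe",
                "CommandLine": "svchost.exe -k netsvcs", "Hashes": "MD5=" + "00" * 16}),
    json.dumps({"ProcessId": 202, "Image": r"C:\Users\Public\svchost.exe",
                "CommandLine": r"svchost.exe sync C:\Finance cloud:stage --config C:\Users\Public\rc.conf",
                "Hashes": "MD5=" + "11" * 16}),
    json.dumps({"ProcessId": 303, "Image": r"C:\Users\Public\update.exe",
                "CommandLine": "update.exe", "Hashes": "MD5=C579341F86F7E962719C7113943BB6E4"}),
]
```

Running `scan_log(SAMPLE_LOG)` leaves the genuine service host untouched and returns two reasons for the renamed rclone and one for the hash match; in production the same logic would be fed from Sysmon Event ID 1 or equivalent EDR process telemetry.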