FBI: ProLock Ransomware Teams Up With QakBot Trojan to Infect Victims
By Megha Malhotra
Earlier this month the FBI issued a security alert regarding a new ransomware strain named ProLock, which has been deployed in intrusions at healthcare organizations, government entities, financial institutions and retail organizations.
Alongside the alert about the connection between QakBot and ProLock, the FBI also cautioned victims about bugs in the ProLock decryptor, the application the ProLock operators hand over to victims so that they can decode their files after paying the ransom.
The FBI added “The decryption key or ‘decryptor’ provided by the attackers after paying the ransom has not routinely executed effectively. The decryptor can potentially corrupt files that are larger than 64MB and may result in file integrity loss of approximately 1 byte per 1KB over 100MB.”
What is ProLock?
First spotted in March 2020, ProLock is part of the category of “human-operated ransomware.” These are ransomware strains which are manually installed on the networks of hacked companies. Hacker gangs breach or lease access to a hacked network, take control of the infected host, spread laterally through the network, and then deploy the ransomware after escalating their access.
ProLock ransomware is a successor to another recent malware strain, PwndLocker, and has made its mark targeting financial, healthcare, government and retail organizations. ProLock’s first big attack targeted major ATM provider Diebold Nixdorf at the end of April.
According to Oleg Skulkin, senior digital forensics analyst at Group-IB, in a recent analysis, “ProLock uses many similar techniques as other ransomware operators to achieve their goals. Simultaneously, the group has its own interesting methodology. With more and more cybercrime groups showing enthusiasm for big business ransomware deployment campaigns, a few might be engaged in deploying diverse ransomware families, so we’ll likely observe more overlaps in strategies, tactics and methodology.”
Considering the FBI and Group-IB reports, this also implies that computers inside an organization that have been found infected with QakBot must be isolated from the rest of the network as quickly as possible, or they can serve as entry points for a ransomware gang.
ProLock has now paired up with the QakBot banking trojan for network intrusion. ProLock relies on unprotected Remote Desktop Protocol (RDP) servers with weak credentials to infect some victims, a very basic strategy for ransomware operators (including Nefilim, Nemty, Crysis and SamSam). But the researchers stated that “the most intriguing” infection vector is QakBot.
Qakbot
QakBot is a trojan, previously partnered with the MegaCortex ransomware and known to have been loaded by the Emotet malware in past campaigns. QakBot is commonly distributed through phishing emails with attachments of weaponized Microsoft Office documents (or links to malicious documents hosted on cloud storage). A victim first needs to download the weaponized document from the email and then enable macros. PowerShell is then launched and used to download and run the QakBot payload from the command-and-control (C2) server.
The use of QakBot by ProLock fits a current cybercrime pattern: more malware strains are forming partnerships to fill gaps in each other’s skillsets, as Ryuk has done by using TrickBot and Emotet in its attack chain. QakBot brings substantial new abilities that widen ProLock’s attack vector: it has keylogging capabilities and can also run additional scripts such as Invoke-Mimikatz (a PowerShell version of Mimikatz), allowing the attacker to perform credential dumping by pulling various passwords from the machine. By this technique, ProLock operators can track down privileged credentials and then use them to begin network discovery.
As per the researchers, “In addition to a wide variety of scripts, attackers use AdFind – another popular tool used by many ransomware groups – to query Active Directory.”
ProLock then uses RDP to move laterally across systems and gather information, which it then exfiltrates using a command-line tool (Rclone) that can synchronize files to and from various cloud storage providers, for example OneDrive and Google Drive. At the same time, the ransomware encrypts the files (appending a .proLock, .pr0Lock or .proL0ck extension to each encrypted file) and leaves a note for the victim demanding a six-figure ransom for decrypting the files.
Other features
Employing RDP and QakBot for initial infection gives ProLock operators an advantage in terms of persistence and defense evasion. For example, the operators use legitimate accounts for RDP access to maintain persistence in the network. The ProLock payload is additionally hidden inside a bitmap image file (BMP) or JPG file, which may be regarded as a defense evasion technique as well.
And, “QBot has a neat trick that lets it avoid detection: it checks for the newest version of itself, and replaces the current version with the new one,” researchers said. “Executable files are signed with a stolen or fake signature. The initial payload, downloaded by PowerShell, is stored on the server with a PNG extension. What’s more, is that it’s replaced with the legitimate file calc.exe after execution.”
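Both tricks above (a PowerShell-downloaded stage stored with a PNG extension, and the ProLock payload carried inside a BMP or JPG) rely on an extension that does not match the content. The following added example, written for this article and not taken from the researchers' tooling, checks whether a supposed image file starts with a Windows PE header or carries one embedded after a valid image header; the sample bytes are constructed and deliberately minimal.

```python
"""Flag image files that are, or contain, a Windows executable (PE) image."""
import struct

IMAGE_MAGIC = {b"BM": "bmp", b"\xff\xd8\xff": "jpg", b"\x89PNG": "png"}

def _pe_header_at(data: bytes, off: int) -> bool:
    """True if data[off:] is a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if data[off:off + 2] != b"MZ" or len(data) < off + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe_off = off + e_lfanew
    return 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\0\0"

def classify_image(data: bytes) -> dict:
    """Report the declared image type (by magic bytes) and every PE header found inside."""
    declared = next((t for m, t in IMAGE_MAGIC.items() if data.startswith(m)), None)
    pe_offsets, pos = [], data.find(b"MZ")
    while pos != -1:
        if _pe_header_at(data, pos):
            pe_offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    if 0 in pe_offsets:
        verdict = "renamed_executable"      # an .exe simply stored under an image name
    elif pe_offsets and declared:
        verdict = "embedded_executable"     # real image header followed by a PE payload
    elif declared:
        verdict = "clean"
    else:
        verdict = "unknown"
    return {"image_type": declared, "pe_offsets": pe_offsets, "verdict": verdict}

def _fake_pe() -> bytes:
    # Constructed DOS header + PE signature only; not a loadable binary.
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)

# Constructed samples: a renamed executable, a BMP header with a PE appended, a plain BMP.
SAMPLE_RENAMED_PNG = _fake_pe()
SAMPLE_BMP_CARRIER = b"BM" + bytes(12) + struct.pack("<I", 40) + bytes(50) + _fake_pe()
SAMPLE_CLEAN_BMP = b"BM" + bytes(12) + struct.pack("<I", 40) + bytes(50)

if __name__ == "__main__":
    for label, blob in [("1.png", SAMPLE_RENAMED_PNG), ("carrier.bmp", SAMPLE_BMP_CARRIER),
                        ("clean.bmp", SAMPLE_CLEAN_BMP)]:
        print(label, classify_image(blob))
```

A valid PE header inside a picture is a strong indicator on its own; the heuristic will not catch a payload that is encrypted before being embedded, so it complements rather than replaces the process-level detection.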
As per the researchers, “Unlike their peers, though, ProLock operators still don’t have a website where they publish exfiltrated data from companies that refuse to pay the ransom.”
Safety measures
• Users must maintain up-to-date backups to avoid damage from ransomware infections.
• Update systems and software with relevant patches.
• Employ content scanning and filtering on mail servers to scan for known threats and block any attachment types that could pose a threat.
Sources:
https://threatpost.com/prolock-ransomware-qakbot-trojan/155828/
Laws like sec. 67, sec. 43.h and sec. 43.c should be made stricter, and users equally must take precautions before giving information to any unknown sites.
Very insightful
Very detailed article.
Very useful information article
Amazing article.
Good article
Hackers use tools like that from time to time to pry into others’ systems and gain something out of it. There are a few tools which will be hidden in the system and never appear, but they will eat up space on the drive, and with use of the RAM and processor will duplicate themselves until there is nothing left to go back to. To be able to identify them one should never turn off real-time ransomware and spyware protection whenever searching through the internet. Nice job by the researcher giving us details about the recent threat identified by the FBI; nonetheless hackers are now targeting us more and we need to be more careful now.