Earlier this month, the US FBI issued a warning about a new ransomware strain, ProLock, used in attacks on government and financial institutions, healthcare facilities and retail businesses. Last week, Diebold Nixdorf, the largest US supplier and one of the world's largest suppliers of ATMs and payment technologies, became a ProLock victim.
Discovered in March 2020, ProLock is so-called "human-driven ransomware": malware that cybercriminals install manually inside a corporate network after the initial compromise. According to the FBI, in the case of ProLock the ransomware enters the network via the Qakbot Trojan (Qbot). Group-IB specialists have confirmed this.
Collaboration between different cybercriminal groups is not uncommon. For example, the Ryuk and Maze ransomware infected victims' systems via TrickBot, while DoppelPaymer got onto computers that had originally been infected with Dridex. At the time of writing, it was unclear whether the authors of ProLock are also the creators of Qakbot. It is possible that Qakbot operators lease access to already-compromised corporate networks to the ProLock authors as part of a Crimeware-as-a-Service business model.
According to the FBI warning, the decryption tool that the ransomware operators provide in exchange for the ransom payment does not work properly: the decryptor corrupts files larger than 64 MB. ProLock victims are therefore strongly advised not to pay the ransom.