The ProLock Ransomware Operators Send Faulty Decryptors to Victims Who Pay the Ransom

ProLock Ransomware Faulty Decryptor

As most of you probably know, not all ransomware is created equal. Some families are authored by young, inexperienced hackers who borrow most of their code from open repositories. Often, they make mistakes during the implementation of the individual components, and they end up with ransomware samples that don't pose that much of a threat. By contrast, other file-encrypting malware families are designed and built by sophisticated teams of hackers who have an almost unlimited amount of resources.

ProLock is a relatively new name on the ransomware scene. It's been grabbing some headlines for the last few months, and it will be interesting to see whether it's one of the more sophisticated threats or whether it's been put together by a group of amateurs.

ProLock – a serious threat to organizations of all shapes and sizes

Researchers from Sophos recently decided to take a closer look at ProLock after one of their clients was hit by it. It immediately became apparent that it's not the work of the so-called script kiddies.

In the case of the attack Sophos investigated, the initial point of entry was a poorly configured RDP server that the hackers exploited. After compromising the victim, they gathered some more information about the network they were in, and they later used a list of stolen credentials to move across it. The actual ransomware operation begins with the placement of four files in the host's %ProgramData% folder.

There's a BMP image, an XML file, and a couple of batch files. The first batch file sets up a scheduled task using the parameters set in the XML document. The scheduled task runs the second batch file, which, in turn, extracts the ransomware payload that is encoded in the BMP image using steganography.

Before encrypting the data, ProLock terminates certain processes in order to ensure that fewer files are opened during the encryption stage. When it's done scrambling the information, ProLock drops a ransom note complete with a User ID and a link to a Tor-hosted website where victims can get more information about the hackers' demands.

So far, everything looks very professionally made and advanced. When the researchers looked at a few samples, however, they saw that although parts of the code were tailored to individual victims, the User IDs were hardcoded and were not unique. This was strange. What was stranger, however, was the way ProLock encrypts files.

ProLock's decryptors don't work

ProLock doesn't encrypt files that are smaller than 8KB. For the ones that are larger, it starts the encryption process with the ninth kilobyte. As a result, if you open a file that the ransomware has already encrypted, you'll see that the first parts of it remain in readable form.

Sophos' researchers think that this is the reason why ProLock's decryptors don't work. There have been reports of faulty decryption programs provided by the ProLock operators for a while now, but this is the first time we see a technical explanation of the problem. Sophos' report suggests that security specialists might just be able to retrieve the data after modifying the faulty decryptor, but they point out that it won't be cheap.

It's yet another proof of why you should never do business with cybercriminals. But now that we all know where the problem lies, how likely are the ProLock operators to fix it?

Will the ProLock gang fix their decryptors?

From now on, potential victims who could be bothered to do a simple Google search will know that even if they pay the ransom, they might not get their data back. They will be less likely to cooperate, and you might think that this could make the ransomware operators update their encryption mechanism and fix the issue. The thing is, whether the decryptor works or not could make little difference to them.

Because companies now keep backups of their data, paying the ransom is no longer the only way to retrieve it in the event of a ransomware attack. Last year, cybercriminal gangs targeting organizations realized that they need a second extortion point, and they started stealing information before encrypting it. That way, when a victim refuses to pay for a decryptor, the crooks can threaten to leak tons of sensitive data. Plenty of ransomware crews have done it, and we're now starting to see that it works.

Sophos' report says that the ProLock gang hasn't adopted the strategy yet, but it did point out that they can do it at any time. Organizations that could be targeted by this particular ransomware should be aware of the threat and must take the necessary precautions to strengthen their networks.

July 30, 2020

Leave a Reply