The ProLock Ransomware Partners With Qakbot to Attack Corporate Networks

ProLock Partners With Qakbot

ProLock is a relatively new name on the ransomware scene, so it is no surprise that the people behind it are more interested in hitting corporations than individual users. A while ago, the focus moved away from Joe Average and was placed squarely on businesses, financial institutions, government and even healthcare organizations, and for the time being, at least, there appears to be no going back. Different targets present different challenges, however, and one of the main ones is the initial infection vector.

In the past, the ransomware infection chain was pretty straightforward. A large botnet would fire off a massive number of spam emails. Attached to them would be macro-laced Word documents, which the users would open thanks to some social engineering tricks. The malicious files would silently install the ransomware, and the extortion operation would begin. For individual users, this works very well, but in a corporate environment, the employees are likely to be better trained, and the spam filters are likely to be stricter, all of which could thwart such attacks.

As a result, ransomware operators are forced to look for other ways of compromising their targets' networks. The people running the ProLock ransomware have apparently found the answer in another malware family called Qakbot.

ProLock uses Qakbot as a dropper

Yesterday, ZDNet shared an FBI flash alert from earlier this month according to which ProLock compromises some of its victims' networks with Qakbot's help. Last week, researchers from Group-IB confirmed that they, too, have seen Qakbot install ProLock on hacked systems. This might mean that the people who have developed Qakbot are also responsible for ProLock, but the truth is, the partnership could also be the result of an agreement between two unrelated cybercriminal gangs.

One thing is certain – the use of Qakbot as a dropper definitely has its advantages. While ProLock is still trying to make a name for itself, Qakbot has already infected quite a lot of computers all around the world, which means that the ransomware operators can be spared the chore of creating convincing phishing campaigns or looking for vulnerable RDP configurations. In addition to this, Qakbot has clever detection evasion mechanisms, and it could also help with a very important part of ProLock's operation.

As you may have heard already, many ransomware crews now steal data in addition to encrypting it. That way, even if the target refuses to pay for a decryptor, the crooks can still threaten to leak the sensitive information unless a ransom is paid. ProLock has its own data exfiltration mechanisms, but thanks to Qakbot's keylogging and password stealing capabilities, the amount of pilfered information could be much more substantial. The specialists didn't point out whether the partnership spans beyond the initial installation, but Qakbot might just be able to help ProLock move laterally within the compromised network as well.

All in all, ProLock has teamed up with a very advanced piece of malware, which, by the way, is more than can be said about ProLock itself.

The ProLock ransomware has had a difficult birth

ProLock's first incarnation was actually called PwndLocker. It appeared in late 2019 and immediately set about wreaking havoc. After grabbing a few headlines, PwndLocker caught the attention of researchers from Emsisoft, who quickly found an error in the ransomware's encryption mechanism. In early March, the security experts released a free decryptor for PwndLocker victims.

The crooks went back to their code, fixed the error, and gave their ransomware a new name – ProLock. The researchers have yet to find a way of beating the mended encryption mechanism, but unfortunately, the ProLock gang also appears to be having trouble restoring the data of companies who have paid the ransom.

When companies yield to the extortion attempts and transfer the bitcoins, they receive a decryption program from the crooks, which should theoretically restore all the files back to their original state. In reality, however, reports suggest that ProLock's decryptor is corrupting some of the larger files.

In addition to suffering the financial losses (which depend on the target but are never insignificant), ProLock victims also lose their data, which once again highlights the risks of negotiating with crooks. Make sure your organization backs up its files regularly, and don't fuel the cybercriminals' business by complying with the ransomware operators' demands.

May 19, 2020
