{
	"id": "f9cc6c17-c989-4a4c-b932-528a4d929bd7",
	"created_at": "2026-04-06T00:20:19.074401Z",
	"updated_at": "2026-04-10T03:21:15.393655Z",
	"deleted_at": null,
	"sha1_hash": "2fb1470f0dffa77f65c501d8f889c86a720adc81",
	"title": "FBI issues second alert about ProLock ransomware stealing data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4924986,
	"plain_text": "FBI issues second alert about ProLock ransomware stealing data\r\nBy Sergiu Gatlan\r\nPublished: 2020-09-04 · Archived: 2026-04-05 20:21:57 UTC\r\nImage: Kushagra Kevat\r\nThe FBI issued a second warning this week to alert US companies of ProLock ransomware operators stealing data from\r\ncompromised networks before encrypting their victims' systems.\r\nThe 20200901-001 Private Industry Notification seen by BleepingComputer on September 1st comes after the MI-000125-\r\nMW Flash Alert on the same subject issued by the FBI four months ago, on May 4th, 2020.\r\nFBI's previous alert also warned private industry partners that ProLock's decryptor is not working properly and that data will\r\nbe lost since files over 64MB might be corrupted as part of the decryption process.\r\nProLock ransomware started as PwndLocker during late 2019, slowly making a reputation for itself while targeting both US\r\nbusinesses and local governments.\r\nPwndLocker rebranded itself as ProLocker in March after fixing a bug that allowed free decryption of locked files, and its\r\nactivity started to escalate as it started targeting corporate networks again.\r\nThe boost in activity was most likely caused by partnering with the QakBot banking trojan gang which made it a lot easier to\r\ngain access to new victims' networks.\r\nProLock Tor payment site\r\nProLock ransoms can reach almost $700K\r\nThe operators behind the human-operated ProLock ransomware have been harvesting and exfiltrating information from their\r\nvictims' devices before deploying their payloads since March 2020 according to the FBI.\r\nThe stolen data is later used by the threat actors as leverage in 
persuading the victim organizations into paying ransoms\r\nranging between $175,000 to more than $660,000 depending on the size of the compromised network as BleepingComputer\r\nfound.\r\nSo far, ProLock has successfully encrypted the networks of organizations around the world from multiple industry sectors\r\nincluding healthcare, construction, finance, and legal, including US government agencies and industrial entities.\r\nProLock's operators have used several attack vectors to breach their victims' systems including phishing emails with QakBot\r\nmalicious attachments, using stolen credentials, and exploiting system configuration flaws.\r\nThe threat actors were observed archiving the stolen data and uploading to cloud storage platforms including OneDrive,\r\nGoogle Drive, and Mega with the help of the Rclone cloud storage sync command-line tool.\r\nProLock ransom note\r\nVictims encouraged not to pay the ransoms\r\nThe FBI encourages private industry partners affected by ProLock ransomware attacks not to give in to the threat actors'\r\ndemands and pay the ransoms.\r\nDoing so would only embolden them to target other victims and will also directly fund their future illicit operations as the\r\nFBI explained.\r\nHowever, the FBI recognizes the damages companies could face following such attacks and urges victims to report the\r\nattacks as soon as possible after having their systems infected with ProLock ransomware regardless of their decision to pay\r\nfor a decryptor or not.\r\nReporting the attack to the local FBI field office to provide attack-related information such as phishing emails, recovered\r\nransomware samples, ransom notes, and network traffic logs could help counter other attacks, as well as to identify and hold\r\nthe attackers accountable for their activity.\r\nThe FBI recommends US orgs to periodically back up their 
data to an off-line/off-site backup location and to always keep\r\ntheir software up to date to patch any newly discovered security flaws the ProLock operators could exploit.\r\nThey are also recommended to make use of two-factor authentication (2FA) wherever possible, to disable unused Remote\r\nDesktop Protocol (RDP) instances, and to disable automatic attachment downloads in email clients.\r\nSource: https://www.bleepingcomputer.com/news/security/fbi-issues-second-alert-about-prolock-ransomware-stealing-data/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fbi-issues-second-alert-about-prolock-ransomware-stealing-data/"
	],
	"report_names": [
		"fbi-issues-second-alert-about-prolock-ransomware-stealing-data"
	],
	"threat_actors": [],
	"ts_created_at": 1775434819,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2fb1470f0dffa77f65c501d8f889c86a720adc81.pdf",
		"text": "https://archive.orkl.eu/2fb1470f0dffa77f65c501d8f889c86a720adc81.txt",
		"img": "https://archive.orkl.eu/2fb1470f0dffa77f65c501d8f889c86a720adc81.jpg"
	}
}