{
	"id": "a244ea9c-8f68-428f-826b-9646206c7275",
	"created_at": "2026-04-06T00:09:12.474089Z",
	"updated_at": "2026-04-10T03:21:58.317223Z",
	"deleted_at": null,
	"sha1_hash": "3344feff8beac21802e39c52c1967dd0c844815d",
	"title": "ProLock ransomware - everything you need to know",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 314820,
	"plain_text": "ProLock ransomware - everything you need to know\r\nWritten by Catalin Cimpanu, Contributor, Sept. 10, 2020 at 1:00 a.m. PT\r\nArchived: 2026-04-05 18:12:02 UTC\r\nImage: Group-IB\r\nExecutive guide\r\nSince the start of the year, a new ransomware gang named ProLock has made a name for itself by hacking into\r\nlarge companies and government networks, encrypting files, and demanding huge ransom payments.\r\nProLock is the latest ransomware gang that has adopted the \"big-game hunting\" approach to its operations. Big-game hunting refers to going after larger targets in order to extract big payments from victims who can afford it.\r\nSystem administrators who manage these larger networks are most likely to see attacks from this particular group.\r\nBelow is a short summary of all ProLock activities that system administrators need to be aware of, based on\r\nreports published by Group-IB, Sophos, and two FBI alerts [1, 2].\r\nProLock's start\r\nThe ProLock gang began its attacks in late 2019. They initially operated under the name of PwndLocker\r\nbut rolled out a major code upgrade and changed their name to ProLock in March 2020, after security researchers\r\nidentified a bug in the original PwndLocker strain and released a free decrypter.\r\nDistribution\r\nhttps://www.zdnet.com/article/prolock-ransomware-everything-you-need-to-know/\r\nPage 1 of 3\n\nIn most of the incidents analyzed by security researchers, the ProLock ransomware was deployed on networks that\r\nhad previously been infected with the Qakbot trojan.\r\nThe Qakbot trojan is distributed via email spam campaigns or is dropped as a second-stage payload on computers\r\npreviously infected with the Emotet trojan. System administrators who find computers infected with either of\r\nthese two malware strains should isolate those systems and audit their networks, as the ProLock gang could already be\r\nmoving around inside them.\r\nLateral movement\r\nBut since the ProLock gang usually buys access to one Qakbot-infected computer and not to entire networks, they\r\nalso have to expand their access from this initial entry point to other nearby computers, for maximum damage.\r\nThis operation is called \"lateral movement,\" and there are various ways the ProLock gang does this.\r\nGroup-IB says ProLock uses the CVE-2019-0859 Windows vulnerability to gain administrator-level access on\r\ninfected hosts and then deploys the Mimikatz tool to dump credentials from the infected system.\r\nDepending on what they find, the ProLock gang can use these credentials to move laterally across a network via\r\nRDP, SMB, or via the local domain controller.\r\nWMIC is used at the last moment to push the actual ransomware to all compromised hosts, where it encrypts files\r\nand, according to Sophos, plays the OS alert tone at the end to signal the end of the encryption routine.\r\nImpact\r\nAll the operations needed to move laterally across a network are executed by a human operator in front of a\r\nterminal — and are not automated.\r\nAs a result, ProLock incidents usually manage to infect a large number of computers, as the ProLock human\r\noperator bides their time in order to maximize damage.\r\nGroup-IB says this tactic allows the group to demand very high decryption fees from victims, most of which face\r\nprolonged downtime if they decide to rebuild their internal networks.\r\n\"The fact that their average ransom demands range anywhere from 35 to 90 Bitcoin (approx. $400,000 to\r\n$1,000,000) only confirms their 'think big' strategy,\" Group-IB said in a private report shared with ZDNet today.\r\nThese sums are below the average ($1.8 million) of some other big-game hunting ransomware gangs, but ProLock\r\nextortions have been gradually increasing in recent months. For example, Group-IB told ZDNet that a recent\r\nProLock case they traced involved a ransom of 225 Bitcoin, which is around $2.3 million.\r\nSome of the group's past victims include big names like ATM maker Diebold Nixdorf, the city of Novi Sad in\r\nSerbia, and LaSalle County in Illinois.\r\nPaying the ransom\r\nBut despite the damage this ransomware group can do, in one of its two alerts, the FBI warned organizations\r\nagainst paying the ransom, as the ProLock decrypter that victims receive doesn't always work as intended, and\r\nusually fails when decrypting larger files.\r\nVictim shaming\r\nFurthermore, ProLock has also been seen in some incidents leaking data from the networks of victims they\r\ninfected and which refused to pay.\r\nWhile some other ransomware groups have created special sites where they leak this data, ProLock prefers to\r\ndump it on hacking forums or pass it to journalists via email.\r\nAll in all, ProLock appears to be the first ransomware gang that uses Qakbot as an initial entry point, but most of\r\nits other tactics are shared with most other big-game hunting and human-operated ransomware gangs — so,\r\ndefending networks against ProLock should be straightforward for companies that have already taken precautions\r\nagainst the other ransomware groups.\r\nSource: https://www.zdnet.com/article/prolock-ransomware-everything-you-need-to-know/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/prolock-ransomware-everything-you-need-to-know/"
	],
	"report_names": [
		"prolock-ransomware-everything-you-need-to-know"
	],
	"threat_actors": [],
	"ts_created_at": 1775434152,
	"ts_updated_at": 1775791318,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3344feff8beac21802e39c52c1967dd0c844815d.pdf",
		"text": "https://archive.orkl.eu/3344feff8beac21802e39c52c1967dd0c844815d.txt",
		"img": "https://archive.orkl.eu/3344feff8beac21802e39c52c1967dd0c844815d.jpg"
	}
}