{
	"id": "69ead0b6-bfc0-4788-9602-ad83de173691",
	"created_at": "2026-04-06T02:12:11.117527Z",
	"updated_at": "2026-04-10T13:11:28.797435Z",
	"deleted_at": null,
	"sha1_hash": "4729dfffe21a5d38f2e82bed96820abee3dbe6a6",
	"title": "ProLock Ransomware teams up with QakBot trojan for network access",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2039565,
	"plain_text": "ProLock Ransomware teams up with QakBot trojan for network access\r\nBy Ionut Ilascu\r\nPublished: 2020-05-14 · Archived: 2026-04-06 02:10:19 UTC\r\nProLock is a relatively new malware on the ransomware scene but has quickly attracted attention by targeting businesses\r\nand local governments and demanding huge ransoms for file decryption.\r\nIts most recent victim is Diebold Nixdorf, mostly known for providing automated teller machines (ATMs).\r\nThis attack was caught before the encryption stage and did not impact these systems; it did cause some disruptions as it\r\naffected the corporate network.\r\nhttps://www.bleepingcomputer.com/news/security/prolock-ransomware-teams-up-with-qakbot-trojan-for-network-access/\r\nPage 1 of 5\r\nThis ransomware family started as PwndLocker but it was rebranded to ProLock in March after the developers fixed a bug\r\nthat allowed free decryption of the files.\r\nAccording to research conducted by BleepingComputer, ProLock demands ransoms ranging from $175,000 to over\r\n$660,000 depending on the size of the network.\r\nHowever, the skills and techniques seen with ProLock operators are similar to those of high-profile ransomware groups such\r\nas Sodinokibi and Maze, BleepingComputer learned from Oleg Skulkin, Senior Digital Forensics Analyst at Group-IB, a\r\nSingapore-based cybersecurity company.\r\nVictims breached via QakBot and RDP\r\nThe researcher says that these groups may intersect through third-party individuals providing operational support\r\n(distribution, initial breach, lateral movement).\r\nSkulkin today presented a report on ProLock’s tactics, techniques, and procedures (TTPs), in the hope of better understanding\r\nand defending against this threat actor.\r\nTo breach victims, ProLock relies on two main vectors: distribution via QakBot (QBot), previously affiliated with\r\nMegaCortex ransomware, and access via public-facing remote desktop (RDP) servers.\r\n“Access via public-facing RDP-server is a very common technique used by many ransomware operators. Commonly this\r\nkind of access is bought from the third party, but may be obtained by some group members as well” - Oleg Skulkin\r\nSimilar to how Ryuk works with TrickBot and DoppelPaymer/BitPaymer work with Dridex for access to networks, ProLock\r\nis working with QakBot to gain access.\r\nQakBot is a banking trojan that spreads via phishing campaigns that deliver malicious Microsoft Word documents, usually\r\nto businesses. The Emotet botnet has been seen distributing this malware.\r\nThe researcher points out that both QakBot and ProLock rely on PowerShell to get the payload running. For the banking\r\nmalware, malicious macros are employed for the task, while for the ransomware the code is extracted from a JPG or BMP\r\nimage file.\r\n[image: image with ProLock binary]\r\nIf ProLock operators use RDP access to reach their victim, persistence is established using valid accounts. With QakBot,\r\nmultiple methods are used but popular ones rely on Run keys and scheduled tasks.\r\nAccording to data from Group-IB, it takes about a week before QakBot makes room for ProLock. Skulkin told us that the\r\ntrojan does not install the ransomware but downloads batch scripts from cloud storage repositories and executes them.\r\nLateral movement and file exfiltration\r\nLateral movement activity begins after the operators obtain credentials to some servers. Usually, RDP access for\r\nreconnaissance is enabled through the scripts, which are executed with PsExec.\r\nThe ransomware is later deployed using the command line interface for Windows Management Instrumentation (WMI).\r\nAligning with the current trend, ProLock operators steal data from a compromised network. The files are archived with 7-zip\r\nand uploaded to various cloud storage spaces (OneDrive, Google Drive, Mega) using Rclone, a command line program that\r\nsyncs data with an impressive number of cloud storage services.\r\nAfter exfiltration, the operators execute a PowerShell script to extract the ProLock binary embedded in an image file and\r\nunleash it across the enterprise network to encrypt data on reachable systems.\r\nEach encrypted file has the ransomware mark (extensions .proLock, .pr0Lock, .proL0ck, .key, or .pwnd) and recovery\r\ninstructions are provided in a text file dropped in every folder.\r\nSkulkin says that ProLock does not have a “leak site” at the moment, although this may change in the near future.\r\nGroup-IB's report is available here and includes MITRE ATT\u0026CK (Adversarial Tactics, Techniques \u0026 Common\r\nKnowledge) knowledge.\r\nSource: https://www.bleepingcomputer.com/news/security/prolock-ransomware-teams-up-with-qakbot-trojan-for-network-access/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/prolock-ransomware-teams-up-with-qakbot-trojan-for-network-access/"
	],
	"report_names": [
		"prolock-ransomware-teams-up-with-qakbot-trojan-for-network-access"
	],
	"threat_actors": [],
	"ts_created_at": 1775441531,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4729dfffe21a5d38f2e82bed96820abee3dbe6a6.pdf",
		"text": "https://archive.orkl.eu/4729dfffe21a5d38f2e82bed96820abee3dbe6a6.txt",
		"img": "https://archive.orkl.eu/4729dfffe21a5d38f2e82bed96820abee3dbe6a6.jpg"
	}
}