{
	"id": "fc63c230-c4cc-4394-8ed1-29b96b081e9e",
	"created_at": "2026-04-06T00:09:28.543297Z",
	"updated_at": "2026-04-10T03:21:25.545306Z",
	"deleted_at": null,
	"sha1_hash": "718403f119acfec1ecdb4564564a1aa6056c55fe",
	"title": "FBI warns of ProLock ransomware decryptor not working properly",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2225203,
	"plain_text": "FBI warns of ProLock ransomware decryptor not working properly\r\nBy Ionut Ilascu\r\nPublished: 2020-05-18 · Archived: 2026-04-05 14:25:19 UTC\r\nMultiple actors in the ransomware business saw the new coronavirus pandemic as the perfect opportunity to focus on an\r\nalready overburdened healthcare sector. ProLock is yet another threat to the list.\r\nThe FBI issued a flash alert at the beginning of the month to alert organizations of the new threat actor, saying that its targets\r\nin the US include entities in the following sectors: healthcare, government, financial, and retail.\r\nDecryptor malfunction\r\nThe FBI does not encourage giving in to the demands of any ransomware actor. Doing so would only increase their\r\nconfidence to continue such attacks.\r\nWith ProLock, the decryptor is not working properly and data will be lost. Files larger than 64MB may become corrupted\r\nduring the decryption process.\r\nIntegrity loss of 1 byte per 1KB is possible with files over 100MB and additional work may be needed to make the decryptor\r\nwork properly. 
This issue will increase the downtime of an organization even if they agree to the actor's demands.\r\nThe malware started as PwndLocker in late 2019 but made a reputation by targeting businesses and local governments,\r\nadjusting its ransom demands to the size of the compromised network.\r\nAfter fixing a bug that allowed free decryption, PwndLocker emerged as ProLock in March and its activity started to\r\nescalate.\r\nGetting in the network\r\nAs cybersecurity company Group-IB points out in a recent report, ProLock has partnered with the QakBot banking trojan to\r\nobtain access to victims’ networks; this likely contributed to this ransomware's ascension.\r\nThe trojan does not install this ransomware family but runs a set of scripts to let its operators onto the victim network so they\r\ncan map it and move laterally. The payload is extracted from a BMP or JPG file named WinMgr, and is loaded into memory.\r\nLike other ransomware operators, ProLock’s operators spend some time on the victim network looking for high-value systems and\r\nimportant data to steal. The information is siphoned out using Rclone, a command-line tool for syncing with various\r\ncloud storage services.\r\nThe ransom demand following the encryption comes with the threat that victim data would be released on public websites\r\nand social media unless payment for decryption is received.\r\nOther methods include misconfigured remote desktop protocol (RDP). For networks with single-factor authentication, the\r\nactor uses stolen logins.\r\nOnce inside, ProLock operators make sure that they leave no option for recovering the files without paying. 
If backups and\r\nvolume shadow copies are found, they are either deleted or encrypted.\r\nWith ransom demands ranging from $175,000 to over $660,000, ProLock is as serious a threat as other, more infamous\r\nransomware families like Maze, Sodinokibi, Ryuk, or LockerGoga, which are considered top earners in the ransomware\r\nbusiness.\r\nSource: https://www.bleepingcomputer.com/news/security/fbi-warns-of-prolock-ransomware-decryptor-not-working-properly/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fbi-warns-of-prolock-ransomware-decryptor-not-working-properly/"
	],
	"report_names": [
		"fbi-warns-of-prolock-ransomware-decryptor-not-working-properly"
	],
	"threat_actors": [],
	"ts_created_at": 1775434168,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/718403f119acfec1ecdb4564564a1aa6056c55fe.pdf",
		"text": "https://archive.orkl.eu/718403f119acfec1ecdb4564564a1aa6056c55fe.txt",
		"img": "https://archive.orkl.eu/718403f119acfec1ecdb4564564a1aa6056c55fe.jpg"
	}
}