{
	"id": "d72eb755-e2b4-4e9e-a84f-43d90295b028",
	"created_at": "2026-04-10T03:20:45.33312Z",
	"updated_at": "2026-04-10T03:22:18.246038Z",
	"deleted_at": null,
	"sha1_hash": "a3e77b80b1edd488a068b46b396c4c02cedf5cfe",
	"title": "FBI: ProLock ransomware gains access to victim networks via Qakbot infections",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 855085,
	"plain_text": "FBI: ProLock ransomware gains access to victim networks via\r\nQakbot infections\r\nBy Catalin Cimpanu\r\nPublished: 2020-05-18 · Archived: 2026-04-10 02:48:01 UTC\r\nImage: FBI, ZDNet, Florian Krumm\r\nThe FBI issued a security alert earlier this month about a new ransomware strain named ProLock that has been\r\ndeployed in intrusions at healthcare organizations, government entities, financial institutions, and retail\r\norganizations.\r\nFirst spotted in March 2020, ProLock is part of the category of \"human-operated ransomware.\"\r\nThese are ransomware strains that are installed manually on the networks of hacked companies. Hacker gangs\r\nbreach or rent access to a hacked network, take manual control of the infected host, spread laterally through the\r\nnetwork, and then deploy the ransomware after they've maximized their access.\r\nIn the case of ProLock, the FBI says this group gains access to hacked networks via the Qakbot (Qbot) trojan.\r\nCyber-security firm Group-IB reported seeing the same thing last week.\r\nThis relationship between the operator of a malware dropper and a ransomware gang is not unique. 
It's been seen\r\nbefore with the Ryuk and Maze ransomware strains being installed on computers previously infected with\r\nTrickBot, and with DopplePaymer strains being dropped on computers infected with Dridex.\r\nAt the time of writing, it is unclear if the ProLock ransomware was created and managed by the Qakbot gang, or if\r\nthe ProLock gang rents access to Qakbot-infected hosts as part of a Crimeware-as-a-Service scheme.\r\nTaking into account the FBI and Group-IB reports, this now also means that computers inside an organization\r\nthat have been found to be infected with Qakbot must be isolated from the rest of the network as soon as\r\npossible, as they can serve as entry points for a ransomware gang.\r\nProLock decrypter not working properly\r\nIn addition to warning about the relationship between Qakbot and ProLock, the FBI also warned victims about\r\nbugs in the ProLock decrypter, the app the ProLock gang provides victims in order to decrypt their files after\r\npaying the ransom.\r\n\"The decryption key or 'decryptor' provided by the attackers upon paying the ransom has not routinely executed\r\ncorrectly,\" the FBI said.\r\n\"The decryptor can potentially corrupt files that are larger than 64MB and may result in file integrity loss of\r\napproximately 1 byte per 1KB over 100MB.\"\r\nThe FBI says that the decrypter may sometimes need to be modified to work correctly, incurring additional costs\r\nfrom lost business to organizations. This is reminiscent of the decryption bugs previously found in the Ryuk\r\nransomware.\r\nThe ProLock ransomware was first spotted in March 2020. 
It initially went under the name of PwndLocker but\r\nrebranded into ProLock after Emsisoft found a way to decrypt files locked by the first version.\r\nSources told ZDNet that the FBI sent the flash alert to US organizations after ATM giant Diebold Nixdorf was\r\ninfected with ProLock at the end of April.\r\nA copy of the FBI flash security alert can be found here.\r\nSource: https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/"
	],
	"report_names": [
		"fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections"
	],
	"threat_actors": [],
	"ts_created_at": 1775791245,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3e77b80b1edd488a068b46b396c4c02cedf5cfe.pdf",
		"text": "https://archive.orkl.eu/a3e77b80b1edd488a068b46b396c4c02cedf5cfe.txt",
		"img": "https://archive.orkl.eu/a3e77b80b1edd488a068b46b396c4c02cedf5cfe.jpg"
	}
}