{
	"id": "8c15863d-6029-4c1c-842f-a48a89def5a9",
	"created_at": "2026-04-06T00:12:59.360394Z",
	"updated_at": "2026-04-10T13:12:53.702896Z",
	"deleted_at": null,
	"sha1_hash": "d896b216a78dac1f8426a4da0d00c473c9924846",
	"title": "ProLock ransomware increases payment demand and victim count",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4176819,
	"plain_text": "ProLock ransomware increases payment demand and victim count\r\nBy Ionut Ilascu\r\nPublished: 2020-09-10 · Archived: 2026-04-05 21:22:15 UTC\r\nUsing standard tactics, the operators of ProLock ransomware were able to launch a large number of attacks over the past six\r\nmonths, averaging close to one target every day.\r\nAfter a failed start in late 2019 under the name PwndLocker, caused by a crypto bug that allowed unlocking the files for\r\nfree, the operators rebooted the operation by fixing the flaw and renaming the malware to ProLock.\r\nFrom the beginning, the threat actor aimed high, targeting enterprise networks and demanding ransoms ranging from $175,000 to\r\nmore than $660,000.\r\nA fresh start in March under the ProLock label also meant increased activity and larger ransoms. Since then, the average\r\nfigure swelled to $1.8 million, according to incident response data from cybersecurity company Group-IB.\r\nSimple, efficient tactics\r\nThe threat actor has no preference for its targets or the sector of their activity as long as they are companies with big\r\nnetworks, able to pay a higher ransom. 
So far, the focus seems to be on businesses in Europe and North America.\r\nFor the past half-year, Group-IB detected more than 150 ProLock operations, the most recent victim being asked 225\r\nBitcoins (more than $2.3 million at current value).\r\nThe group’s tactics, techniques, and procedures are simple and effective: the partnership with the QakBot (QBot) banking trojan\r\nallows them to map the network, move laterally, and ultimately deploy the ransomware.\r\nBetween the initial compromise and running the file-encryption routine, the actor spends about a month on the network,\r\ngathering information for better targeting and exfiltrating data (via Rclone).\r\nRunning ProLock on the target network is the last step of the attack, which typically starts with a spear-phishing email\r\ncontaining weaponized VBScripts and Office documents that deliver QakBot, oftentimes via replies in hijacked email\r\nthreads.\r\nGroup-IB found that the VBScripts for downloading QakBot are often very large, as much as 40MB, to bypass\r\nsecurity solutions that skip scanning large files.\r\nOnce on the target host, QakBot establishes persistence and makes sure that active defenses don’t spot it by modifying\r\nthe Windows Registry to add its binaries to the list of Windows Defender exclusions.\r\n“QakBot also collects a lot of information about the infected host, including the IP address, hostname, domain, and list of\r\ninstalled programs. Thanks to this information, the threat actor acquires a basic understanding of the network and can plan\r\npost-exploitation activities” - Group-IB\r\nWith tools like BloodHound and ADFind, the threat actor profiles the environment to distribute the banking trojan to other\r\nhosts on the network. 
In some cases, this was done manually using PsExec, suggesting a strong connection between\r\nProLock and QakBot operators.\r\nMoving laterally also involved the use of remote desktop (RDP), and when this was not available on a machine, the actor\r\nran the following batch script via PsExec to enable the remote connection:\r\nProLock’s toolkit includes the Mimikatz post-exploitation tool for penetration testers, which is deployed through the Cobalt Strike\r\nsoftware for red team engagements.\r\nGroup-IB found that the ransomware actor sometimes relies on a vulnerability in Windows (CVE-2019-0859) that enables\r\nthem to escalate privileges on compromised systems.\r\nAccording to today's report, the file-encrypting malware lands on the host either via QakBot, downloaded with the\r\nBackground Intelligent Transfer Service (BITS) from the attacker's server, or by executing a script using Windows\r\nManagement Instrumentation (WMIC) on a remote host.\r\nDespite using standard tools, ProLock attacks remain largely undetected on the network, giving them time to prepare the file\r\nencryption stage and steal data.\r\nAttacks from this threat actor have intensified lately, causing the FBI to release two FLASH Alerts about this actor this year\r\n[1, 2]. In the first one, the agency warns that the ProLock decryption tool may cause data loss because it does not work\r\nproperly all the time.\r\nGroup-IB said that they could not verify this statement because none of their customers had to pay the ransom.\r\nSource: https://www.bleepingcomputer.com/news/security/prolock-ransomware-increases-payment-demand-and-victim-count/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/prolock-ransomware-increases-payment-demand-and-victim-count/"
	],
	"report_names": [
		"prolock-ransomware-increases-payment-demand-and-victim-count"
	],
	"threat_actors": [],
	"ts_created_at": 1775434379,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d896b216a78dac1f8426a4da0d00c473c9924846.pdf",
		"text": "https://archive.orkl.eu/d896b216a78dac1f8426a4da0d00c473c9924846.txt",
		"img": "https://archive.orkl.eu/d896b216a78dac1f8426a4da0d00c473c9924846.jpg"
	}
}