{
	"id": "f24df1da-569b-4398-9a0c-4b4f2d2a745c",
	"created_at": "2026-05-05T02:46:32.068495Z",
	"updated_at": "2026-05-05T02:46:36.857955Z",
	"deleted_at": null,
	"sha1_hash": "f6fdef2c0ec65d1885ad3db0ccebeae553143bbe",
	"title": "ATT\u0026CKing ProLock Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 176533,
	"plain_text": "ATT\u0026CKing ProLock Ransomware\r\nArchived: 2026-05-05 02:15:45 UTC\r\nThe success of enterprise ransomware attacks has motivated more and more threat actors to join the game.\r\nOne of these new players is ProLock ransomware.\r\nThe locker emerged in March 2020 as the successor of PwndLocker, which began operating in late 2019 and was\r\nresponsible for the attack on Illinois’ Lasalle County earlier this year. Their ransoms were always in the six-figure\r\nrange, and it seems that ProLock operators are continuing that trend.\r\nDespite not being around long, ProLock has already made its mark, targeting financial, healthcare, government,\r\nand retail organizations. The group’s first big attack – that we know of, at least – happened at the end of April,\r\nwhen they successfully attacked Diebold Nixdorf – one of the major ATM providers.\r\nIn this post I’ll tell you all you need to know about the new player’s main tactics, techniques and procedures\r\n(TTPs). After that, I give a complete outline of the MITRE ATT\u0026CK mapping as it pertains to ProLock.\r\nInitial Access\r\nProLock operators used two main vectors of initial access: QakBot (Qbot) and unprotected Remote Desktop\r\nProtocol (RDP) servers with weak credentials.\r\nThe latter is a fairly common technique among ransomware operators. This kind of access is usually bought from\r\na third party but may be obtained by group members as well.\r\nThe more interesting initial access vector is QakBot, a trojan that was at one point affiliated with the MegaCortex\r\nransomware family.\r\nTypically, QakBot is distributed via phishing campaigns. 
Phishing emails may contain attachments of weaponized\r\nMicrosoft Office documents or just links to such documents that are located on cloud storage – Microsoft\r\nOneDrive, for example.\r\nQakBot is also known to be loaded by Emotet, a trojan notorious for its connection with Ryuk operators.\r\nExecution\r\nOnce the weaponized document is downloaded and opened by the victim, the malicious macro is enabled, PowerShell is\r\nlaunched and used to download and run the QakBot payload from the C2 server.\r\nhttps://www.group-ib.com/blog/prolock\r\nPage 1 of 6\n\nIt’s important to note here that the same can be said about ProLock: the payload is extracted from a BMP or JPG\r\nfile, and is loaded into memory with PowerShell. In some cases, a scheduled task is used to run PowerShell:\r\nschtasks.exe /CREATE /XML C:\\Programdata\\WinMgr.xml /tn WinMgr\r\nschtasks.exe /RUN /tn WinMgr\r\ndel C:\\Programdata\\WinMgr.xml\r\ndel C:\\Programdata\\run.bat\r\nPersistence\r\nIn the case of RDP access, valid accounts are used to gain persistence in the network. QakBot, on the other hand, uses\r\nmultiple persistence mechanisms – most often Run keys and scheduled tasks:\r\nFigure 1: QakBot gained persistence via Run key\r\nIn some cases, startup folders are also used: a shortcut is placed in the folder that points to the loader.\r\nDefense Evasion\r\nQakBot has a neat trick that lets it avoid detection: it checks for the newest version of itself, and replaces the current\r\nversion with the new one. Executable files are signed with a stolen or fake signature. The initial payload,\r\ndownloaded by PowerShell, is stored on the server with a PNG extension. 
What’s more, it’s replaced with\r\nthe legitimate file calc.exe after execution.\r\nTo evade detection, QakBot also uses explorer.exe to execute a process injection technique.\r\nAs already mentioned, the ProLock payload is hidden inside a BMP or JPG file, which may be considered a defense\r\nevasion technique as well.\r\nCredential Access\r\nQakBot has keylogging capabilities but is also able to download and run additional scripts like Invoke-Mimikatz,\r\na PowerShell version of the notorious Mimikatz. This enables the adversary to employ the credential dumping\r\ntechnique.\r\nDiscovery\r\nOnce privileged credentials are obtained, ProLock operators start network discovery activities. They include, but\r\nare not limited to, port scanning and Active Directory reconnaissance.\r\nIn addition to a wide variety of scripts, attackers use AdFind – another popular tool used by many ransomware\r\ngroups – to query Active Directory.\r\nLateral Movement\r\nMany adversaries favor RDP to move laterally across networks, and ProLock is no exception. Attackers even have\r\nbatch scripts in their arsenals to enable RDP access on the target hosts:\r\nreg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\" /v \"fDenyTSConnections\" /t REG_DWORD\r\nnetsh advfirewall firewall set rule group=\"Remote Desktop\" new enable=yes\r\nreg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v \"UserAuthentic\r\nFor remote script execution, ProLock operators use PsExec from the Sysinternals Suite, another common tool.\r\nTo run ProLock on hosts, attackers used WMIC – a command line interface for Windows Management\r\nInstrumentation – which is also becoming increasingly popular among ransomware operators.\r\nCollection\r\nJust like many other groups, ProLock operators collect data from compromised networks to improve their chances\r\nof fulfilling their ransom demands. 
Prior to exfiltration, collected data is archived with 7Zip.\r\nExfiltration\r\nFor exfiltration, ProLock operators use Rclone, a command line tool capable of syncing files to and from\r\ndifferent cloud storage providers, such as OneDrive, Google Drive, Mega, etc. The executable is always renamed\r\nto resemble legitimate system binaries.\r\nUnlike their peers, though, ProLock operators still don’t have a website where they publish exfiltrated data from\r\ncompanies that refuse to pay the ransom.\r\nImpact\r\nOnce the data is exfiltrated, the group deploys ProLock enterprise-wide. PowerShell is used to extract the binary\r\nfrom a PNG or a JPG file and inject it into memory:\r\nFigure 4: PowerShell script\r\nFirst, ProLock kills processes from an embedded list (what’s interesting is that it uses only six letters from the\r\nprocess name, like “winwor”) and stops services, including security-related ones like CSFalconService\r\n(CrowdStrike Falcon), via the net stop command.\r\nThen, like many other ransomware families, it uses vssadmin to remove Volume Shadow Copies and limit their\r\nsize, so no new copies are created:\r\nvssadmin.exe delete shadows /all /quiet\r\nvssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB\r\nvssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded\r\nProLock adds the .proLock, .pr0Lock or .proL0ck extension to each encrypted file, and drops [HOW TO\r\nRECOVER FILES].TXT to each folder – a file with instructions on how to decrypt files, including the link to the\r\nwebsite, where the victim should enter the unique ID and get payment information:\r\nFigure 3: ProLock Ransom Note\r\nEach ProLock sample has an embedded ransom amount – in this case it was 35 Bitcoin, or approximately\r\n$312 000.\r\nSummary\r\nAs you can see, ProLock uses many techniques similar to those of other ransomware operators to achieve 
their\r\ngoals. At the same time, however, the group does have its own unique approach. With more and more cybercrime\r\ngroups showing interest in enterprise ransomware deployment campaigns, some operators may be involved in\r\ndeploying different ransomware families, so we’ll likely see more overlaps in tactics, techniques and procedures.\r\nMITRE ATT\u0026CK Mapping\r\nTactic: Technique(s)\r\nInitial Access (TA0001): External Remote Services (T1133), Spearphishing Attachment (T1193), Spearphishing Link (T1192)\r\nExecution (TA0002): PowerShell (T1086), Scripting (T1064), User Execution (T1204), Windows Management Instrumentation (T1047)\r\nPersistence (TA0003): Registry Run Keys / Startup Folder (T1060), Scheduled Task (T1053), Valid Accounts (T1078)\r\nDefense Evasion (TA0005): Code Signing (T1116), Deobfuscate/Decode Files or Information (T1140), Disabling Security Tools (T1089), File Deletion (T1107), Masquerading (T1036), Process Injection (T1055)\r\nCredential Access (TA0006): Credential Dumping (T1003), Brute Force (T1110), Input Capture (T1056)\r\nDiscovery (TA0007): Account Discovery (T1087), Domain Trust Discovery (T1482), File and Directory Discovery (T1083), Network Service Scanning (T1046), Network Share Discovery (T1135), Remote System Discovery (T1018)\r\nLateral Movement (TA0008): Remote Desktop Protocol (T1076), Remote File Copy (T1105), Windows Admin Shares (T1077)\r\nCollection (TA0009): Data from Local System (T1005), Data from Network Shared Drive (T1039), Data Staged (T1074)\r\nCommand and Control (TA0011): Commonly Used Port (T1043), Web Service (T1102)\r\nExfiltration (TA0010): Data Compressed (T1002), Transfer Data to Cloud Account (T1537)\r\nImpact (TA0040): Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490)\r\nThe global pandemic has forced many people to work from home. 
Transitioning employees to remote work creates\r\nadditional cybersecurity risks. Many cybercriminals are exploiting the crisis and ransomware operators are not\r\nan exception. INTERPOL’s Cybercrime team tracked a surge in ransomware attacks amid COVID-19. Group-IB\r\nDFIR experts prepared 10 Recommendations for preventing ransomware attacks accessible here.\r\nSource: https://www.group-ib.com/blog/prolock",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/blog/prolock"
	],
	"report_names": [
		"prolock"
	],
	"threat_actors": [],
	"ts_created_at": 1777949192,
	"ts_updated_at": 1777949196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f6fdef2c0ec65d1885ad3db0ccebeae553143bbe.pdf",
		"text": "https://archive.orkl.eu/f6fdef2c0ec65d1885ad3db0ccebeae553143bbe.txt",
		"img": "https://archive.orkl.eu/f6fdef2c0ec65d1885ad3db0ccebeae553143bbe.jpg"
	}
}