Threat Watch

ProLock Decryptor May Corrupt Large Files

According to information received by Bleeping Computer, the FBI is warning victims of the ProLock ransomware that the decryptor may not be working correctly. Files over 64MB could become corrupted while decrypting and files over 100 MB can lose one byte per 1KB decrypted. This means that even victims who choose to pay the ransom may still lose access to critical files due to bugs in the decryption software provided by the ransomware operators.

Recently renamed, ProLock got its start as PwnedLocker in 2019. ProLock is currently known to spread via Qakbot infection or through exposed Remote Desktop Protocol (RDP) with weak credentials. Using previously stolen credentials or ones obtained through Qakbot, the ProLock operators use PsExec to execute scripts on remote hosts. Before installing the ransomware, open-source application Rclone is used to exfiltrate stolen data after it has been compressed using 7zip. Finally, the group attempts to deploy the ransomware across the entire organization by using PowerShell to inject a binary into memory after it is extracted from either a JPG or a PNG file.

ANALYST NOTES

As always, Binary Defense never recommends paying the ransom. There is never a guarantee of getting files back, and some decryptors like the one offered by ProLock are known to have flaws that can corrupt files during recovery. With the recent data theft and extortion trend from some ransomware groups, all ransomware incidents should be treated as data breaches as well. The 3-2-1 method of backing up data is a great way to ensure no data is lost during a ransomware infection. Keep three copies of the data on two separate devices with one of the devices stored off-site. It is far better to detect an intrusion early and stop ransomware from being deployed, rather than have to recover from backups afterward. Organizations should monitor security events around the clock, or employ managed security services such as the Binary Defense Security Operations Center (SOC) for 24/7 monitoring to quickly detect, contain and alert security teams to threats like this before they spread too far.
Sources: https://www.bleepingcomputer.com/news/security/fbi-warns-of-prolock-ransomware-decryptor-not-working-properly/

https://www.group-ib.com/blog/prolock