ProLock ransomware has recently been used in attacks on US government bodies, financial institutions and healthcare facilities. The FBI has confirmed that this ransomware was used in those attacks, and its latest known victim is one of the world's largest suppliers of ATMs and payment technology.
Earlier this month, the US FBI issued a warning about a new sample of ProLock ransomware used in attacks on government and financial institutions, healthcare facilities and retail businesses. Last week, Diebold Nixdorf, the largest US and one of the world's largest suppliers of ATMs and payment technology, became a ProLock victim. Discovered in March 2020, ProLock is so-called "human-driven ransomware": malware that the attackers install manually inside a corporate network after the initial compromise. According to the FBI, in the case of ProLock the ransomware enters the network via the Qakbot Trojan (Qbot). Group-IB specialists have confirmed this finding.
Collaboration between different cybercriminal groups is not uncommon. For example, the Ryuk and Maze ransomware infected victims' systems through TrickBot, and DoppelPaymer landed on computers that had originally been infected with Dridex. At the time of writing, it was unclear whether the authors of ProLock are also the creators of Qakbot. It is possible that Qakbot operators lease access to the compromised corporate networks to the ProLock authors as part of a Crimeware-as-a-Service business model.
According to the FBI warning, the decryption tool that the ProLock operators provide in exchange for payment does not work properly: the decryptor damages files larger than 64 MB. Victims of ProLock are therefore strongly discouraged from paying the ransom.