What is ProLock Ransomware?

Cyber SecurityAnti VirusSafe & Security

A new ransomware group known as ProLock has created a reputation for itself by getting into large companies and government networks, encrypting files, and demanding massive ransom payments since the beginning of the year.

ProLock is the most recent ransomware group to employ a "big-game hunting" strategy in its activities. Big-game hunting refers to pursuing greater prey in order to take significant sums of money from those who can afford it.

Attacks from this category are most likely to be seen by system administrators who handle these larger networks.

How Does ProLock Ransomware Work?

ProLock ransomware encrypts files using the RSA-2048 algorithm, changes filenames, and generates a ransom note. The "proLock" extension is appended to the filenames of all encrypted files by ProLock.

  • According to research, ProLock appends this extension multiple times, which could indicate that it encrypts files multiple times. It leaves ransom messages in files called "[HOW TO RECOVER FILES].txt," which victims can locate in encrypted data directories.

  • ProLock's ransom emails claim that victims can get their files back by paying a ransom.

  • Instructions on how to pay this can be found on a Tor website; each "[HOW TO RECOVER FILES].txt" text file contains a link to the corresponding page.

  • This Tor page includes a Bitcoin wallet address for sending money to ProLock's developers. The cost of decryption was 60 BTCs at the time of investigation; however, each victim may be required to pay a different amount of Bitcoins. In any event, it is made plain that decryption is impossible without payment.

  • Victims are advised not to attempt to change or decrypt files using third-party software since this may result in permanent data loss. The developers of ProLock advise consumers to pay the ransom right away because the decryption keys are only kept on a remote server for one month.

  • They claim to have obtained important material and threaten to release it unless the ransom is paid. The necessary decryption tools are only available to the cybercriminals who created the ransomware. Even if they are compensated, most criminals do not send these tools.

Victims lose their data and money if they pay the ransom. As a result, you should never pay any cyber thieves. Unfortunately, without tools owned solely by ProLock's makers, there is no method to decrypt the files for free. In such circumstances, the only way to retrieve files is to restore them from a backup. Files can be retrieved from a backup, which should be kept on a remote server or an unplugged storage device to avoid data loss caused by ransomware.

Note that while removing the ransomware prevents additional data loss (encryption), it does not restore access to the files that have been encrypted (they remain encrypted).

In general, malware like ProLock encrypt files and make them unavailable until victims pay for particular tools from the creators to decode them. The quantity of the ransom and the cryptographic algorithm (symmetric or asymmetric) used by the ransomware to encrypt data are the two most important variables.

Gate, LX, and Tongda2000 are instances of other ransomware-like programs. Unfortunately, unless a ransomware has problems or isn't fully developed, decrypting the files without paying the ransom for tools/keys is impossible (not recommended).

How Did My PC Become Infected with Ransomware?

Trojans, spam campaigns (emails), fraudulent software updaters, software 'cracking' tools, and dubious file and/or program distribution channels are all used by cybercriminals to distribute malware. Trojans are programs that can start a chain infection by installing further malicious applications once they've been installed.

Spam campaigns are used by cyber thieves to propagate malware by sending emails with malicious attachments. When recipients open a malicious attachment/file, malicious malware is installed (or a file downloaded through a link).

Emails containing a malicious Microsoft Office document, archive file (ZIP, RAR), executable file (.exe), PDF document, or JavaScript file are regularly sent by cybercriminals.

Fake software updating tools harm computers by exploiting faults or holes in obsolete operating system software or by distributing malware instead of updates and fixes.

Unofficial activation tools infect devices in a similar fashion, installing malicious software instead of activating licensed software for free.

Malicious files are hosted on unofficial websites, free file hosting sites, freeware download sites, third-party downloaders, peer-to-peer networks (e.g., torrent clients), and other similar download channels; downloading and opening them results in malware installation.

How to Avoid Being Infected with Ransomware?

Installed apps must be updated and activated using the built-in functionalities and/or tools provided by the creators. Unofficial, third-party tools can be used to spread harmful malware. Furthermore, using unauthorized activation ('cracking') methods to activate licensed programs is unlawful.

Because they contain attachments and web links, irrelevant emails received from dubious, unknown addresses should not be opened. They are very likely to have been sent by cybercriminals. As a result, you should only open email attachments if you are positive they will not harm you. All materials should be downloaded via direct links from official and trustworthy websites.

Scanning the operating system for risks with reliable antivirus or anti-spyware software on a regular basis is recommended, and any dangers found should be removed immediately.

Set up device restrictions that allow you to restrict the apps loaded on the device to a centrally managed whitelist. To prevent people from visiting harmful websites, increase browser security settings, disable Adobe Flash and other susceptible browser plugins, and employ web filtering. Word processing and other vulnerable apps should have macros disabled.

To prevent ransomware from connecting with Command & Control centers, use a firewall or web application firewall (WAF), Intrusion Prevention / Intrusion Detection Systems (IPS/IDS), and other restrictions.

Updated on 29-Aug-2022 12:20:35