This is reportedly the second alert issued by the Bureau addressing threats posed by ProLock ransomware.
The Federal Bureau of Investigation (FBI) has issued a second alert asking private and government entities to be wary of ProLock ransomware. Its operators are not only encrypting files for extortion but also stealing sensitive and critical data.
ProLock is a recently discovered strain of ransomware that adds a series of destructive enhancements over its predecessor, PwndLocker. The latter compromised systems by encrypting files and demanding a ransom. However, a bug was later found that allowed the encrypted files to be decrypted for free. The operators then rebranded the ransomware as ProLock.
According to the alert [PDF], the rebranded and enhanced ransomware targets private businesses, government and financial institutions, healthcare systems, and various other entities, selected by organizational size and structure. The ransomware infiltrates the victim’s system, then locates files and encrypts them. In order to retrieve the data, the victim has to pay a ransom in cryptocurrency.
The malware earned the name ProLock from the extension it appends to encrypted files, ‘.ProLock’. Once encryption is underway, the attackers place a ransom note in the affected folders to extort payment in Bitcoin.
The note also contains instructions leading the victim to a Tor website with details of the Bitcoin wallet. Once the victim transfers the cryptocurrency, a decryption key is provided. Without the key, decrypting the files is practically impossible.
However, the FBI has warned private industry to be wary of the ransomware, and also that the decryptor does not work properly, leading to data loss. In particular, files larger than 64 MB are very likely to be corrupted during the decryption process, as reported by Bleeping Computer.
It is noteworthy that ProLock’s operators have been compromising and extorting victims since the outbreak of the global pandemic (March 2020). Data stolen from government and private entities is held until the victims pay ransoms that can reach up to $660,000.
ProLock has successfully hit organizations across multiple industries, including corporate entities and government agencies.
According to researchers, the malware is distributed either through Remote Desktop Protocol (RDP) servers with weak credentials or through email phishing campaigns. The latter carry malicious attachments that deliver QakBot, which in turn makes use of stolen credentials and exploits system flaws.
Researchers also uncovered that the operators would archive stolen data and then upload it on cloud storage with the help of a command-line tool called Rclone.
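The two host-level behaviours the article attributes to ProLock, files being renamed with a ‘.ProLock’ extension and the Rclone command-line tool being launched to upload archived data, are both visible in ordinary endpoint telemetry. The following script is an added example written for this page; it is not code from the article or from the FBI alert. It runs a simple indicator match over a constructed, comma-separated event log (the `timestamp,event,host,detail` layout, the event names and the sample hosts are all assumptions made for the example), counts ‘.ProLock’ renames per host and flags any host that starts an `rclone` process.

```python
"""Indicator matching for the ProLock behaviours described in the FBI alert.

Added example, not the article's or the FBI's code. The log format below
(timestamp,event,host,detail) and all sample hosts/paths are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Indicators taken from the article: encrypted files receive a ".ProLock"
# extension, and stolen archives are uploaded with the Rclone CLI tool.
PROLOCK_EXT = re.compile(r"\.prolock$", re.IGNORECASE)
RCLONE_IMAGE = re.compile(r"(?:^|[\\/])rclone(?:\.exe)?$", re.IGNORECASE)

# Number of .ProLock renames on one host before we call it mass encryption
# (assumed threshold for the example; tune to the environment).
RENAME_THRESHOLD = 3

# Constructed sample telemetry, not real data: timestamp,event,host,detail
SAMPLE_EVENTS = [
    "2020-09-01T10:00:01,process_create,HR-PC-07,C:\\Windows\\System32\\svchost.exe",
    "2020-09-01T10:03:12,file_rename,HR-PC-07,C:\\Users\\ann\\Docs\\budget.xlsx -> C:\\Users\\ann\\Docs\\budget.xlsx.ProLock",
    "2020-09-01T10:03:12,file_rename,HR-PC-07,C:\\Users\\ann\\Docs\\notes.docx -> C:\\Users\\ann\\Docs\\notes.docx.ProLock",
    "2020-09-01T10:03:13,file_rename,HR-PC-07,C:\\Users\\ann\\Docs\\plan.pdf -> C:\\Users\\ann\\Docs\\plan.pdf.ProLock",
    "2020-09-01T10:04:02,file_rename,FS-01,D:\\Shares\\old.bak -> D:\\Shares\\old.bak.prolock",
    "2020-09-01T10:05:44,process_create,FS-01,C:\\Temp\\rclone.exe",
    "2020-09-01T10:06:10,file_rename,DEV-02,C:\\src\\a.txt -> C:\\src\\a.txt.bak",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed log line into its four fields.

    The detail field may itself contain commas, so split at most three times.
    """
    ts, event, host, detail = line.split(",", 3)
    return {"ts": ts, "event": event, "host": host, "detail": detail}


def rename_target(detail: str) -> str:
    """For a 'old -> new' rename detail return the new path; else the detail."""
    return detail.split(" -> ", 1)[-1]


def analyze(lines: Iterable[str]) -> Dict[str, object]:
    """Count .ProLock renames per host and note hosts launching rclone."""
    prolock_renames: Dict[str, int] = defaultdict(int)
    rclone_hosts: List[str] = []

    for line in lines:
        ev = parse_event(line)
        if ev["event"] == "file_rename" and PROLOCK_EXT.search(rename_target(ev["detail"])):
            prolock_renames[ev["host"]] += 1
        elif ev["event"] == "process_create" and RCLONE_IMAGE.search(ev["detail"]):
            if ev["host"] not in rclone_hosts:
                rclone_hosts.append(ev["host"])

    alerts: List[str] = []
    for host, count in prolock_renames.items():
        if count >= RENAME_THRESHOLD:
            alerts.append(f"{host}: {count} files renamed to .ProLock (mass encryption)")
        else:
            alerts.append(f"{host}: {count} .ProLock rename(s) (investigate)")
    for host in rclone_hosts:
        alerts.append(f"{host}: rclone launched (possible data exfiltration)")

    return {
        "prolock_renames": dict(prolock_renames),
        "rclone_hosts": rclone_hosts,
        "alerts": alerts,
    }


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS)["alerts"]:
        print(alert)
```

On the constructed sample the script reports HR-PC-07 as mass encryption, FS-01 as a single rename to investigate plus an rclone launch, and ignores the ordinary `.bak` rename on DEV-02. Because Rclone is a legitimate tool, an rclone launch on its own is a lead to investigate rather than proof of theft; seeing it on the same host as ‘.ProLock’ renames is the combination worth escalating, and isolating such a host before backups are touched matters given the article's note that the operators' decryptor is unreliable.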
Nonetheless, the FBI has asked victims not to pay the ransom and to report the incident as soon as possible. Paying the ransom amounts to funding the extortion. The recommendation is therefore to report to the local FBI office and provide as much detail about the activity as possible.
Moreover, regular backups of data are crucial; also enable two-factor authentication wherever possible. Details of the first alert issued by the FBI are available here.