ProLock unmasked: analysing the new ransomware operators' actions with the MITRE ATT&CK matrix



The success of ransomware attacks on organizations around the world keeps prompting new attackers to "enter the game." One of these new players is the ProLock ransomware group. It appeared in March 2020 as the successor to PwndLocker, which had been operating since late 2019. ProLock attacks are aimed primarily at financial and medical organizations, government agencies and the retail sector. Recently, ProLock operators successfully attacked one of the largest ATM manufacturers, Diebold Nixdorf.

In this post, Oleg Skulkin, Lead Specialist at Group-IB's Computer Forensics Laboratory, describes the main tactics, techniques and procedures (TTPs) used by ProLock operators. The article ends with a mapping to MITRE ATT&CK, a public knowledge base of the tactics and techniques used in targeted attacks by various cybercriminal groups.

Initial access


ProLock operators use two main initial-compromise vectors: the QakBot (Qbot) trojan and exposed RDP servers with weak passwords.

Compromise through an externally accessible RDP server is extremely popular with ransomware operators. Typically, attackers buy access to an already compromised server from third parties, but group members can also obtain it on their own.

The more interesting initial-compromise vector is the QakBot malware. Previously, this trojan was associated with another ransomware family, MegaCortex. Now, however, it is used by ProLock operators.

Typically, QakBot is distributed through phishing campaigns. A phishing email may contain an attached Microsoft Office document or a link to such a file hosted in cloud storage, for example Microsoft OneDrive.

There are also cases of QakBot being downloaded by another trojan, Emotet, which is widely known for its role in campaigns that distributed the Ryuk ransomware.

Execution


After downloading and opening the infected document, the user is prompted to allow macros to run. If that succeeds, PowerShell is launched to download and run the QakBot payload from the command-and-control (C2) server.

It is important to note that the same applies to ProLock: the payload is extracted from a BMP or JPG file and loaded into memory using PowerShell. In some cases, a scheduled task is used to start PowerShell.

Batch script that launches ProLock through the Task Scheduler (it registers a task from a dropped XML definition, runs it, then deletes both the XML and itself):

schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr
schtasks.exe /RUN /tn WinMgr
del C:\Programdata\WinMgr.xml
del C:\Programdata\run.bat

Persistence


If the RDP server was compromised and access gained, existing (valid) accounts are used to keep a foothold in the network. QakBot is notable for its variety of persistence mechanisms. Most often, the trojan uses the Run registry key and creates scheduled tasks:


QakBot persistence on the system via the Run registry key


In some cases, startup folders are also used: a shortcut pointing to the loader is placed there.

Defense evasion


Through communication with the C2 server, QakBot periodically tries to update itself, so to avoid detection the malware can replace its current version with a new one. Executable files are signed with a compromised or forged signature. The initial payload loaded by PowerShell is stored on the C2 server with a PNG extension. In addition, after execution it is replaced with the legitimate calc.exe file.

Also, to hide malicious activity, QakBot uses process injection, with explorer.exe as the target process.

As already mentioned, the ProLock payload is hidden inside a BMP or JPG file. This too can be regarded as a defense evasion technique.

Credential access


QakBot has keylogger functionality. In addition, it can download and run additional scripts, for example Invoke-Mimikatz, the PowerShell version of the well-known Mimikatz utility. Cybercriminals can use such scripts to dump credentials.

Discovery


After gaining access to privileged accounts, ProLock operators conduct network reconnaissance, which may include port scanning and analysis of the Active Directory environment. In addition to various scripts, the attackers use AdFind, another tool popular among ransomware groups, to collect information about Active Directory.

Lateral movement


Traditionally, one of the most popular ways to move laterally through a network is the Remote Desktop Protocol, and ProLock is no exception. The attackers even have scripts in their arsenal for gaining RDP access to target hosts.

BAT script for enabling access via RDP (the first line allows RDP connections, the second enables the Remote Desktop firewall rule group, and the third disables Network Level Authentication):

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f

For remote script execution, ProLock operators use another popular tool, the PsExec utility from the Sysinternals Suite. On hosts, ProLock is launched with WMIC, the command-line interface to the Windows Management Instrumentation subsystem; this tool too is gaining popularity among ransomware operators.

Data collection


Like many other ransomware operators, the group using ProLock collects data from the compromised network to increase its chances of being paid. Before exfiltration, the collected data is archived with the 7-Zip utility.

Exfiltration


To upload data, ProLock operators use Rclone, a command-line tool for synchronizing files with various cloud storage services such as OneDrive, Google Drive and Mega. The attackers always rename the executable so that it looks like a legitimate system file.

Unlike their “colleagues”, ProLock operators still do not have their own website for publishing data stolen from companies that refused to pay the ransom.

Achieving the objective


After exfiltrating the data, the team deploys ProLock across the enterprise network. The binary is extracted from a file with a PNG or JPG extension using PowerShell and loaded into memory:
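The article states twice (in the Defense evasion section and here) that the ProLock binary is extracted from a BMP or JPG file by PowerShell, without saying how it is embedded. The following Python check is an added example, not part of the original article or of Group-IB's tooling; it assumes the simplest carrier layout, a payload appended after the image's own end, and reports how many bytes lie beyond the size declared in a BMP header or after a JPEG's EOI marker. The sample files are constructed inside the block (a 1x1 BMP and a JPEG marker skeleton that is structurally valid for the walker but not a decodable picture).

```python
"""Flag BMP/JPEG files that carry bytes beyond the image's own end.

Added example, not from the article. Assumption: the payload is simply appended
to the carrier, the most common layout; a scheme hidden inside pixel data would
not be caught by this check.
"""
import struct


def bmp_trailing_bytes(data: bytes) -> int:
    """Bytes past the size declared in BITMAPFILEHEADER.bfSize, or -1 if not a BMP."""
    if len(data) < 14 or data[:2] != b"BM":
        return -1
    declared = struct.unpack_from("<I", data, 2)[0]
    return max(0, len(data) - declared)


def jpeg_trailing_bytes(data: bytes) -> int:
    """Bytes after the EOI marker (FF D9) that closes the image, or -1 if not a JPEG.

    Walks marker segments by their length fields, so an EOI inside an EXIF
    thumbnail is skipped, then scans entropy-coded data (after SOS) for the
    next real marker (FF followed by anything but 00 or a restart marker).
    """
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return -1
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return 0                      # malformed structure: do not guess
        marker = data[pos + 1]
        if marker == 0xD9:                # EOI: anything after it is trailing data
            return len(data) - (pos + 2)
        if marker == 0xFF:                # fill byte before a marker
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return 0
        pos += 2 + struct.unpack_from(">H", data, pos + 2)[0]  # skip whole segment
        if marker == 0xDA:                # SOS: skip entropy-coded data
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00
                and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    return 0


def trailing_bytes(data: bytes) -> int:
    """Dispatch on the magic bytes; -1 means neither carrier type."""
    if data[:2] == b"BM":
        return bmp_trailing_bytes(data)
    if data[:2] == b"\xff\xd8":
        return jpeg_trailing_bytes(data)
    return -1


def build_bmp_1px() -> bytes:
    """Constructed 1x1 24-bit BMP (58 bytes) used as a clean sample."""
    pixels = b"\x00\x00\xff\x00"          # one BGR pixel plus row padding
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    size = 14 + len(dib) + len(pixels)
    return b"BM" + struct.pack("<IHHI", size, 0, 0, 14 + len(dib)) + dib + pixels


def build_jpeg_skeleton() -> bytes:
    """Constructed 37-byte marker skeleton: SOI, APP0, SOS, entropy bytes, EOI.
    Structurally valid for the walker but not a decodable picture."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    entropy = b"\x12\x34\xff\x00\x56"     # stuffed FF 00 must not end the scan
    return b"\xff\xd8" + app0 + sos + entropy + b"\xff\xd9"


if __name__ == "__main__":
    for name, blob in [("clean.bmp", build_bmp_1px()),
                       ("carrier.bmp", build_bmp_1px() + b"PAYLOAD"),
                       ("clean.jpg", build_jpeg_skeleton()),
                       ("carrier.jpg", build_jpeg_skeleton() + b"PAYLOAD")]:
        print(f"{name}: {trailing_bytes(blob)} trailing bytes")
```

A non-zero result is a triage signal, not proof: some cameras and editors do append metadata after EOI, so the hit should be followed by a look at what the trailing bytes actually are.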


First of all, ProLock terminates the processes in its built-in list (interestingly, it matches on only the first six letters of the process name, for example “winwor”), and stops services, including security-related ones such as CSFalconService (CrowdStrike Falcon), using the net stop command.

Then, as with many other ransomware families, the attackers use vssadmin to delete Windows shadow copies and cap the shadow storage size so that no new copies are created:

vssadmin.exe delete shadows /all /quiet
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
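Every command quoted in this article (the scheduled-task batch file in the Execution section, the RDP-enabling BAT script in the Lateral movement section, the net stop and vssadmin commands above) is visible in process-creation telemetry, and the renamed Rclone binary from the Exfiltration section can be caught by comparing the image name with the PE's own OriginalFileName. The following Python triage script is an added example, not part of the original article or of Group-IB's tooling; the event records are constructed by hand with field names modelled on Sysmon Event ID 1 (Image, CommandLine, OriginalFileName), and the C:\ProgramData\svchost.exe path used for the renamed Rclone sample is an assumed name for illustration, not one reported for ProLock.

```python
"""Triage process-creation events for the ProLock command lines quoted in this article.

Added example, not from the article or Group-IB's tooling. Records are constructed by
hand; the field names mirror Sysmon Event ID 1 (Image, CommandLine, OriginalFileName).
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str               # full path of the created process
    command_line: str        # command line as logged
    original_file_name: str  # OriginalFileName from the PE version resource (Sysmon 10+)


# Security services the article reports ProLock stopping; extend for your own estate.
WATCHED_SERVICES = {"csfalconservice"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _cl(ev: ProcEvent) -> str:
    return ev.command_line.lower()


def _sets_dword_zero(ev: ProcEvent) -> bool:
    # matches "reg add ... /d 0" (value written as 0)
    return re.search(r"/d\s+0(\s|$)", _cl(ev)) is not None


def _stopped_service(ev: ProcEvent):
    """Service name from 'net stop <name>' (bare or quoted), or None."""
    m = re.search(r"\bstop\s+\"?([^\s\"]+)", _cl(ev))
    return m.group(1) if m else None


# (rule name, predicate); each predicate is tuned to a command quoted in the article.
RULES = [
    ("schtasks_create_from_programdata_xml",
     lambda ev: _base(ev.image) == "schtasks.exe"
     and "/create" in _cl(ev) and "/xml" in _cl(ev) and "\\programdata\\" in _cl(ev)),
    ("rdp_enabled_via_registry",
     lambda ev: _base(ev.image) == "reg.exe"
     and "fdenytsconnections" in _cl(ev) and _sets_dword_zero(ev)),
    ("rdp_nla_disabled_via_registry",
     lambda ev: _base(ev.image) == "reg.exe"
     and "winstations\\rdp-tcp" in _cl(ev) and "userauthentication" in _cl(ev)
     and _sets_dword_zero(ev)),
    ("firewall_rdp_group_enabled",
     lambda ev: _base(ev.image) == "netsh.exe"
     and 'group="remote desktop"' in _cl(ev) and "enable=yes" in _cl(ev)),
    ("shadow_copies_deleted",
     lambda ev: _base(ev.image) == "vssadmin.exe" and "delete shadows" in _cl(ev)),
    ("shadow_storage_resized",
     lambda ev: _base(ev.image) == "vssadmin.exe" and "resize shadowstorage" in _cl(ev)),
    ("security_service_stopped",
     lambda ev: _base(ev.image) in {"net.exe", "net1.exe"}
     and _stopped_service(ev) in WATCHED_SERVICES),
    ("renamed_rclone",   # on-disk name differs from the PE's own OriginalFileName
     lambda ev: ev.original_file_name.lower() == "rclone.exe"
     and _base(ev.image) != "rclone.exe"),
]

# Constructed sample events: the article's commands plus two controls that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr", "schtasks.exe"),
    ProcEvent(r"C:\Windows\System32\reg.exe",
              r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" '
              r'/v "fDenyTSConnections" /t REG_DWORD /d 0 /f', "reg.exe"),
    ProcEvent(r"C:\Windows\System32\netsh.exe",
              'netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes', "netsh.exe"),
    ProcEvent(r"C:\Windows\System32\reg.exe",
              r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" '
              r'/v "UserAuthentication" /t REG_DWORD /d 0 /f', "reg.exe"),
    ProcEvent(r"C:\Windows\System32\net.exe", "net stop CSFalconService", "net.exe"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet", "VSSADMIN.EXE"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB", "VSSADMIN.EXE"),
    # assumed masquerade name for the renamed Rclone (constructed, not from the article)
    ProcEvent(r"C:\ProgramData\svchost.exe", r"svchost.exe copy D:\share remote:backup", "rclone.exe"),
    ProcEvent(r"C:\Windows\System32\reg.exe",                    # control: unrelated DWORD write
              r'reg add "HKLM\Software\Example" /v "Foo" /t REG_DWORD /d 0 /f', "reg.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",               # control: /RUN alone is benign
              "schtasks.exe /RUN /tn WinMgr", "schtasks.exe"),
]


def triage(events):
    """Return (rule_name, image_basename, command_line) for every rule an event matches."""
    return [(name, _base(ev.image), ev.command_line)
            for ev in events for name, pred in RULES if pred(ev)]


def matched_rules(events):
    """Sorted set of rule names that fired over the events."""
    return sorted({hit[0] for hit in triage(events)})


if __name__ == "__main__":
    for name, img, cl in triage(SAMPLE_EVENTS):
        print(f"[{name}] {img}: {cl}")
```

Each rule on its own is noisy on an admin workstation; the value is in the combination, since a single host emitting the RDP registry change, a net stop of an EDR service and a vssadmin delete within minutes matches the sequence this article describes.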

ProLock appends the extension .proLock, .pr0Lock or .proL0ck to each encrypted file and places a file named [HOW TO RECOVER FILES].TXT in each folder. This file contains instructions for decrypting the files, including a link to a site where the victim must enter a unique identifier to receive payment details:


Each ProLock sample contains the ransom amount; in this case it is 35 bitcoins, roughly 312,000 US dollars.

Conclusion


Many ransomware operators use similar methods to achieve their goals, yet some techniques are unique to each group. The number of cybercriminal groups using ransomware in their campaigns keeps growing. In some cases the same operators take part in attacks with different ransomware families, so we will increasingly see overlaps in the tactics, techniques and procedures used.

MITRE ATT&CK mapping

Tactic                        | Technique
------------------------------|------------------------------------------------------------------------------------------------
Initial Access (TA0001)       | External Remote Services (T1133), Spearphishing Attachment (T1193), Spearphishing Link (T1192)
Execution (TA0002)            | PowerShell (T1086), Scripting (T1064), User Execution (T1204), Windows Management Instrumentation (T1047)
Persistence (TA0003)          | Registry Run Keys / Startup Folder (T1060), Scheduled Task (T1053), Valid Accounts (T1078)
Defense Evasion (TA0005)      | Code Signing (T1116), Deobfuscate/Decode Files or Information (T1140), Disabling Security Tools (T1089), File Deletion (T1107), Masquerading (T1036), Process Injection (T1055)
Credential Access (TA0006)    | Credential Dumping (T1003), Brute Force (T1110), Input Capture (T1056)
Discovery (TA0007)            | Account Discovery (T1087), Domain Trust Discovery (T1482), File and Directory Discovery (T1083), Network Service Scanning (T1046), Network Share Discovery (T1135), Remote System Discovery (T1018)
Lateral Movement (TA0008)     | Remote Desktop Protocol (T1076), Remote File Copy (T1105), Windows Admin Shares (T1077)
Collection (TA0009)           | Data from Local System (T1005), Data from Network Shared Drive (T1039), Data Staged (T1074)
Command and Control (TA0011)  | Commonly Used Port (T1043), Web Service (T1102)
Exfiltration (TA0010)         | Data Compressed (T1002), Transfer Data to Cloud Account (T1537)
Impact (TA0040)               | Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490)
