ProLock

ProLock is a ransomware strain that has been used in Big Game Hunting (BGH) operations since at least 2020, often obtaining initial access with QakBot. ProLock is the successor to PwndLocker ransomware which was found to contain a bug allowing decryption without ransom payment in 2019.^[1]

ID: S0654

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 30 September 2021

Last Modified: 15 October 2021

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1197		BITS Jobs	ProLock can use BITS jobs to download its malicious payload.^[1]
Enterprise	T1486		Data Encrypted for Impact	ProLock can encrypt files on a compromised host with RC6, and encrypts the key with RSA-1024.^[1]
Enterprise	T1068		Exploitation for Privilege Escalation	ProLock can use CVE-2019-0859 to escalate privileges on a compromised host.^[1]
Enterprise	T1070	.004	Indicator Removal: File Deletion	ProLock can remove files containing its payload after they are executed.^[1]
Enterprise	T1490		Inhibit System Recovery	ProLock can use vssadmin.exe to remove volume shadow copies.^[1]
Enterprise	T1027	.003	Obfuscated Files or Information: Steganography	ProLock can use .jpg and .bmp files to store its payload.^[1]
Enterprise	T1047		Windows Management Instrumentation	ProLock can use WMIC to execute scripts on targeted hosts.^[1]

References

Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.

ProLock

Enterprise Layer

Techniques Used

References