S0654 ProLock
ProLock is a ransomware strain that has been used in Big Game Hunting (BGH) operations since at least 2020, often obtaining initial access with QakBot. ProLock is the successor to PwndLocker ransomware, which was found in 2019 to contain a bug allowing decryption without ransom payment. [1]
Item | Value |
---|---|
ID | S0654 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 30 September 2021 |
Last Modified | 15 October 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1197 | BITS Jobs | ProLock can use BITS jobs to download its malicious payload. [1] |
enterprise | T1486 | Data Encrypted for Impact | ProLock can encrypt files on a compromised host with RC6, and encrypts the key with RSA-1024. [1] |
enterprise | T1068 | Exploitation for Privilege Escalation | ProLock can use CVE-2019-0859 to escalate privileges on a compromised host. [1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | ProLock can remove files containing its payload after they are executed. [1] |
enterprise | T1490 | Inhibit System Recovery | ProLock can use vssadmin.exe to remove volume shadow copies. [1] |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.003 | Steganography | ProLock can use .jpg and .bmp files to store its payload. [1] |
enterprise | T1047 | Windows Management Instrumentation | ProLock can use WMIC to execute scripts on targeted hosts. [1] |