S0654 ProLock

ProLock is a ransomware strain that has been used in Big Game Hunting (BGH) operations since at least 2020, often obtaining initial access with QakBot. ProLock is the successor to PwndLocker ransomware, which was found in 2019 to contain a bug allowing decryption without ransom payment. [1]

ID: S0654
Associated Names: (none listed)
Version: 1.0
Created: 30 September 2021
Last Modified: 15 October 2021

Techniques Used (all Enterprise domain; sub-techniques are indented under their parent technique)

T1197 BITS Jobs: ProLock can use BITS jobs to download its malicious payload. [1]
T1486 Data Encrypted for Impact: ProLock can encrypt files on a compromised host with RC6, and encrypts the key with RSA-1024. [1]
T1068 Exploitation for Privilege Escalation: ProLock can use CVE-2019-0859 to escalate privileges on a compromised host. [1]
T1070 Indicator Removal
    T1070.004 File Deletion: ProLock can remove files containing its payload after they are executed. [1]
T1490 Inhibit System Recovery: ProLock can use vssadmin.exe to remove volume shadow copies. [1]
T1027 Obfuscated Files or Information
    T1027.003 Steganography: ProLock can use .jpg and .bmp files to store its payload. [1]
T1047 Windows Management Instrumentation: ProLock can use WMIC to execute scripts on targeted hosts. [1]