Skip to content
Ransomware group

ProLock

ProLock is a Windows ransomware family, previously known as PwndLocker/PwndLcker, that was rebranded as ProLock in 2019.

Profile source: Mallory opens in a new tab

ProLock

Family profile

ProLock is a Windows ransomware family, previously known as PwndLocker/PwndLcker, that was rebranded as ProLock in 2019. It has been described as a relatively uncommon ransomware strain that went through multiple names and iterations. ProLock encrypts files on compromised hosts using RC6 and encrypts the key with RSA-1024. It can remove Volume Shadow Copies using vssadmin.exe and can use WMIC to execute scripts on targeted hosts. Reported privilege-escalation activity includes exploitation of CVE-2019-0859. The malware can use JPG and BMP files to store its payload. ProLock has been associated with QakBot/Qbot infections as an initial access vector or delivery mechanism, and reporting states that QakBot infections have led to deployment of ProLock. France’s CERT reported that the Lockean ransomware affiliate operation used ProLock alongside Maze, Egregor, and REvil, and that TA551 collaborated with Lockean by helping affiliates drop ProLock payloads on devices infected with Qbot/QakBot. The content also notes ties or reported links involving Sekhmet, LockBit, and Maze affiliates. A notable incident cited involved Diebold Nixdorf, where investigators determined intruders installed ProLock ransomware on the company’s corporate network. At the time described in the reporting, ProLock operators had not yet launched their own public leak blog, though reporting indicated movement toward data-theft extortion. Typical ransom demands cited in the content ranged from about $175,000 to more than $660,000 depending on victim size.

Ransomware.live

Operational record

View group record ↗

Reported operators

Threat actors

1 named in public reporting
Lockean

Between June 2020 and March 2021, Lockean attacked at least seven more companies with various ransomware families: Maze, Egregor, ProLock, REvil.

Exploited software

Vulnerabilities linked to ProLock

1 CVEs

MITRE ATT&CK

ProLock in ATT&CK

7 distinct techniques

Reporting

Research mentioning ProLock

Mar 25
Bleeping Computer

Manager of botnet used in ransomware attacks gets 2 years in prison

France's Computer Emergency Response Team (CERT) also flagged TA551 as a collaborator in the Lockean ransomware operation, helping its affiliates drop ProLock, Egregor, and DoppelPaymer ransomware payloads on devices infected with the Qbot/QakBot banking trojan.

Oct 31
Mitre Attack Website

Inhibit System Recovery, Technique T1490 - Enterprise | MITRE ATT&CK®

ProLock can use vssadmin.exe to remove volume shadow copies.

May 6
Chainalysis

Examining the Impact of Ransomware Disruptions: Qakbot, LockBit, and ALPHV-BlackCat - Chainalysis

Ransomware strains like Conti, Prolock, Quantum, Sodinokibi/REvil, and Black Basta, leveraged the loader in successful ransomware attacks.

Mar 29
Sentinelone Labs

Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone - SentinelLabs

There have been reports of ties to Sekhmet, ProLock, and LockBit as well (both of which have also been tied to Maze).

Jun 9
Register Security

Windows Follina zero-day exploited to infect PCs with Qbot • The Register

...QBot had Egregor, ProLock, LockerGoga, Mount Locker...

Nov 4
Bleeping Computer

Lockean multi-ransomware affiliates linked to attacks on French orgs

Between June 2020 and March 2021, Lockean attacked at least seven more companies with various ransomware families: Maze, Egregor, ProLock, REvil.

Oct 21
Mitre Attack Website

Updates - Updates - October 2021 | MITRE ATT&CK®

Enterprise New Software: ... ProLock

Jun 30
Picus Security

MITRE ATT&CK T1003 Credential Dumping

Cited: “ATT&CKing ProLock Ransomware.”

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.