Between June 2020 and March 2021, Lockean attacked at least seven more companies with various ransomware families: Maze, Egregor, ProLock, REvil.
ProLock
ProLock is a Windows ransomware family, previously known as PwndLocker/PwndLcker, that was rebranded as ProLock in 2019.
Profile source: Mallory opens in a new tabProLock
Family profile
ProLock is a Windows ransomware family, previously known as PwndLocker/PwndLcker, that was rebranded as ProLock in 2019. It has been described as a relatively uncommon ransomware strain that went through multiple names and iterations. ProLock encrypts files on compromised hosts using RC6 and encrypts the key with RSA-1024. It can remove Volume Shadow Copies using vssadmin.exe and can use WMIC to execute scripts on targeted hosts. Reported privilege-escalation activity includes exploitation of CVE-2019-0859. The malware can use JPG and BMP files to store its payload. ProLock has been associated with QakBot/Qbot infections as an initial access vector or delivery mechanism, and reporting states that QakBot infections have led to deployment of ProLock. France’s CERT reported that the Lockean ransomware affiliate operation used ProLock alongside Maze, Egregor, and REvil, and that TA551 collaborated with Lockean by helping affiliates drop ProLock payloads on devices infected with Qbot/QakBot. The content also notes ties or reported links involving Sekhmet, LockBit, and Maze affiliates. A notable incident cited involved Diebold Nixdorf, where investigators determined intruders installed ProLock ransomware on the company’s corporate network. At the time described in the reporting, ProLock operators had not yet launched their own public leak blog, though reporting indicated movement toward data-theft extortion. Typical ransom demands cited in the content ranged from about $175,000 to more than $660,000 depending on victim size.
Ransomware.live
Operational record
Reported operators
Threat actors
1 named in public reportingExploited software
Vulnerabilities linked to ProLock
1 CVEsMITRE ATT&CK
ProLock in ATT&CK
7 distinct techniquesReporting
Research mentioning ProLock
Manager of botnet used in ransomware attacks gets 2 years in prison
France's Computer Emergency Response Team (CERT) also flagged TA551 as a collaborator in the Lockean ransomware operation, helping its affiliates drop ProLock, Egregor, and DoppelPaymer ransomware payloads on devices infected with the Qbot/QakBot banking trojan.
Inhibit System Recovery, Technique T1490 - Enterprise | MITRE ATT&CK®
ProLock can use vssadmin.exe to remove volume shadow copies.
Examining the Impact of Ransomware Disruptions: Qakbot, LockBit, and ALPHV-BlackCat - Chainalysis
Ransomware strains like Conti, Prolock, Quantum, Sodinokibi/REvil, and Black Basta, leveraged the loader in successful ransomware attacks.
Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone - SentinelLabs
There have been reports of ties to Sekhmet, ProLock, and LockBit as well (both of which have also been tied to Maze).
Windows Follina zero-day exploited to infect PCs with Qbot • The Register
...QBot had Egregor, ProLock, LockerGoga, Mount Locker...
Lockean multi-ransomware affiliates linked to attacks on French orgs
Between June 2020 and March 2021, Lockean attacked at least seven more companies with various ransomware families: Maze, Egregor, ProLock, REvil.
Updates - Updates - October 2021 | MITRE ATT&CK®
Enterprise New Software: ... ProLock
MITRE ATT&CK T1003 Credential Dumping
Cited: “ATT&CKing ProLock Ransomware.”