FBI warns US organizations of ProLock ransomware decryptor not working

Pierluigi Paganini May 18, 2020

The FBI‌ issued a flash alert to warn organizations in the United States that the ProLock ransomware decryptor doesn’t work properly.

Early this month, the FBI‌ issued a flash alert to warn organizations of the new threat actor targeting healthcare, government, financial, and retail industries in the US.

“The decryption key or ‘decryptor’ provided by the attackers upon paying the ransom has not routinely executed correctly,” states the alert.

“The decryptor can potentially corrupt files that are larger than 64MB and may result in file integrity loss of approximately 1 byte per 1KB over 100MB.”

Threat actors are attempting to take advantage of the ongoing Coronavirus pandemic and are using COVID-19 lures in their attacks.

Experts reported several ransomware attacks against businesses and organizations, the ProLock ransomware is just is yet another threat to the list.

The FBI is recommending victims of ransomware attacks to avoid paying the ransom to decrypt their files. Feds warned that the decryptor for the ProLock is not correctly working and using it could definitively destroy the data. The descriptor could corrupt files larger than 64MB during the decryption process.

The PwndLocker ransomware first appeared in the threat landscape by security researchers in late 2019, operators’ demands have ranged from $175,000 to more than $660,000 worth of Bitcoin.

According to the FBI, operators behind the threat gain access to hacked networks via the Qakbot (Qbot) trojan, but experts from Group-IB added that they also target unprotected Remote Desktop Protocol (RDP)-servers with weak credentials. It is still unclear if the ProLock ransomware was managed by the Qakbot gang, or if the ProLock operators pay to gain access to hosts infected with Qakbot to deliver their malware.

“ProLock operators used two main vectors of initial access: QakBot (Qbot) and unprotected Remote Desktop Protocol (RDP)-servers with weak credentials.” reads the report published by Group-IB.

“The latter is a fairly common technique among ransomware operators. This kind of access is usually bought from a third party but may be obtained by group members as well.”

In March, threat actors behind PwndLocker changed the name of their malware to ProLock, immediately after security firm Emsisoft released a free decryptor tool.

According to the popular investigator Brian Krebs, the systems at Diebold Nixdorf were recently infected by the ProLock ransomware (aka PwndLocker), the same piece of ransomware involved in the attack against Lasalle County, Ill. in March.

“Fabian Wosar, Emsisoft’s chief technology officer, said if Diebold’s claims about not paying their assailants are true, it’s probably for the best: That’s because current versions of ProLock’s decryptor tool will corrupt larger files such as database files.” reads the analysis published by Krebs.

“As luck would have it, Emsisoft does offer a tool that fixes the decryptor so that it properly recovers files held hostage by ProLock, but it only works for victims who have already paid a ransom to the crooks behind ProLock.

“We do have a tool that fixes a bug in the decryptor, but it doesn’t work unless you have the decryption keys from the ransomware authors,” Wosar said.”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – ProLock, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment