PwndLocker operators rebrand it as ProLock after the flaw detection
PwndLocker ransomware was spotted at the beginning of this month. It was targeting the enterprise networks and demands a ransom ranging between $175,000 and $660,000 that depends on what the networks’ size.
Soon after the detection, Michael Gillespie of ID Ransomware and Fabrian Wosar of Emsisoft discovered bugs in the malware that allowed them to create decryption tool for it. Thus, the victims then could access back the files without paying the ransom.
Due to this failure, the developers rebrand the ransomware as the name ProLock Ransomware. PeterM, a researcher from Sophos said, this new ransomware is distributed via using a BMP image file being stored on C:\ProgrmData under the name WinMgr.bmp. In this image, the ransomware executable is embedded.
The BMP file has a few dots on the upper right corner, viewing through hex editor, these include binary data embedded. A PowerShell Script resembles the binary data and injects it into the memory.
It is not clear from where the malware got access to device. However, it is suspecting that it could gain the access through exposed Remote Desktop Services. “They targeted a handful of servers. Not sure how they got in (yet) but I can see quite a few keygens and cracking tools on the network, probably just end up being an exposed RDP though :-), said Peter, in a Tweet.
There seem no change in the method of the encryption is done. The ProLock uses the same method as that used by PwndLocker. When launched, it clears the Shadow Copies on the device in order to harden the files recovery.
vssadmin.exe delete shadows /all /quiet
vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=401MB
vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=unbounded
Then, it encrypts the files on the device. It targets the files with the extensions include .exe, .dll, .lnk, .ico, .ini, .msi, .chm, .sys, .hlf, .lng, .inf, .ttf, .cmd, .bat, .vhd, .bac, .bak, .wbc, .bkf, .set, .win, .dsk. After getting encrypted, these files receive a new extension. The ProLock uses .ProLock extension to an encrypted file’s name. For example, a file 1.doc becomes 1.doc.ProLock.
After finishing the encryption process, the ransomware creates a ransom note in a file named [HOW TO RECOVER FILES].TXT that contains instruction how to connect to a Tor for the payment information. Here is the full text provided on this note:
Your files have been encrypted by ProLock Ransomware using RSA-2048 algorithm.
[.:Nothing personal just business:.]
No one can help you to restore files without our special decryption tool.
To get your files back you have to pay the decryption fee in BTC.
The final price depends on how fast you write to us.
- Download TOR browser: https://www.torproject.org/
- Install the TOR Browser.
- Open the TOR Browser.
- Open our website in the TOR browser: msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion
- Login using your ID xxx
***If you have any problems connecting or using TOR network:
contact our support by email [email protected].
[You’ll receive instructions and price inside]
The decryption keys will be stored for 1 month.
We also have gathered your sensitive data.
We would share it in case you refuse to pay.
Decryption using third party software is impossible.
Attempts to self-decrypting files will result in the loss of your data.
Unfortunately, the ransomware developers successfully fix their flaw that made the decryption possible for free. Victims will not need to recover the files using backups instead or rebuilt their files.