ProLock is a ransomware strain that has been used in Big Game Hunting (BGH) operations since at least 2020, often obtaining initial access with QakBot. ProLock is the successor to PwndLocker ransomware which was found to contain a bug allowing decryption without ransom payment in 2019.[1]

ID: S0654
Platforms: Windows
Version: 1.0
Created: 30 September 2021
Last Modified: 15 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1197 BITS Jobs

ProLock can use BITS jobs to download its malicious payload.[1]

Enterprise T1486 Data Encrypted for Impact

ProLock can encrypt files on a compromised host with RC6, and encrypts the key with RSA-1024.[1]

Enterprise T1068 Exploitation for Privilege Escalation

ProLock can use CVE-2019-0859 to escalate privileges on a compromised host.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

ProLock can remove files containing its payload after they are executed.[1]

Enterprise T1490 Inhibit System Recovery

ProLock can use vssadmin.exe to remove volume shadow copies.[1]

Enterprise T1027 .003 Obfuscated Files or Information: Steganography

ProLock can use .jpg and .bmp files to store its payload.[1]

Enterprise T1047 Windows Management Instrumentation

ProLock can use WMIC to execute scripts on targeted hosts.[1]