Beware Of ProLock Ransomware And Its Faulty Decryptor


A quirky destructive ransomware with troubling aftershocks that has an unusual file encryption has been exposed by SophosLabs.

Dubbed ProLock, the ransomware skips files smaller than 8,192 bytes and starts encrypting larger files after the first 8,192 bytes.

“Even under the best of circumstances, it is hard to recover from a ransomware attack. But, ProLock’s unusual encryption scheme, coupled with a faulty decryptor provided by the attackers to victims who are willing to cooperate and pay the ransom, make recovery that much more difficult,” said Sean Gallagher, senior threat research, Sophos.

An in-depth study at this ransomware and its unusual file encryption reports the result as being files that are partially readable, and partially encrypted.

This could contribute to the reason why the decryptor key, the code victims receive after they’ve paid a ransom to get their encrypted data back, actually corrupts the files that were encrypted to begin with – meaning, even if victims pay, there’s a chance their data will be lost or made more expensive to recover.

“ProLock can cause a fair amount of economic damage to victims, since it is likely only the final leg of a breach of a targeted network but Up-to-date endpoint protection tools (such as Intercept X with EDR; see story for defenders) can be effective in blunting and stopping the attack,” he added.

Organizations can take steps to prevent these types of attacks,like protecting remote network access by putting RDP access behind a virtual private network and using multi-factor authentication for remote access. As with all ransomware threats, maintaining offline backups, and malware protection for both desktops and servers hardens defenses against attacks like ProLock.

ProLock uses achingly familiarransomware tactics like leveraging the RDP, phishing or third-party malware to gain remote access, and using native Windows tools to spread their malware.

The use of weak steganography to conceal a code and of obfuscated PowerShell scripts to launch it makes detecting these kinds of attacks without strong malware protection difficult at best, and especially so in the midst of a pandemic.

“Companies have to take a hard look at how they deploy RDP and remote access. Simply adopting two-factor authentication for remote access and putting RDP sessions behind a virtual private network would significantly reduce the potential for attacks like these,” Gallagher said in conclusion.


Do you have a story that you think would interest our readers?
Write to us


Please enter your comment!
Please enter your name here
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.