Sophos: Be wary of ProLock ransomware and its faulty decryptor
Sophos has warned businesses to be wary of ProLock, a quirky, destructive ransomware with troubling aftershocks.
SophosLabs has published an in-depth look at the ransomware and its unusual file encryption: it skips files smaller than 8,192 bytes entirely, and for larger files it leaves the first 8,192 bytes untouched and encrypts only what follows. The result is files that are partially readable and partially encrypted.
This may be part of the reason why the decryptor, the tool victims receive after paying the ransom to get their data back, can itself corrupt the files it is supposed to restore. Even victims who pay therefore run a real risk that their data is lost outright or becomes more expensive to recover.
Even setting the encryption aside, ProLock can cause substantial economic damage, since it is likely only the final stage of a broader breach of the targeted network.
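To make the 8,192-byte pattern concrete, here is a small model of the partial-encryption behaviour described above together with a triage check a responder could run over suspect files. This is an added illustration, not code from Sophos or from the ProLock sample: the cipher is a stand-in keystream (SHA-256 in counter mode) chosen only so the demo runs offline, the key and the log-style sample file are constructed for the example, and the entropy thresholds are heuristics, not values taken from the SophosLabs analysis.

```python
"""Toy model of the skip-the-first-8-KiB encryption pattern and a triage check
for it. Added illustration only; not ProLock's code or Sophos's tooling."""
import hashlib
import math
from collections import Counter

# Files smaller than this are left alone; larger files keep their first
# SKIP bytes in the clear and have everything after that encrypted.
SKIP = 8192


def _keystream(key: bytes, length: int) -> bytes:
    """Deterministic stand-in keystream (SHA-256 in counter mode).
    Assumption for the demo only; this is NOT the cipher ProLock uses."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_partial(data: bytes, key: bytes) -> bytes:
    """Apply the scheme the article describes: files under SKIP bytes are
    returned untouched; otherwise the first SKIP bytes stay as-is and only
    the remainder is encrypted."""
    if len(data) < SKIP:
        return data
    head, tail = data[:SKIP], data[SKIP:]
    ks = _keystream(key, len(tail))
    return head + bytes(a ^ b for a, b in zip(tail, ks))


# XOR with a keystream is its own inverse, so decryption is the same call.
decrypt_partial = encrypt_partial


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def triage(data: bytes, low: float = 6.0, high: float = 7.5) -> dict:
    """Forensic check: does this file look like plaintext up to SKIP and
    ciphertext after it? The thresholds are heuristics for this example."""
    head_h = shannon_entropy(data[:SKIP])
    tail_h = shannon_entropy(data[SKIP:])
    if len(data) < SKIP:
        verdict = "too small to have been encrypted by this scheme"
    elif head_h < low and tail_h > high:
        verdict = "partially encrypted: readable header, encrypted body"
    elif head_h > high and tail_h > high:
        verdict = "high entropy throughout (fully encrypted or compressed)"
    else:
        verdict = "no partial-encryption signature"
    return {"head_entropy": round(head_h, 3),
            "tail_entropy": round(tail_h, 3),
            "verdict": verdict}


# Constructed sample: a low-entropy log-style file well above the 8 KiB cut-off.
SAMPLE_LINE = b"2020-05-01T10:00:00Z host=srv01 user=alice action=login status=ok\n"
SAMPLE = SAMPLE_LINE * 400          # about 26 KB
DEMO_KEY = b"demo-key-not-real"     # placeholder key for the illustration


def demo() -> dict:
    """Encrypt the sample, confirm the first 8 KiB survive in the clear,
    confirm a correct decryptor round-trips it, and triage the result."""
    ct = encrypt_partial(SAMPLE, DEMO_KEY)
    return {
        "head_intact": ct[:SKIP] == SAMPLE[:SKIP],
        "roundtrip_ok": decrypt_partial(ct, DEMO_KEY) == SAMPLE,
        "triage": triage(ct),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The head/tail entropy split is the useful forensic takeaway: a file whose first 8 KiB parse normally but whose remainder is near 8 bits per byte is consistent with this scheme, whereas a conventional ransomware sample pushes the whole file to high entropy. The `roundtrip_ok` check is also what a cautious victim should run on a copy of a few files before trusting any attacker-supplied decryptor on the real data set.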
Organizations can take steps to prevent attacks of this kind, including protecting remote network access by placing RDP behind a virtual private network and requiring multi-factor authentication for all remote access. As with any ransomware threat, maintaining offline backups and running malware protection on both desktops and servers hardens defenses against attacks like ProLock. Up-to-date endpoint protection tools with EDR capability (such as Intercept X with EDR) can be effective in blunting and stopping the attack.
“Even under the best of circumstances it is hard to recover from a ransomware attack. But, ProLock’s unusual encryption scheme, coupled with a faulty decryptor provided by the attackers to victims who are willing to cooperate and pay the ransom, make recovery that much more difficult,” said Sean Gallagher, senior threat researcher at Sophos.
“The tactics used by ProLock are achingly familiar in the ransomware space: using RDP, phishing or third-party malware to gain remote access, and using native Windows tools to spread their malware. The use of weak steganography to conceal their code and of obfuscated PowerShell scripts to launch it makes detecting these kinds of attacks without strong malware protection difficult at best, and especially so in the midst of a pandemic. Companies have to take a hard look at how they deploy RDP and remote access. Simply adopting two-factor authentication for remote access and putting RDP sessions behind a virtual private network would significantly reduce the potential for attacks like these.”