Operators Behind ProLocker Ransomware Seek 'Big Game'Group-IB: Attackers Now Using Qbot Trojan and Demand Huge Ransoms
Since March, the operators behind ProLocker ransomware have focused on targeting large enterprise networks with ransomware demands sometimes exceeding $1 million, the security firm Group-IB reports.
See Also: Threat Briefing: Ransomware
The gang behind ProLocker has recently started to use the Qbot - or Qakbot - banking Trojan as a way to gain a foothold in a network and deliver crypto-locking ransomware to compromised devices, Group-IB says.
ProLocker started in late 2019 as another ransomware variant called PwndLocker. After anti-virus firm Emsisoft released a free decryptor tool in March, the operators revamped their malware within a few weeks and started targeting a new group of potential victims, according to Group-IB (see: PwndLocker: Free Decryptor Frees Crypto-Locked Data).
With the revamped ransomware, the ProLocker operators are now reportedly seeking ransoms of between 35 and 255 bitcoins, or $400,000 to $2.5 million, Group-IB says.
Average ransom payments are rising as groups such as ProLocker and Maze raise their demands, according to an analysis by security firm Coveware (see: Ransomware Payday: Average Payments Jump to $178,000).
"The emergence of ProLocker is a clear sign that the threat of ‘big game hunting’ continues to loom large," Oleg Skulkin and Semyon Rogachev, analysts with Group-IB, write in a report published Thursday. "The group’s use of Qakbot may be straight out of the enterprise ransomware playbook, but the approach remains effective."
Group-IB and others report that the gang behind ProLocker targeted Diebold Nixdorf, one of the largest makers of ATMs, in April (see: ATM Manufacturer Diebold Nixdorf Hit With Ransomware).
ProLocker and Qbot
Since it revitalized its ransomware, the ProLocker gang has mainly focused on targeting enterprise networks in North America and Europe, according to the Group-IB analysis.
The ransomware group is now deploying the Qbot Trojan as a way to gain initial access to a targeted victim's network and persist as they map the infrastructure, according to the report.
The Qbot Trojan, which has been used in numerous campaigns this year, has been paired with the Emotet botnet (see: Update: Emotet Botnet Delivering Qbot Banking Trojan).
The ProLocker gang delivers Qbot to targeted victims through phishing emails that contain either an attached malicious document or a link that uses zip archives with heavily obfuscated VBScripts to help hide the Trojan from security tools, according to the Group-IB report.
The researchers determined that the hackers can also hijack an email thread, which hides the phishing email within a group of messages that appear to come from a trusted source, making it more likely a user will click a link or open a file.
Once the malicious VBScript starts, the Qbot Trojan is downloaded to the compromised device. The malware collects information about the host device, including the IP address, hostname, domain and list of installed programs.
"Thanks to this information, the threat actor acquires a basic understanding of the network and can plan post-exploitation activities," the Group-IB analysts note.
The ProLocker gang uses other malicious tools, such as Bloodhound, which can collect additional data about a device or the network. The hackers also use Rclone, a legitimate command-line tool for managing files on cloud storage platforms, as a way to exfiltrate some data before the ransomware attack begins, the report notes.
Mapping a Network
ProLocker attackers spend about a month mapping a network before deploying the final ransomware payload and encrypting the files, researchers say.
Once the files are selected, the ransomware encrypts them with RC6 and RSA-1024 encryption algorithms. At that point, a ransom note is sent to the victim with instructions on how to pay, according to the report.
There have been reports that the decryptor key provided by the gang does not always work properly, but Group-IB notes that it could "neither confirm nor refute this" because none of its customers have had to pay the ransom.