PwndLocker ransomware recently emerged as ransomware threatening businesses with huge ransom demands. However, soon after its emergence, the cybersecurity community devised a way to break its encryption owing to a bug. While that made things seemingly easy, PwndLocker has now transformed into ProLock as it fixes that bug.
PwndLocker Turns Prolock Ransomware
Earlier this month, we reported about new ransomware, dubbed PwndLocker. This ransomware aimed at businesses and organizations with uniquely high ransom demands. While it looked nothing different from most other strains, its variable demand for ransom based on the target’s potential to pay segregated it from others.
However, it had a vulnerability which researchers were quick to spot and develop a decryptor. Hence, it potentially saved the victims from paying the ransom to recover the data.
Nonetheless, the malware developers have now fixed the bug that made decryption possible. And so, we now have the ProLock ransomware in the wild.
According to BleepingComputer, ProLock largely works in the same way as PwndLocker. However, it encrypts the files while adding the extension .proLock to the file name. Whereas, the high demand for ransom remains the same.
ProLock ransom note (Source: Bleeping Computer)
ProLock Active In The Wild
According to Sophos’ PeterM, ProLock is active in the wild and is distributed via BMP image files. The image opens correctly with the file viewer. However, it only appears black with some white dots.
New ransomware #ProLock using PowerShell to reflectively inject into memory from a ".BMP" picture file. The file has a BMP header, followed by a load of nulls then the ransomware code. The BMP does open correctly but is just black with some white dots. ".ProLock" extension. pic.twitter.com/ydJXoVoaIE
— PeterM (@AltShiftPrtScn) March 17, 2020
Though, it is presently unclear how the attackers manage to place this file on the target device.
they targeted a handful of servers. Not sure how they got in (yet) but I can see quite a few keygens and cracking tools on the network, probably just end up being an exposed RDP though 🙂
— PeterM (@AltShiftPrtScn) March 17, 2020
So, the ransomware again becomes a real threat for the businesses, with presently no alternate option to escape ransom payments. The only measure to combat such situations is to ensure a robust backup of the data.
Let us know your thoughts in the comments.
