ProLock ransomware – new report reveals the evolution of a threat


Level 6
Thread author
Oct 1, 2019
Let’s start at the very top of the ransomware dilemma.

Should you ever pay blackmail money to ransomware crooks?

As you can imagine, law enforcement and government bodies around the world reguarly say, “No! Please don’t, because it’s the regular payments that make the whole ransomware ecosystem work in the first place.”

Sure, in the 1990s, before anyone figured out how to make any real money out of malware, there were plenty of deeply destructive computer viruses that circulated widely and did huge amounts of damage.

It was often hard to figure out why anyone would write and deliberately disseminate malware back then, because those who were caught very often ended up serving prison sentences.

There were lots of possible reasons, of course: because virus writers had some sort of axe to grind with the world; because they wanted to make some sort of social or political statement; or simply because they could, and wanted to show off to their buddies in the cyberunderground.

Money didn’t really come into it at all back then, not least because there wasn’t a reliable way to extort money online and remain anonymous.

But malware in general, and ransomware in particular, doesn’t much follow that “anger at the world” path any more.

All about money
It’s almost all about money now – and as you are no doubt aware in the case of ransomware, the money demanded can be several million dollars per network attack.

So, if no one ever paid up, contemporary theory says that crooks would be much less inclined to bother attacking networks with ransomware in the first place.

That’s because most attacks require quite a lot of time and effort on the part of the crooks – this isn’t an after-hours hobby where hackers compare notes with underground chums, but a competitive cybercrime arena.

Ransomware gangs may take days or weeks to get their attack ready, for example by:

  • Hacking, phishing or buying access to the network to get a beachhead for their attack.
  • Acquiring domain administrator privileges so they have the same power as your own IT team.
  • Mapping out the network in detail to figure out what and where to attack.
  • Finding and eliminating online backups that could help in recovery.
  • Testing and tweaking various ransomware samples to find one that is most likely to work.
  • Reconfiguring network-wide security tools and settings to open up more of the network to attack.
  • Identifying system services to shut down to maximise the number of files that can be overwritten.
  • Stealing confidential company data from the network to increase their blackmail leverage.
Our own threat response team has even dealt with a ransomware victim where the criminals appear to have dug around in the IT department’s own email to find out what cyberinsurance arrangements the company had in place, and to gauge how high to pitch their ransom demand.

These crooks also downloaded personal contact data for key members in the IT team, and then placed a voice call (using a voice changer) to the IT manager to threaten him directly, reading out some of his personally identifiable information (PII) as proof that they had already exfiltrated corporate data.

We’ve also seen ransomware attacks where the criminals have emailed staff across the company to warn them that their own PII would be exposed to the world if the company didn’t pay up, urging the staff to contact their IT team to demand that payment be made – basically, turning the organisation against itself.