Unmasking ProLock: an analysis of the new ransomware operators' actions using the MITRE ATT&CK matrix
The success of ransomware attacks on organizations around the world is prompting more and more new attackers to "enter the game." One of these new players is the ProLock ransomware group. It appeared in March 2020 as a successor to the PwndLocker program, which began operating in late 2019. The ProLock ransomware attacks primarily target financial and medical organizations, government agencies, and the retail sector. Recently, ProLock operators successfully attacked one of the largest ATM manufacturers, Diebold Nixdorf.
In this post, Oleg Skulkin, a leading specialist at the Group-IB Computer Forensics Laboratory, describes the main tactics, techniques, and procedures (TTPs) used by ProLock operators. The article ends with a mapping to the MITRE ATT&CK matrix, a public knowledge base of the tactics and techniques used in targeted attacks by various cybercriminal groups.
Getting Initial Access
ProLock operators use two main vectors of primary compromise: the QakBot Trojan (Qbot) and unprotected RDP servers with weak passwords.
Compromise through an externally accessible RDP server is extremely popular with ransomware operators. Typically, attackers buy access to a compromised server from third parties, but it can also be obtained by members of the group on their own.
A more interesting primary compromise vector is the QakBot malware. Previously, this trojan was associated with another ransomware family, MegaCortex. Now, however, it is used by ProLock operators.
As a rule, QakBot is distributed through phishing campaigns. A phishing email may contain an attached Microsoft Office document or a link to such a file located in the cloud - for example, Microsoft OneDrive.
There are also cases where QakBot is downloaded by another trojan, Emotet, which is widely known for its role in campaigns that distributed the Ryuk ransomware.
After the infected document is downloaded and opened, the user is prompted to allow macros to run. If the user agrees, PowerShell is launched to download and run the QakBot payload from the command-and-control server.
It’s important to note that the same thing applies to ProLock: the payload is extracted from the BMP or JPG file and loaded into memory using PowerShell. In some cases, a scheduled task is used to start PowerShell.
Batch script that launches ProLock through the task scheduler:
schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr
schtasks.exe /RUN /tn WinMgr
del C:\Programdata\WinMgr.xml
del C:\Programdata\run.bat
Persistence
If the RDP server was compromised and access gained, existing accounts are used to maintain a foothold in the network. QakBot, for its part, has a variety of persistence mechanisms. Most often, this trojan uses the Run registry key and creates tasks in the Task Scheduler:
Securing Qakbot on a system using the Run registry key
In some cases, startup folders are also used: a shortcut pointing to the loader is placed there.
Through communication with the command-and-control server, QakBot periodically tries to update itself, so to avoid detection the malware can replace its current version with a new one. Executable files are signed with a compromised or forged signature. The initial payload downloaded by PowerShell is stored on the command-and-control server with a PNG extension. Moreover, after execution it is overwritten with the legitimate calc.exe.
Also, to hide malicious activity, QakBot injects code into processes, using explorer.exe for this purpose.
As already mentioned, the ProLock payload is hidden inside a BMP or JPG file. This too can be regarded as a defense-evasion technique.
QakBot has keylogger functionality. In addition, it can download and run additional scripts, for example Invoke-Mimikatz, the PowerShell version of the well-known Mimikatz utility. Cybercriminals can use such scripts to dump credentials.
After gaining access to privileged accounts, ProLock operators conduct network reconnaissance, which in particular may include port scanning and analysis of the Active Directory environment. In addition to various scripts, the cybercriminals use AdFind to gather information about Active Directory; it is another tool popular among ransomware groups.
Traditionally, one of the most popular ways to move laterally across a network is the Remote Desktop Protocol, and ProLock is no exception. The attackers even have scripts in their arsenal for gaining remote access to target hosts via RDP.
BAT-script for access via RDP:
For remote script execution, ProLock operators use another popular tool - the PsExec utility from the Sysinternals Suite.
ProLock is launched on hosts using WMIC, the command-line interface for working with the Windows Management Instrumentation subsystem. This tool is also gaining popularity among ransomware operators.
Like many other ransomware operators, the group using ProLock collects data from the compromised network to increase its chances of receiving a ransom. Before exfiltration, the collected data is archived with the 7-Zip utility.
To upload the data, ProLock operators use Rclone, a command-line tool designed to synchronize files with various cloud storage services such as OneDrive, Google Drive, and Mega. The attackers always rename the executable so that it looks like a legitimate system file.
Unlike their peers, ProLock operators still do not have their own website for publishing data stolen from companies that refused to pay the ransom.
Achieving the ultimate goal
After exfiltrating the data, the group deploys ProLock throughout the enterprise network. The binary is extracted from a file with a PNG or JPG extension using PowerShell and loaded into memory:
First of all, ProLock terminates the processes listed in its built-in list (interestingly, it compares only six letters of the process name, for example "winwor"), and stops services, including security-related ones such as CSFalconService (CrowdStrike Falcon), using the net stop command.
Then, as with many other ransomware families, the attackers use vssadmin to delete Windows shadow copies and limit their storage size so that no new copies are created:
vssadmin.exe delete shadows /all /quiet
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
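As an added example (not from the original article or from Group-IB), the following Python triage routine runs detection logic for the two deployment steps quoted above, the batch launcher that imports a scheduled task from an XML in C:\ProgramData and the vssadmin commands that delete shadow copies and cap their storage, over constructed process-creation events; the rule names, regexes, severity thresholds and host names are assumptions.

```python
import re

# Detection rules for the ProLock steps quoted above: a scheduled task imported
# from an XML under ProgramData and then run, and vssadmin deleting shadow copies
# or resizing shadow storage. Rule names and regexes are ours, not the article's.
RULES = {
    "schtasks_xml_from_programdata": re.compile(
        r"schtasks(?:\.exe)?\s+/create\s+/xml\s+\S*programdata\S*", re.I),
    "schtasks_run_named_task": re.compile(
        r"schtasks(?:\.exe)?\s+/run\s+/tn\s+\S+", re.I),
    "vssadmin_delete_shadows": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\b", re.I),
    "vssadmin_resize_shadowstorage": re.compile(
        r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*?/maxsize=", re.I),
}

def match_rules(cmdline):
    """Names of every rule the process command line matches (possibly none)."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def assess_host(counts):
    """Map per-host rule hits to (severity, ATT&CK technique). Thresholds assumed."""
    if "vssadmin_delete_shadows" in counts or "vssadmin_resize_shadowstorage" in counts:
        return ("high", "T1490 Inhibit System Recovery")
    if "schtasks_xml_from_programdata" in counts:
        return ("medium", "T1053 Scheduled Task")
    return ("none", "")

def triage(events):
    """events: iterable of (host, cmdline). Returns {host: (verdict, rule counts)}."""
    per_host = {}
    for host, cmdline in events:
        counts = per_host.setdefault(host, {})
        for rule in match_rules(cmdline):
            counts[rule] = counts.get(rule, 0) + 1
    return {host: (assess_host(c), c) for host, c in per_host.items()}

# Constructed process-creation events (not real telemetry): ws01 replays the
# article's command sequence, ws02 shows benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    ("ws01", r"schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr"),
    ("ws01", r"schtasks.exe /RUN /tn WinMgr"),
    ("ws01", r"vssadmin.exe delete shadows /all /quiet"),
    ("ws01", r"vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    ("ws01", r"vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded"),
    ("ws02", r"schtasks.exe /CREATE /XML C:\Windows\Temp\backup.xml /tn Backup"),
    ("ws02", r"vssadmin.exe list shadows"),
]
if __name__ == "__main__":
    for host, (verdict, counts) in triage(SAMPLE_EVENTS).items():
        print(host, verdict, counts)
```

In production the same rules would be fed from Sysmon event ID 1 or Windows Security event 4688 command lines rather than the inline list.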
ProLock adds the extension .proLock , .pr0Lock or .proL0ck to each encrypted file and places the [HOW TO RECOVER FILES].TXT file to each folder. This file contains instructions on how to decrypt the files, including a link to the site where the victim must enter a unique identifier and receive payment information:
Each instance of ProLock contains information about the ransom amount; in this case it is 35 bitcoins, which is approximately $312,000.
Many ransomware operators use similar methods to achieve their goals. At the same time, some techniques are unique to each group. The number of cybercriminal groups using ransomware in their campaigns keeps growing. In some cases the same operators take part in attacks with different ransomware families, so we will increasingly observe overlaps in the tactics, techniques, and procedures used.
Mapping to MITRE ATT&CK
| Tactic | Techniques |
|---|---|
| Initial Access (TA0001) | External Remote Services (T1133), Spearphishing Attachment (T1193), Spearphishing Link (T1192) |
| Execution (TA0002) | PowerShell (T1086), Scripting (T1064), User Execution (T1204), Windows Management Instrumentation (T1047) |
| Persistence (TA0003) | Registry Run Keys/Startup Folder (T1060), Scheduled Task (T1053), Valid Accounts (T1078) |
| Defense Evasion (TA0005) | Code Signing (T1116), Deobfuscate/Decode Files or Information (T1140), Disabling Security Tools (T1089), File Deletion (T1107), Masquerading (T1036), Process Injection (T1055) |
| Credential Access (TA0006) | Credential Dumping (T1003), Brute Force (T1110), Input Capture (T1056) |
| Discovery (TA0007) | Account Discovery (T1087), Domain Trust Discovery (T1482), File and Directory Discovery (T1083), Network Service Scanning (T1046), Network Share Discovery (T1135), Remote System Discovery (T1018) |
| Lateral Movement (TA0008) | Remote Desktop Protocol (T1076), Remote File Copy (T1105), Windows Admin Shares (T1077) |
| Collection (TA0009) | Data from Local System (T1005), Data from Network Shared Drive (T1039), Data Staged (T1074) |
| Command and Control (TA0011) | Commonly Used Port (T1043), Web Service (T1102) |
| Exfiltration (TA0010) | Data Compressed (T1002), Transfer Data to Cloud Account (T1537) |
| Impact (TA0040) | Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490) |