A new ransomware named ProLock is affecting various industries in the United States, and the FBI is warning companies and other interested parties that the attackers' decryptor does not work reliably and can cause data loss.
The FBI's policy has always been to resist the demands of hackers, and cybersecurity experts offer the same advice. There are a couple of good reasons for not paying the ransom. First, the money is likely to land in the hands of criminal organizations, which could include terrorists. Second, paying encourages the crime to continue.
There is a third reason, although it might not seem as important as the other two. There is always a chance that the hackers will take the money and never send the decryptor. Or, just as bad, the decryptor is poorly made and corrupts the encrypted data instead of restoring it.
The FBI issued a new alert regarding a newly surfaced ransomware named ProLock, which started out as PwndLocker. One of its last known targets is Diebold Nixdorf, a technology company in the financial sector.
"ProLock actors gain initial access to victim networks through phishing emails, Qakbot, improperly configured remote desktop protocol (RDP), and stolen login credentials for networks with single-factor authentication," says the FBI advisory. "After ProLock actors gain access to a victim's network, they map the network and identify backups, to include Volume Shadow Copies, for deletion and/or encryption."
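The backup-destruction step the advisory describes is something defenders can watch for in process-creation telemetry. The following is an added example, not code from the article or the FBI advisory: it scans constructed Sysmon-style log lines for commands that delete Volume Shadow Copies or backup catalogs, and then flags hosts where several such techniques fire within a short window. The log layout, hostnames, user names and the specific command-line patterns are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed process-creation events (Sysmon event 1 style); the lines and the key=value layout are invented here.
SAMPLE_EVENTS = [
    r"ts=2020-05-18T09:12:01 host=FS01 user=CORP\jdoe CommandLine=notepad.exe notes.txt",
    r"ts=2020-05-18T09:14:22 host=FS01 user=CORP\svc_backup CommandLine=vssadmin.exe delete shadows /all /quiet",
    r"ts=2020-05-18T09:14:23 host=FS01 user=CORP\svc_backup CommandLine=wmic shadowcopy delete",
    r"ts=2020-05-18T09:14:25 host=FS01 user=CORP\svc_backup CommandLine=vssadmin.exe list shadows",
    r"ts=2020-05-18T09:15:40 host=FS01 user=CORP\svc_backup CommandLine=wbadmin delete catalog -quiet",
    r"ts=2020-05-18T10:02:11 host=WS07 user=CORP\amy CommandLine=wmic shadowcopy delete",
]

# Command lines that destroy local backups / Volume Shadow Copies (MITRE ATT&CK T1490, "Inhibit System Recovery").
# Merely listing shadow copies is routine administration and is deliberately not matched.
BACKUP_DESTRUCTION = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "vssadmin delete shadows"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "wmic shadowcopy delete"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I), "wbadmin delete catalog"),
]
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # key=value pairs; the last value may contain spaces

def parse_event(line):
    """Turn one 'key=value key=value ...' line into a dict (CommandLine keeps its spaces)."""
    return dict(FIELD_RE.findall(line))

def detect_backup_destruction(lines):
    """Return one alert per event whose command line matches a destruction pattern."""
    alerts = []
    for ev in map(parse_event, lines):
        cmd = ev.get("CommandLine", "")
        rule = next((name for pat, name in BACKUP_DESTRUCTION if pat.search(cmd)), None)
        if rule:
            alerts.append({"ts": ev.get("ts", "?"), "host": ev.get("host", "?"),
                           "user": ev.get("user", "?"), "rule": rule, "command": cmd})
    return alerts

def hosts_with_staging(alerts, window_minutes=10):
    """Hosts where two or more distinct destruction techniques fire inside window_minutes: pre-encryption staging."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    staged = []
    for host, hits in by_host.items():
        times = [datetime.fromisoformat(h["ts"]) for h in hits]
        minutes = (max(times) - min(times)).total_seconds() / 60
        if len({h["rule"] for h in hits}) >= 2 and minutes <= window_minutes:
            staged.append(host)
    return sorted(staged)
```

On the constructed sample, FS01 produces three distinct alerts within about a minute and is reported as staging, while the single hit on WS07 is alerted but not escalated.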
The FBI also explains that the decryption key or "decryptor" provided by the attackers upon payment of the ransom has not routinely executed correctly. The decryptor could corrupt files larger than 64MB and may result in file integrity loss of approximately 1 byte per 1KB over 100MB.
Like the Sodinokibi (REvil) and Maze operators, ProLock actors also look to copy information from the network and exfiltrate data before encryption. Stolen data could be used to blackmail the companies into paying the ransom, sold on the dark web, or both.