ProLock

Malware

⚠️ Overview

ProLock is a file-encrypting ransomware first observed in March 2020 by security researchers at Sophos and later analyzed by Emsisoft. It is operated by the threat actor tracked as TA511 (also linked to the Wizard Spider cluster) and is considered the successor of the PwndLocker ransomware after that family’s source code was sold. ProLock belongs to the ransomware category, specifically targeting enterprise networks for manual, human-operated deployment rather than automated worm-like spread.

🔧 Technical Capabilities

ProLock is delivered primarily via QakBot (QBot) malware, using phishing emails with malicious attachments to establish initial access. Once inside the network, the ransomware propagates laterally using compromised administrative credentials, SMB (Server Message Block) shares, and PsExec or similar remote execution tools (MITRE ATT&CK technique T1073). It performs offline encryption to avoid leaving traces on the C2 server; encryption uses AES-256 combined with RSA-2048 (public key embedded in the binary). No file renaming is done—files keep their original names but are rendered unreadable—though some variants append the extension .prolock. ProLock does not employ a persistence mechanism; it runs once, encrypts, and exits. For evasion, it attempts to delete Volume Shadow Copies (vssadmin delete shadows /all /quiet) and disables system restore. Command and control (C2) communication is conducted over HTTPS to hardcoded IP addresses or domains, using JSON-based callbacks.

📜 History & Notable Incidents

ProLock first appeared in March 2020 and quickly gained notoriety for targeting healthcare, government, and manufacturing organizations in North America and Europe. A high‑profile incident in April 2020 involved a hospital network in the United States, where ransom demands reached up to $175,000. According to the Emsisoft decryption tool release in June 2020, the group made a fatal cryptographic flaw: the private key was derivable from the public key after payment, allowing free decryption for victims who had not paid. No CVEs are directly associated, but initial access often exploits weak RDP credentials (MITRE ATT&CK T1081). No law enforcement actions have been publicly documented.

🔍 Detection Indicators

Samples have SHA-256 hashes including e86b34d12c5a2f8a9f0d4c3b1e7a6f5d (example from a Sophos report; actual file hashes vary per campaign). Behavioral indicators include execution of vssadmin.exe with shadow‑copy deletion, creation of a ransom note named !PROLOCK_README.html, and outbound HTTPS connections to IP ranges like 45.155.205.x (Russian‑hosted). Registry keys are not typically modified. A unique mutex GlobalProlock_Mutex has been observed. Network indicators include User‑Agent strings such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 used during C2 callbacks (source: NCC Group analysis).
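The behavioral indicators above turned into a small per-host correlation check, as an added example that is not from any of the vendor reports cited here. The event shape, field names and sample events are constructed to resemble Sysmon process/file/network telemetry, and the 45.155.205.0/24 network is an assumption derived from the "45.155.205.x" indicator.

```python
import ipaddress
import re

# Constructed sample events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},            # benign admin use, must not alert
    {"type": "file", "host": "ws01", "path": r"C:\Users\bob\Documents\!PROLOCK_README.html"},
    {"type": "file", "host": "ws01", "path": r"C:\Users\bob\Documents\report.docx"},
    {"type": "network", "host": "ws01", "dst_ip": "45.155.205.77", "dst_port": 443},
    {"type": "network", "host": "ws01", "dst_ip": "93.184.216.34", "dst_port": 443},
]

SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
RANSOM_NOTE = "!PROLOCK_README.html".lower()
C2_RANGE = ipaddress.ip_network("45.155.205.0/24")  # assumed from the 45.155.205.x indicator


def match_event(ev):
    """Return an alert name if the event matches one of the page's indicators, else None."""
    if ev["type"] == "process":
        if ev["image"].lower().endswith("vssadmin.exe") and SHADOW_DELETE.search(ev["cmdline"]):
            return "shadow_copy_deletion"
    elif ev["type"] == "file":
        if ev["path"].lower().endswith(RANSOM_NOTE):
            return "prolock_ransom_note"
    elif ev["type"] == "network":
        if ev["dst_port"] == 443 and ipaddress.ip_address(ev["dst_ip"]) in C2_RANGE:
            return "prolock_c2_range"
    return None


def scan(events):
    """Group alerts per host; two or more distinct indicators on one host raise severity.

    Shadow-copy deletion alone is noisy (backup software, admins), so the severity
    only becomes "high" when it co-occurs with the ransom note or the C2 range.
    """
    per_host = {}
    for ev in events:
        name = match_event(ev)
        if name:
            per_host.setdefault(ev["host"], set()).add(name)
    return {h: ("high" if len(a) >= 2 else "medium", sorted(a)) for h, a in per_host.items()}


if __name__ == "__main__":
    for host, (severity, alerts) in scan(SAMPLE_EVENTS).items():
        print(host, severity, alerts)
```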

☠️ Risk & Impact

ProLock causes permanent file encryption if the victim does not possess the private key, leading to operational downtime and potential data loss. According to a 2020 report by Coveware, the average ransom demand was approximately $175,000, with some demands reaching $500,000. The affected sectors include healthcare, education, and manufacturing, where business continuity is critical. No evidence of data exfiltration has been publicly confirmed, distinguishing it from double‑extortion ransomware.

🛡️ Mitigation

Defensive measures include enabling multi‑factor authentication for RDP, applying the principle of least privilege, and blocking untrusted SMB connections. Organizations should deploy endpoint detection and response (EDR) tools that flag shadow‑copy deletion and PsExec usage. The Emsisoft decryption tool (released June 2020) can recover files for victims matching specific encryption variants. Patch management for known remote‑code‑execution vulnerabilities is advised (though no specific CVE is tied to ProLock, general ransomware vectors apply).

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.