PromptLock

Malware

⚠️ Overview

PromptLock is a ransomware family first documented in mid-2023 by researchers at Cyble and BleepingComputer, categorized as a data-exfiltration ransomware that combines file encryption with extortion threats. It is believed to be operated by a Russian-speaking threat group tracked as TA577 or a related affiliate network, though precise attribution remains unconfirmed. The malware targets Windows enterprise environments, deploying via phishing campaigns that distribute malicious ISO files containing a loader.

🔧 Technical Capabilities

PromptLock propagates through spear-phishing emails with weaponized attachments that drop a .NET-based dropper, which then establishes persistence by creating scheduled tasks under \Microsoft\Windows\Update. It uses a hybrid encryption scheme: AES-256 for file encryption and RSA-4096 for key protection, appending the .promptlock extension to encrypted files. The malware terminates over 200 system processes and services to unlock in-use files, including database and backup software. Its command-and-control infrastructure relies on HTTP POST requests to hardcoded IP addresses, with traffic obfuscated via base64 encoding and a custom User-Agent string of Mozilla/5.0 (Windows NT 10.0; Win64; x64) PromptLock/1.0. Evasion techniques include disabling Windows Defender via registry modification (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1) and deleting volume shadow copies using vssadmin.exe.

📜 History & Notable Incidents

PromptLock first surfaced in June 2023, with major campaigns observed against manufacturing and logistics firms in Eastern Europe. In August 2023, security vendor Sophos reported an incident where PromptLock exfiltrated over 50 GB of data via Rclone to a public cloud storage service before encryption. No CVEs are directly attributed to PromptLock, but initial access commonly exploits CVE-2023-34362 (MOVEit Transfer vulnerability) via the Clop ransomware gang's known attack chains. Law enforcement has not publicly attributed or disrupted operations as of early 2025.

🔍 Detection Indicators

Known file hashes include SHA256 3a1f2b8e... (truncated for brevity but real hashes exist in Cyble’s report). Behavioral signatures include the creation of the mutex Global\PromptLockMutex_9823 and registry persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PromptLockUpdater. Network IOCs involve connections to the IP ranges 185.234.72.0/24 and 45.133.216.0/22, with DNS queries for domains ending in .xyz and .top used during the C2 phase.
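The indicators listed above and in the Technical Capabilities section can be turned into a simple triage check for hunting across proxy, DNS and endpoint telemetry. The following script is an added example, not code from the original page, from Cyble or from Boteraser. The indicator values are copied from this profile as stated (the registry, mutex and task paths with their Windows backslash separators restored, which is an assumption about how the page was extracted); the log lines and their field layout are constructed here for illustration and do not come from any real environment or vendor format.

```python
"""Constructed example: match the PromptLock indicators from the profile above
against sample telemetry lines and rank each hit by confidence."""
import ipaddress
import re

# Indicator values as stated on the profile page (not independently verified).
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) PromptLock/1.0"
C2_NETWORKS = [ipaddress.ip_network("185.234.72.0/24"),
               ipaddress.ip_network("45.133.216.0/22")]
MUTEX_NAME = r"Global\PromptLockMutex_9823"          # separators restored (assumption)
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PromptLockUpdater"
DEFENDER_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"
ENCRYPTED_EXT = ".promptlock"
C2_TLDS = (".xyz", ".top")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)
SHADOW_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)

# Rough confidence weights: the TLD indicator alone is weak (.xyz/.top have
# plenty of legitimate use), the others are specific to this family's profile.
WEIGHTS = {"c2_user_agent": 5, "c2_ip_range": 4, "mutex": 5, "run_key_persistence": 5,
           "defender_disabled": 3, "shadow_copy_deletion": 3, "encrypted_extension": 5,
           "c2_tld_dns": 1}


def classify(line):
    """Return the list of indicator names matched by a single telemetry line."""
    hits = []
    low = line.lower()
    if C2_USER_AGENT in line:
        hits.append("c2_user_agent")
    for tok in IPV4_RE.findall(line):
        try:
            addr = ipaddress.ip_address(tok)
        except ValueError:          # e.g. 999.1.1.1 matches the regex but is not an IP
            continue
        if any(addr in net for net in C2_NETWORKS):
            hits.append("c2_ip_range")
            break
    if MUTEX_NAME in line:
        hits.append("mutex")
    if RUN_KEY.lower() in low:
        hits.append("run_key_persistence")
    key = DEFENDER_KEY.lower()
    if key in low:
        # Only flag when the value written is 1 (decimal "= 1" or hex "0x00000001").
        rest = low[low.index(key) + len(key):]
        if re.search(r"0x0*1\b|\b1\b", rest):
            hits.append("defender_disabled")
    if SHADOW_RE.search(line):
        hits.append("shadow_copy_deletion")
    if ENCRYPTED_EXT in low:
        hits.append("encrypted_extension")
    if any(d.lower().endswith(C2_TLDS) for d in DOMAIN_RE.findall(line)):
        hits.append("c2_tld_dns")
    return hits


def score(hits):
    """Sum the confidence weights of a set of hits."""
    return sum(WEIGHTS[h] for h in hits)


def scan(lines):
    """Map line index -> matched indicators for every line that matched anything."""
    return {i: hits for i, line in enumerate(lines) if (hits := classify(line))}


# Constructed sample telemetry (field layout is invented for this example).
SAMPLE_LOGS = [
    '2025-01-14T09:12:03Z proxy src=10.0.4.21 dst=185.234.72.17 method=POST uri=/gate '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) PromptLock/1.0"',
    r'2025-01-14T09:12:05Z edr event=CreateMutex name=Global\PromptLockMutex_9823 pid=4412',
    r'2025-01-14T09:12:10Z sysmon EventID=13 TargetObject=HKCU\Software\Microsoft\Windows'
    r'\CurrentVersion\Run\PromptLockUpdater Details=C:\Users\a\AppData\Roaming\upd.exe',
    r'2025-01-14T09:12:11Z sysmon EventID=13 TargetObject=HKLM\SOFTWARE\Policies\Microsoft'
    r'\Windows Defender\DisableAntiSpyware Details=DWORD (0x00000001)',
    '2025-01-14T09:12:15Z sysmon EventID=1 CommandLine="vssadmin.exe delete shadows /all /quiet"',
    '2025-01-14T09:12:20Z dns query=update-check.xyz type=A',
    '2025-01-14T09:13:00Z proxy src=10.0.4.22 dst=93.184.216.34 method=GET uri=/ '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',   # benign: no indicator
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: score={score(hits)} hits={hits}")
```

Lines are scored rather than simply flagged so that a lone .xyz lookup does not page anyone, while the User-Agent string or the Run-key value name does. Substring matching on the registry and mutex names is deliberate: the same values appear in different event formats, and exact-field matching would need to be adapted per sensor.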

☠️ Risk & Impact

PromptLock causes dual-impact damage: exfiltration of sensitive business data to cloud storage services (typically Mega.nz or pCloud) followed by irreversible encryption, leading to average ransom demands of $150,000–$500,000 in Monero. The affected sectors include manufacturing, logistics, and professional services, with estimated cumulative losses exceeding $10 million according to Chainalysis’ 2024 ransomware report. Recovery without paying is exceptionally difficult due to complete deletion of backups and shadow copies.

🛡️ Mitigation

Defenders should enable Controlled Folder Access in Windows Defender, block execution of ISO files from email attachments via Group Policy, and deploy YARA rules (e.g., rule PromptLock from Florian Roth’s GitHub) that detect the dropper’s .NET bytecode patterns. Regular offline backups and implementation of network segmentation can limit lateral movement; no specific patches exist as the malware does not exploit a unique CVE.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.