win.pwndlocker

PwndLocker

aka: ProLock

PwndLocker is a ransomware that was observed in late 2019 and is reported to have been used to target businesses and local governments/cities. According to one source, ransom amounts demanded as part of PwndLocker activity range from $175k USD to $650k USD depending on the size of the network. PwndLocker attempts to disable a variety of Windows services so that the data those services hold can be encrypted. Various processes are also targeted, such as web browsers and software related to security, backups, and databases. Shadow copies are deleted by the ransomware, and file encryption begins once the system has been prepared in this way. Executable files and files that are likely to be needed for the system to keep functioning appear to be skipped by the ransomware, and a large number of folders, mostly related to Microsoft Windows system files, are also ignored. As of March 2020, encrypted files have been observed with the added extensions .key and .pwnd. Ransom notes are dropped in folders where encrypted files are found and also on the user's desktop.

References
2020-12-15 | Hornetsecurity | Hornetsecurity Security Lab
@online{lab:20201215:qakbot:9397167, author = {Hornetsecurity Security Lab}, title = {{QakBot reducing its on disk artifacts}}, date = {2020-12-15}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/}, language = {English}, urldate = {2020-12-16} } QakBot reducing its on disk artifacts
Egregor PwndLocker QakBot
2020-11-27 | Fiducia & GAD IT AG | Frank Boldewin
@techreport{boldewin:20201127:when:9697611, author = {Frank Boldewin}, title = {{When ransomware hits an ATM giant - The Diebold Nixdorf case dissected}}, date = {2020-11-27}, institution = {Fiducia & GAD IT AG}, url = {https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf}, language = {English}, urldate = {2020-12-01} } When ransomware hits an ATM giant - The Diebold Nixdorf case dissected
PwndLocker QakBot
2020-11-20 | ZDNet | Catalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-12 | Intrinsec | Jean Bichet
@online{bichet:20201112:egregor:1ac0eb1, author = {Jean Bichet}, title = {{Egregor – Prolock: Fraternal Twins ?}}, date = {2020-11-12}, organization = {Intrinsec}, url = {https://www.intrinsec.com/egregor-prolock/}, language = {English}, urldate = {2020-11-23} } Egregor – Prolock: Fraternal Twins ?
Egregor PwndLocker QakBot
2020-11-02 | One Night in Norfolk | Kevin Perlow
@online{perlow:20201102:tinypos:876ddb3, author = {Kevin Perlow}, title = {{TinyPOS and ProLocker: An Odd Relationship}}, date = {2020-11-02}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/}, language = {English}, urldate = {2020-11-09} } TinyPOS and ProLocker: An Odd Relationship
AbaddonPOS PwndLocker
2020-09-10 | Group-IB | Oleg Skulkin, Semyon Rogachev
@online{skulkin:20200910:lock:a6f630a, author = {Oleg Skulkin and Semyon Rogachev}, title = {{Lock Like a Pro: Dive in Recent ProLock's Big Game Hunting}}, date = {2020-09-10}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/prolock_evolution}, language = {English}, urldate = {2020-09-15} } Lock Like a Pro: Dive in Recent ProLock's Big Game Hunting
PwndLocker QakBot
2020-07-27 | Sophos Labs | Sean Gallagher
@online{gallagher:20200727:prolock:4992cfc, author = {Sean Gallagher}, title = {{ProLock ransomware gives you the first 8 kilobytes of decryption for free}}, date = {2020-07-27}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/07/27/prolock-ransomware-gives-you-the-first-8-kilobytes-of-decryption-for-free/}, language = {English}, urldate = {2020-07-30} } ProLock ransomware gives you the first 8 kilobytes of decryption for free
PwndLocker
2020-06-16 | Hornetsecurity | Security Lab
@online{lab:20200616:qakbot:0353100, author = {Security Lab}, title = {{QakBot malspam leading to ProLock: Nothing personal just business}}, date = {2020-06-16}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/}, language = {English}, urldate = {2020-07-01} } QakBot malspam leading to ProLock: Nothing personal just business
PwndLocker QakBot
2020-05-18 | ZDNet | Catalin Cimpanu
@online{cimpanu:20200518:fbi:54e14c9, author = {Catalin Cimpanu}, title = {{FBI: ProLock ransomware gains access to victim networks via Qakbot infections}}, date = {2020-05-18}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/}, language = {English}, urldate = {2020-05-18} } FBI: ProLock ransomware gains access to victim networks via Qakbot infections
PwndLocker
2020-05-14 | Group-IB | Oleg Skulkin
@online{skulkin:20200514:attcking:6b770ce, author = {Oleg Skulkin}, title = {{ATT&CKing ProLock Ransomware}}, date = {2020-05-14}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/prolock}, language = {English}, urldate = {2020-05-18} } ATT&CKing ProLock Ransomware
PwndLocker
2020-05-11 | soolidsnake
@online{soolidsnake:20200511:prolock:18caa16, author = {soolidsnake}, title = {{ProLock malware analysis}}, date = {2020-05-11}, url = {https://soolidsnake.github.io/2020/05/11/Prolock_ransomware.html}, language = {English}, urldate = {2020-05-26} } ProLock malware analysis
PwndLocker
2020-03-23 | Cert-Pa | Cert-PA
@online{certpa:20200323:pwndlocker:3607042, author = {Cert-PA}, title = {{PwndLocker si rinnova in ProLock Ransomware}}, date = {2020-03-23}, organization = {Cert-Pa}, url = {https://www.cert-pa.it/notizie/pwndlocker-si-rinnova-in-prolock-ransomware/}, language = {Italian}, urldate = {2020-03-25} } PwndLocker si rinnova in ProLock Ransomware
PwndLocker
2020-03-05 | Bleeping Computer | Lawrence Abrams
@online{abrams:20200305:pwndlocker:d9b200a, author = {Lawrence Abrams}, title = {{PwndLocker Ransomware Gets Pwned: Decryption Now Available}}, date = {2020-03-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/}, language = {English}, urldate = {2020-03-05} } PwndLocker Ransomware Gets Pwned: Decryption Now Available
PwndLocker
2020-03-02 | IT Klinika | unknown
@online{unknown:20200302:panja:709f641, author = {unknown}, title = {{Pažnja: Novi opasni ransomware pwndLocker i u Srbiji!}}, date = {2020-03-02}, organization = {IT Klinika}, url = {https://www.it-klinika.rs/blog/paznja-novi-opasni-ransomware-pwndlocker-i-u-srbiji}, language = {Serbo-Croatian}, urldate = {2020-03-03} } Pažnja: Novi opasni ransomware pwndLocker i u Srbiji!
PwndLocker
2020-03-02 | Bleeping Computer | Lawrence Abrams
@online{abrams:20200302:new:e4cb07c, author = {Lawrence Abrams}, title = {{New PwndLocker Ransomware Targeting U.S. Cities, Enterprises}}, date = {2020-03-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/}, language = {English}, urldate = {2020-03-02} } New PwndLocker Ransomware Targeting U.S. Cities, Enterprises
PwndLocker
2019-10-23 | ID Ransomware | Andrew Ivanov
@online{ivanov:20191023:pwndlocker:d776ac5, author = {Andrew Ivanov}, title = {{PwndLocker Ransomware}}, date = {2019-10-23}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/10/pwndlocker-ransomware.html}, language = {Russian}, urldate = {2020-03-03} } PwndLocker Ransomware
PwndLocker
Yara Rules
[TLP:WHITE] win_pwndlocker_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_pwndlocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwndlocker"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): going by the disassembly listed next to each string, the ten
     * sequences describe only two code constructs, and several sequences are
     * sub- or super-strings of one another ($sequence_2 is contained in
     * $sequence_5, $sequence_7 in $sequence_3, $sequence_4 in $sequence_6,
     * $sequence_8 and $sequence_9 overlap):
     *   - $sequence_3/4/6/7/8/9: a loop that reads one byte at a time from a
     *     NUL-terminated string (lodsb / test al,al / je) and folds it with
     *     ror 0xd + add, then compares the accumulator with [ebp-0x10]. This is
     *     consistent with ROR-13 name hashing as used for API resolution --
     *     an inference from the listed instructions, to be confirmed in a sample.
     *   - $sequence_0/1/2/5: indexed reads through [edx+0x24] (word-sized,
     *     ecx*2) and [edx+0x1c] (dword-sized, eax*4), each rebased by ebx. The
     *     offsets and element sizes match IMAGE_EXPORT_DIRECTORY
     *     .AddressOfNameOrdinals / .AddressOfFunctions, i.e. an export-table
     *     walk (same caveat).
     * Because of the overlap, "7 of them" can be satisfied by those two
     * constructs alone, and both are generic code that other loaders and
     * shellcode also contain. Treat a hit as a low-confidence family indicator:
     * corroborate it with win_pwndlocker_w0 or with sample analysis before
     * attributing to PwndLocker/ProLock.
     */

    strings:
        // Backward walk over a dword pointer table (likely the export name
        // table) -- presumably part of the export-directory walk; confirm.
        $sequence_0 = { e334 49 8d348a 8b36 01de }
            // n = 5, score = 300
            //   e334                 | jecxz               0x36
            //   49                   | dec                 ecx
            //   8d348a               | lea                 esi, [edx + ecx*4]
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   01de                 | add                 esi, ebx

        // Ordinal (word at +0x24 table) -> function RVA (dword at +0x1c table)
        // lookup; $sequence_2 and $sequence_5 are shorter/longer cuts of the
        // same instruction run.
        $sequence_1 = { 8b7224 01de 31c0 668b044e 8b721c 01de }
            // n = 6, score = 300
            //   8b7224               | mov                 esi, dword ptr [edx + 0x24]
            //   01de                 | add                 esi, ebx
            //   31c0                 | xor                 eax, eax
            //   668b044e             | mov                 ax, word ptr [esi + ecx*2]
            //   8b721c               | mov                 esi, dword ptr [edx + 0x1c]
            //   01de                 | add                 esi, ebx

        $sequence_2 = { 668b044e 8b721c 01de 8b0486 }
            // n = 4, score = 300
            //   668b044e             | mov                 ax, word ptr [esi + ecx*2]
            //   8b721c               | mov                 esi, dword ptr [edx + 0x1c]
            //   01de                 | add                 esi, ebx
            //   8b0486               | mov                 eax, dword ptr [esi + eax*4]

        // Tail of the hash loop: rotate/add, loop back, compare the result with
        // the wanted value at [ebp-0x10]; $sequence_7 is a prefix of this.
        $sequence_3 = { c1cf0d 01c7 ebf4 3b7df0 75e0 5a }
            // n = 6, score = 300
            //   c1cf0d               | ror                 edi, 0xd
            //   01c7                 | add                 edi, eax
            //   ebf4                 | jmp                 0xfffffff6
            //   3b7df0               | cmp                 edi, dword ptr [ebp - 0x10]
            //   75e0                 | jne                 0xffffffe2
            //   5a                   | pop                 edx

        // Head of the hash loop: clear accumulator, read bytes until NUL.
        // $sequence_6, $sequence_8 and $sequence_9 are overlapping cuts of
        // the same loop.
        $sequence_4 = { 31c0 fc ac 84c0 7407 }
            // n = 5, score = 300
            //   31c0                 | xor                 eax, eax
            //   fc                   | cld                 
            //   ac                   | lodsb               al, byte ptr [esi]
            //   84c0                 | test                al, al
            //   7407                 | je                  9

        $sequence_5 = { 31c0 668b044e 8b721c 01de 8b0486 }
            // n = 5, score = 300
            //   31c0                 | xor                 eax, eax
            //   668b044e             | mov                 ax, word ptr [esi + ecx*2]
            //   8b721c               | mov                 esi, dword ptr [edx + 0x1c]
            //   01de                 | add                 esi, ebx
            //   8b0486               | mov                 eax, dword ptr [esi + eax*4]

        $sequence_6 = { 31ff 31c0 fc ac 84c0 7407 }
            // n = 6, score = 300
            //   31ff                 | xor                 edi, edi
            //   31c0                 | xor                 eax, eax
            //   fc                   | cld                 
            //   ac                   | lodsb               al, byte ptr [esi]
            //   84c0                 | test                al, al
            //   7407                 | je                  9

        $sequence_7 = { c1cf0d 01c7 ebf4 3b7df0 }
            // n = 4, score = 300
            //   c1cf0d               | ror                 edi, 0xd
            //   01c7                 | add                 edi, eax
            //   ebf4                 | jmp                 0xfffffff6
            //   3b7df0               | cmp                 edi, dword ptr [ebp - 0x10]

        $sequence_8 = { fc ac 84c0 7407 c1cf0d 01c7 ebf4 }
            // n = 7, score = 300
            //   fc                   | cld                 
            //   ac                   | lodsb               al, byte ptr [esi]
            //   84c0                 | test                al, al
            //   7407                 | je                  9
            //   c1cf0d               | ror                 edi, 0xd
            //   01c7                 | add                 edi, eax
            //   ebf4                 | jmp                 0xfffffff6

        $sequence_9 = { 31c0 fc ac 84c0 7407 c1cf0d 01c7 }
            // n = 7, score = 300
            //   31c0                 | xor                 eax, eax
            //   fc                   | cld                 
            //   ac                   | lodsb               al, byte ptr [esi]
            //   84c0                 | test                al, al
            //   7407                 | je                  9
            //   c1cf0d               | ror                 edi, 0xd
            //   01c7                 | add                 edi, eax

    condition:
        // The size bound limits the rule to small files, in line with the
        // memory dumps / unpacked files the sequences were taken from (see the
        // disclaimer above); larger packed builds or carrier files will not hit.
        7 of them and filesize < 65536
}
[TLP:WHITE] win_pwndlocker_w0   (20200518 | Detects Prolock malware in encrypted and decrypted mode)
rule win_pwndlocker_w0 {
    meta:
        author = "Frank Boldewin (@r3c0nst)"
        description = "Detects Prolock malware in encrypted and decrypted mode"
        reference = "https://raw.githubusercontent.com/fboldewin/YARA-rules/master/Prolock.Malware.yar"
        date = "2020-05-17"
        hash = "a6ded68af5a6e5cc8c1adee029347ec72da3b10a439d98f79f4b15801abd7af0"
        hash = "dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwndlocker"
        malpedia_version = "20200518"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Code bytes of the routine that decrypts the embedded stage (four
        // wildcarded bytes for the immediate operand). The condition accepts
        // this string on its own, so it carries the "encrypted mode" detection.
        $DecryptionRoutine = {01 C2 31 DB B8 ?? ?? ?? ?? 31 04 1A 81 3C 1A}

        // Plaintext artifacts (contact address, ransom-note text, onion
        // service); by their names these are only expected once the payload is
        // decrypted. nocase widens matching to any letter case; ascii only,
        // so wide (UTF-16) copies of these strings are not covered.
        $DecryptedString1 = "support981723721@protonmail.com" nocase ascii
        $DecryptedString2 = "Your files have been encrypted by ProLock Ransomware" nocase ascii
        $DecryptedString3 = "msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion" nocase ascii

        // Code bytes around the constants used by the crypto routine; required
        // together with one of the plaintext strings in "decrypted mode".
        $CryptoCode = {B8 63 51 E1 B7 31 D2 8D BE ?? ?? ?? ?? B9 63 51 E1 B7 81 C1 B9 79 37 9E}

    condition:
        // Little-endian magic at offset 0: 0x5A4D is "MZ" (PE image),
        // 0x4D42 is "BM" (bitmap file header) -- so the rule also scans
        // non-PE carrier files, presumably the "encrypted mode" of the
        // description.
        ((uint16(0) == 0x5A4D) or (uint16(0) == 0x4D42))
        and filesize < 100KB
        and (
            // either the decryption routine alone ...
            ($DecryptionRoutine)
            // ... or a decrypted artifact plus the crypto code
            or (1 of ($DecryptedString*) and $CryptoCode)
        )
}