Wednesday, July 29, 2020

The Evolution of ProLock Ransomware

The report published by SophosLabs regarding a strain of ransomware called ProLock is an interesting piece not because of its implementation but due to its evolution. Let’s take a look at the very top of this ransomware predicament.
Should you pay ransom for the data held hostage by cybercriminals?
Government bodies and law enforcement agencies in all parts of the world will say no, because if you do, you’re contributing to the growth of the ransomware network.
Sure, back in the 1990s, when people didn’t know how to make any real money from malware, there were a lot of damaging computer viruses that spread widely and wreaked havoc.
It was difficult to determine why anyone would create and disseminate malware during that time, because people who were caught were sent to prison. There were several possible explanations: virus writers had something against the world, they wanted to make a political or social statement, or they simply wanted to show off.
Money didn’t matter during that time, not least since there wasn’t any dependable method to extort money through the web while remaining anonymous. But generally speaking, malware and ransomware no longer follow the path of “anger at the world.”

Ransomware: It’s All About The Money

Nowadays, it’s almost always about the money, and in the case of ransomware the money being demanded can run to millions of dollars per network attack. So, if nobody ever paid up, modern theory says that cybercriminals would be less inclined to attack networks with ransomware.
That’s because this kind of attack needs a lot of time and effort on the part of the cybercriminals. This is not an after-hours hobby in which hackers compare notes with some underground chums. It is a very competitive cybercrime world.
Ransomware gangs may take days and even weeks to prepare their attack by:
  • Buying access, phishing, or hacking the network so they could acquire a beachhead for their cyberattack.
  • Obtaining domain administrator privileges so that they have the same power as your IT team.
  • Mapping out your network in detail to determine what and where to attack.
  • Locating and getting rid of online backups that may assist in recovery.
  • Testing and changing various ransomware samples to determine the one that will most likely work.
  • Reconfiguring the security tools and settings of the network so it will be more open to attack.
  • Figuring out system services to close down in order to maximize the number of files that could be overwritten.
  • Taking confidential company information from the network to boost their blackmail leverage.

IT experts have dealt with a ransomware victim where the criminals seem to have dug around in the IT department’s email to determine the company’s cyberinsurance arrangements and to evaluate how high they could pitch the ransom.
The cybercriminals had downloaded personal information about important members of the IT team and then placed a voice call to the IT manager so they could threaten him directly, reading out some of his personal data to prove that they now had access to the corporate data.
There are also ransomware attacks wherein the criminals have sent emails to the staff across the firm to warn them that their own personal identifiable information will be exposed to the rest of the world if the company doesn’t pay up, encouraging the staff to get in touch with their IT team and demand that they pay the ransom.
What if paying up doesn’t work?
What if paying up does not work? What if it has placed you under a worse position?
That’s an issue faced by the ProLock ransomware group earlier this year. These cybercriminals were behind the ransomware called PwndLocker, which could sometimes be decrypted without paying the ransom. The hackers had made a cryptographic mistake that sometimes allowed victims to recover the decryption key even after the encryption had completed. Then the ProLock ransomware strain came to the fore, which provoked an urgent warning from the FBI.
A Different Encryption
ProLock does not scramble each byte of each file it attacks. In the sample that was analysed by SophosLabs, the first 8KB of each file weren’t altered. So files below 8KB were left untouched while those bigger than 8192 bytes were encrypted while keeping the first 8KB unchanged.
ProLock is not the first ransomware to come up with this trick. There are three possible reasons why ransomware cybercriminals do it: to bypass encryption detection tools that only monitor the first part of the file, to fool certain common file-type identification tools, and to give you a false sense of security.
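To show why leaving the first 8 KB intact defeats header-only checks, here is an added demonstration, written for this page rather than taken from the SophosLabs report or from SpartanTec. It builds a constructed text “document” with a PDF-style magic string, replaces everything after the first 8192 bytes with seeded random bytes standing in for ciphertext (no real encryption is performed), and compares a naive header-only entropy check with one that looks at the header and the remainder separately. The 7.5 bits-per-byte threshold, the sample contents and the function names are assumptions for the example.

```python
"""Constructed demonstration of why header-only checks miss ProLock-style
partial encryption: the first 8 KB of a file stays intact, so magic bytes and
a header-only entropy check both look normal while the rest is ciphertext."""
import math
import random
from collections import Counter

HEADER_BYTES = 8192          # region the analysed ProLock sample left unchanged
ENTROPY_THRESHOLD = 7.5      # assumption: bits/byte above this looks encrypted or compressed


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, header_bytes: int = HEADER_BYTES,
             threshold: float = ENTROPY_THRESHOLD) -> str:
    """Compare the entropy of the possibly untouched header with the remainder."""
    head, tail = data[:header_bytes], data[header_bytes:]
    if not tail:
        # Files of 8 KB or less were left alone by this ProLock sample; there is
        # no encrypted region to compare against, so do not guess.
        return "too-small-to-judge"
    head_e, tail_e = shannon_entropy(head), shannon_entropy(tail)
    if tail_e >= threshold > head_e:
        return "suspect-partial-encryption"   # readable header, random-looking body
    if tail_e >= threshold and head_e >= threshold:
        return "high-entropy-whole-file"      # could simply be a zip/jpeg; needs other signals
    return "plain"


def header_only_check(data: bytes, header_bytes: int = HEADER_BYTES,
                      threshold: float = ENTROPY_THRESHOLD) -> str:
    """The naive check the article describes: look only at the start of the file."""
    return "encrypted" if shannon_entropy(data[:header_bytes]) >= threshold else "plain"


def build_samples() -> dict:
    """Constructed inputs (not real malware output): a text 'document', the same
    document with everything after the first 8 KB replaced by seeded random bytes
    standing in for ciphertext, a small file, and a fully random file."""
    rng = random.Random(2020)
    # About 20 KB of low-entropy text behind a PDF-style magic string.
    text = b"%PDF-1.7\n" + b"Quarterly report: revenue, costs, headcount. " * 450
    partial = text[:HEADER_BYTES] + rng.randbytes(len(text) - HEADER_BYTES)
    return {
        "plain": text,
        "partially_encrypted": partial,
        "small": text[:4096],
        "random": rng.randbytes(len(text)),
    }


SAMPLES = build_samples()

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:22s} magic={blob[:5]!r:12} "
              f"header-only={header_only_check(blob):9s} full={classify(blob)}")
```

Run as a script, the partially encrypted sample still begins with `%PDF-` and passes the header-only check as “plain”, while the split check flags it. The whole-file high-entropy case is deliberately reported separately, because compressed archives and images look the same way by design and need other signals (extension changes, ransom notes, mass renames) before anyone acts on them.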

Call SpartanTec, Inc. now and let our team of IT experts protect your company against ransomware and other types of online threats.

SpartanTec, Inc.
Myrtle Beach, SC 29577
(843) 420-9760
https://www.spartantec.com/
SpartanTec, Inc.
Fayetteville, NC 28304
(910) 745-7776
http://manageditservicesfayetteville.com
Cities Served:
Fayetteville, Spring Lake, Hope Mills, Dunn, Aberdeen, Southern Pines, Pinehurst, Sanford, Clinto
