ProLock is a Windows ransomware family, previously known as PwndLocker/PwndLcker, that was rebranded as ProLock in 2019. It has been described as a relatively uncommon ransomware strain that went through multiple names and iterations. ProLock encrypts files on compromised hosts using RC6 and encrypts the key with RSA-1024. It can remove Volume Shadow Copies using vssadmin.exe and can use WMIC to execute scripts on targeted hosts. Reported privilege-escalation activity includes exploitation of CVE-2019-0859. The malware can use JPG and BMP files to store its payload. ProLock has been associated with QakBot/Qbot infections as an initial access vector or delivery mechanism, and reporting states that QakBot infections have led to deployment of ProLock. France’s CERT reported that the Lockean ransomware affiliate operation used ProLock alongside Maze, Egregor, and REvil, and that TA551 collaborated with Lockean by helping affiliates drop ProLock payloads on devices infected with Qbot/QakBot. The content also notes ties or reported links involving Sekhmet, LockBit, and Maze affiliates. A notable incident cited involved Diebold Nixdorf, where investigators determined intruders installed ProLock ransomware on the company’s corporate network. At the time described in the reporting, ProLock operators had not yet launched their own public leak blog, though reporting indicated movement toward data-theft extortion. Typical ransom demands cited in the content ranged from about $175,000 to more than $660,000 depending on victim size.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
ProLock can use CVE-2019-0859 to escalate privileges on a compromised host.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Between June 2020 and March 2021, Lockean attacked at least seven more companies with various ransomware families: Maze, Egregor, ProLock, REvil.
7 distinct techniques documented for this family, organized by ATT&CK tactic.
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
APT28 has exploited CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, CVE-2017-0263 to escalate privileges. ... APT29 has exploited CVE-2021-36934 to escalate privileges on a compromised host. ... multiple groups/tools exploit various CVEs to escalate privileges.
Over the past year and a half, the threat actor has compromised the networks of at least eight French companies, stealing data and deploying malware from multiple ransomware-as-a-service (RaaS) operations.
Akira will delete system volume shadow copies via PowerShell commands. Avaddon deletes backups and shadow copies using native system tools. Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet. BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.
24 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware payload dropped by Lockean affiliates on systems infected via Qbot/QakBot with TA551 collaboration.
Ransomware that removes volume shadow copies using vssadmin.
Ransomware strain referenced as leveraging Qakbot as a loader in ransomware attacks.
Referenced as a ransomware family reportedly tied to Egregor/Maze relationships.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.