
New ransomware uses a banking Trojan to attack governments and businesses

May 20, 2020

In the past few months, a new type of ransomware attack has emerged that has raised red flags in the cybersecurity community and at agencies such as the FBI in the United States. According to a report published on May 17, the cybersecurity company Group-IB warns that the attack is delivered by a Trojan.

According to the Group-IB study, the ransomware is known as ProLock. It relies on the banking Trojan Qakbot to launch the attack and demands a six-figure ransom in BTC from its targets to decrypt the files.

The victim list includes local government, financial, healthcare and retail organizations. The attack that Group-IB considers most notable was the one against ATM provider Diebold Nixdorf.

35 BTC as a full payment in a ProLock attack


The FBI reported that a ProLock attack initially gains access to victims’ networks through phishing emails, which often carry Microsoft Word documents. Qakbot then tampers with the Remote Desktop Protocol (RDP) configuration and steals credentials from systems that use single-factor authentication.

According to Group-IB, the ransomware attack demanded a total payment of 35 BTC, worth $337,750 at the time of publication. However, a study by Bleeping Computer shows that ProLock demands an average of $175,000 to $660,000 per attack, depending on the size of the target network.

Brett Callow, threat analyst at Emsisoft’s malware lab, told Cointelegraph some details about this new cyber threat:

“ProLock is unusual in that it is written in assembly and provided with PowerShell and shellcode. Malicious code is stored in XML, video or image files. In particular, the ProLock decryptor provided by the criminals does not work properly and damages the data during the decryption process.”

Callow added that while Emsisoft has developed a decryptor that restores the data of ProLock victims without loss, this software does not eliminate the need to pay the ransom, since it depends on the key provided by the criminals.

ProLock does not leak stolen data

Although the techniques used by ProLock operators are similar to those of well-known ransomware groups that leak stolen data, such as Sodinokibi and Maze, Group-IB has made the following clear:

“However, unlike their peers, ProLock operators don’t yet have a website where they can publish the data extracted from companies that refuse to pay the ransom.”

Latest ransomware attacks

Cointelegraph has reported several ransomware attacks in the past few weeks.

Maze, a ransomware group, claimed on May 19 that it had hacked US egg producer Sparboe and posted preliminary information on a website as proof that it carried out the attack.

A ransomware gang called REvil recently threatened to release almost 1 TB of private legal data belonging to some of the world’s biggest music and film stars, including Lady Gaga, Elton John, Robert De Niro and Madonna.