New Ransomware Uses a Banking Trojan To Attack Governments and Companies

Published at: May 19, 2020

A new type of ransomware attack emerged in recent months, raising red flags among the cybersecurity community and authorities such as the FBI in the United States. Cybersecurity firm Group-IB has warned that the ransomware is delivered by a banking Trojan, according to a report published on May 17.

According to Group-IB’s study, the ransomware, known as ProLock, relies on the Qakbot banking trojan to launch the attack and demands six-figure USD ransoms, paid in BTC, to decrypt the files.

The roster of victims includes local governments and financial, healthcare and retail organizations. Among them, the attack that Group-IB considers the most notable was against ATM provider Diebold Nixdorf.

35 BTC as the total payment in a ProLock attack

The FBI detailed that ProLock operators gain initial access to victim networks through phishing emails, often carrying malicious Microsoft Word documents that deliver Qakbot, as well as through improperly configured Remote Desktop Protocol (RDP) exposure and stolen login credentials for systems that rely on single-factor authentication.

According to Group-IB, one ProLock attack demanded a total payment of 35 BTC — worth $337,750 as of press time. However, a Bleeping Computer study shows that ProLock demands an average of $175,000 to $660,000 per attack, depending on the size of the targeted network.

Speaking with Cointelegraph, Brett Callow, threat analyst at malware lab Emsisoft, explained some details about this new cyber threat:

“ProLock is unusual in that it is written in assembly and deployed using Powershell and shellcode. The malicious code is stored in either XML, video, or image files. Notably, the ProLock decryptor supplied by the criminals does not work correctly and corrupts data during the decryption process.”

Callow added that although Emsisoft developed a decryptor that recovers data encrypted by ProLock without loss, the tool does not remove the need to pay the ransom, since it relies on the key supplied by the criminals.

ProLock doesn’t leak the stolen data

Although the techniques used by ProLock operators are similar to those of known ransomware groups that leak stolen data, such as Sodinokibi and Maze, Group-IB clarified the following:

“Unlike their peers, though, ProLock operators still don’t have a website where they publish exfiltrated data from companies that refuse to pay the ransom.”

Latest ransomware attacks

Cointelegraph has reported several ransomware attacks in recent weeks.

Ransomware group Maze claimed on May 19 to have hacked United States egg producer Sparboe, leaking preliminary information on a website to prove that they committed the attack.

A ransomware gang called REvil recently threatened to release almost 1TB of confidential legal documents concerning the world’s biggest music and movie stars, such as Lady Gaga, Elton John, Robert DeNiro and Madonna, among others.
