New ransomware uses a banking trojan to attack governments and companies

In recent months a new type of ransomware attack has emerged, which has raised alarm bells among the cyber security community and authorities such as the FBI in the United States. The cyber security company, Group-IB, has warned that it comes in the form of a Trojan horse, according to a report released on May 17.

According to the Group-IB study, the ransomware is known as ProLock and relies on the Qakbot banking Trojan to launch the attack and asks the targets for a six-figure dollar ransom paid at BTC to decrypt the files.

The list of victims includes local governments, financial, health and retail organizations. Among them, the attack that the IIB Group considers the most notable was against ATM provider Diebold Nixdorf.

Ransomware group demands $42 million or it will leak Donald Trump’s „dirty laundry

35 BTC as full payment in a ProLock attack
The FBI detailed that the ProLock attack initially gains access to victims‘ networks through phishing emails that often deliver Microsoft Word documents. Qakbot then interferes with the , , , , n of a remote desktop protocol and steals access credentials to systems with single-factor authentication.

According to the IB Group, the ransomware attacks call for a total payment of 35 BTCs, worth $337,750 at the time of publication. However, a study by Bleeping Computer shows that ProLock requires an average of $175,000 to $660,000 per attack, depending on the size of the target network.

Speaking with Cointelegraph, Brett Callow, a threat analyst at the malware lab, Emsisoft, explained some details about this new cyber-threat:

„ProLock is unusual in that it’s written in assembly and deployed using Powershell and shellcode. The malicious code is stored in XML, video or image files. In particular, the ProLock decryptor supplied by the criminals does not work properly and corrupts the data during the decryption process“.

Interpol joins Kaspersky in declaring ‚Anti-Ransomware Day

Callow added that although Emsisoft developed a decryptor to recover data from victims affected by ProLock without loss, that software does not eliminate the need to pay ransom, as it depends on the key provided by the offenders.

ProLock does not filter stolen data
Although the techniques used by the ProLock operators are similar to those of the known ransomware groups that filter stolen data such as Sodinokibi and Maze, Group-IB clarified the following:

„Unlike their peers, however, the ProLock operators do not yet have a website where they can post data extracted from companies that refuse to pay the ransom.“

Latest ransomware attacks

Cointelegraph has reported several ransomware attacks in recent weeks.

The ransomware group Maze claimed on May 19 to have hacked the egg producer, Sparboe, in the United States, by leaking preliminary information on a website to prove that they committed the attack.

A ransomware band called REvil recently threatened to release nearly 1TB of private legal secrets of the world’s biggest music and movie stars, including Lady Gaga, Elton John, Robert DeNiro, Madonna, and others.