FBI Warns that ProLock Ransomware Decryptor Corrupts Encrypted Files

A new ransomware named ProLock is affecting various industries in the United States, and the FBI is warning companies and other interested parties that the decryptor doesn”t work, and causes data loss.

The FBI”s policy has always been to resist the demands of hackers, and it”s the same advice offered by cybersecurity experts. There are a couple of good reasons for not paying the ransom. First of all, the money is likely to land in the hands of criminal organizations, which could include terrorists. Secondly, it encourages continuation of this crime.

There”s a third reason, although it might not seem as important as the other two. There”s always a chance that the hackers will take the money and never send the decryptor back. Or, just as bad, the decryptor is poorly made and corrupts the encrypted data.

The FBI issued a new alert regarding a newly surfaced ransomware named ProLock, which started out as PwndLocker. One of its last known targets is Diebold Nixdorf, a technology company in the financial sector.

“ProLock actors gain initial access to victim networks through phishing emails, Qakbot, improperly configured remote desktop protocol (RDP), and stolen login credentials for networks with single-factor

Authentication,” says the FBI advisory. “After ProLock actors gain access to a victim”s network, they map the network and identify backups, to include Volume Shadow Copies, for deletion and/or encryption.”

The FBI also explains that the decryption key or “decryptor” provided by the attackers upon paying the ransom has not routinely executed correctly. The decryptor could corrupt files larger than 64MB and may result in file integrity loss of approximately 1 byte per 1KB over 100MB.

Like Sodinokibi (REvil) and Maze operators, Prolock actors will also look to copy information in the network and exfiltrate data before encryption. Stolen data could be used to blackmail the companies into paying the ransom, sold on the dark web, or both.