ProLock ransomware – new report reveals the evolution of a threat
SophosLabs has just published a new report on a ransomware strain known as ProLock, which is interesting not so much for its implementation as for its evolution.
Most ransomware scrambles the whole file, so monitoring access to the start of each file is an efficient way of spotting some, but not all, unauthorised changes.
At first glance, you might think you've got away with the ransomware attack, given that some files are intact and some part of every file can be recovered.
Only in the case of our Naked Security article archive would we have been "lucky" enough to retain just over half of our files, for the simple reason that we save the originals as plain text files, half of which are just under 8KB.
ProLock also has some other interesting tricks to learn about, including obscuring the ransomware executable itself by hiding it inside a BMP file that displays as an almost-uniform and apparently uninteresting black rectangle if you open it for inspection.
In a real-life ProLock attack, a PowerShell script that does not itself contain any ransomware code is used to unravel the EXE from the innocent-looking BMP file in order to launch it.
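
A defender-side triage check for the BMP trick described above, as an added example (not code from SophosLabs or the original article): it flags an image that is almost uniform yet carries blocks of dense, random-looking bytes, or data after the end of the pixel area. It assumes uncompressed BMPs; the function names, thresholds and sample data are illustrative assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage_bmp(blob: bytes, block: int = 1024, dense: float = 7.0) -> dict:
    """Flag a BMP that looks near-uniform yet carries dense, random-looking data."""
    if len(blob) < 54 or blob[:2] != b"BM":
        raise ValueError("not a BMP file")
    pixel_offset = struct.unpack_from("<I", blob, 10)[0]
    width, height, _planes, bpp = struct.unpack_from("<iiHH", blob, 18)
    stride = (width * bpp + 31) // 32 * 4          # rows are padded to 4 bytes
    pixel_end = pixel_offset + stride * abs(height)
    pixels = blob[pixel_offset:pixel_end]
    if not pixels:
        raise ValueError("no pixel data")
    dominant = Counter(pixels).most_common(1)[0][1] / len(pixels)
    dense_blocks = sum(
        entropy(pixels[i:i + block]) > dense for i in range(0, len(pixels), block)
    )
    trailing = max(0, len(blob) - pixel_end)       # bytes after the image data
    return {
        "dominant_fraction": round(dominant, 3),
        "dense_blocks": dense_blocks,
        "trailing_bytes": trailing,
        "suspicious": trailing > 0 or (dominant > 0.9 and dense_blocks > 0),
    }

def make_bmp(pixels: bytes, width: int, height: int) -> bytes:
    """Build a 24-bit uncompressed BMP around the given pixel bytes (sample helper)."""
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                          len(pixels), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + pixels

# Constructed samples: a plain black 256x256 image, and the same image with
# 8 KiB of random-looking filler (SHA-256 output, not real malware) inside it.
BLACK = bytes(768 * 256)
FILLER = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
CLEAN_BMP = make_bmp(BLACK, 256, 256)
STUFFED_BMP = make_bmp(BLACK[:102400] + FILLER + BLACK[102400 + len(FILLER):], 256, 256)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_BMP), ("stuffed", STUFFED_BMP)):
        print(name, triage_bmp(blob))
```

A hit is a reason to inspect the file and whatever script reads it, not proof of malice, since ordinary noisy images can also contain dense blocks.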