computer security info  Blog's Page

Back To Blog

ProLock Ransomware: Complete Analysis, Indicators Of Compromise (IOCs), MITRE ATT&CK Mappin


  Category:  RANSOMWARE | 7th July 2026 | Author:  CSI'S TEAM

computer security info

Introduction

ProLock Ransomware Is A Sophisticated Ransomware Family That Emerged In 2020 And Quickly Became A Significant Threat To Organizations Worldwide. Security Researchers Believe ProLock Evolved From The Earlier PwndLocker Ransomware Family After Operational And Technical Changes Were Introduced By Its Operators. ProLock Is Known For Targeting Enterprise Environments, Encrypting Critical Business Data, And Demanding Substantial Ransom Payments In Exchange For Decryption Tools.

Unlike Commodity Ransomware That Primarily Targets Individual Users, ProLock Was Designed To Compromise Corporate Networks, Municipal Organizations, Healthcare Institutions, Financial Entities, And Other High-value Targets. The Ransomware Operators Often Gained Access Through Phishing Campaigns, Vulnerable Remote Desktop Protocol (RDP) Services, Virtual Private Network (VPN) Vulnerabilities, And Malware Loaders Such As QakBot (Qbot).

One Of The Defining Characteristics Of ProLock Was Its Use Of Double-extortion Tactics. Before Encrypting Files, Attackers Frequently Exfiltrated Sensitive Data And Threatened To Publish Stolen Information If Victims Refused To Pay The Ransom. This Strategy Increased Pressure On Organizations And Amplified The Impact Of Attacks.

This Article Provides A Comprehensive Overview Of ProLock Ransomware, Including Affected Operating Systems, Targeted Files, Infection Statistics, Impacted Countries, Indicators Of Compromise (IOCs), MITRE ATT&CK Techniques, Detection Rules, And Frequently Asked Questions.

Overview Of ProLock Ransomware

Attribute Details
Malware Name ProLock Ransomware
Malware Type Ransomware
First Observed 2020
Origin Successor To PwndLocker
Primary Goal Data Encryption And Extortion
Distribution QakBot, Phishing, RDP Abuse
Target Victims Enterprises And Organizations
Extortion Method Encryption And Data Theft
Ransom Payment Cryptocurrency

ProLock Became Particularly Dangerous Because It Combined Enterprise Intrusion Techniques With Robust Encryption Capabilities And Data Exfiltration Operations.

How ProLock Infects Systems?

A Typical ProLock Attack Follows A Multi-stage Intrusion Process.

Stage 1: Initial Access

Attackers Gain Access Through:

  • Phishing Emails

  • Malicious Attachments

  • Compromised VPN Services

  • Weak RDP Credentials

  • QakBot Malware Infections

  • Exploited Vulnerabilities

Stage 2: Internal Reconnaissance

After Gaining Access, Attackers:

  • Enumerate Systems

  • Identify Valuable Assets

  • Discover Domain Controllers

  • Locate Backup Infrastructure

Stage 3: Credential Theft

Attackers Harvest:

  • Domain Credentials

  • Administrator Passwords

  • Service Accounts

  • VPN Credentials

Stage 4: Lateral Movement

The Attackers Move Across The Network Using:

  • SMB

  • RDP

  • PowerShell

  • Administrative Tools

Stage 5: Data Exfiltration

Sensitive Information Is Collected And Transmitted To Attacker-controlled Servers.

Stage 6: Encryption

ProLock Encrypts Targeted Files And Leaves Ransom Notes Throughout The Environment.

Operating Systems Affected

ProLock Primarily Targets Microsoft Windows Environments.

Known Affected Windows Versions

  • Windows 7

  • Windows 8

  • Windows 8.1

  • Windows 10

  • Windows 11

  • Windows Server 2008

  • Windows Server 2012

  • Windows Server 2016

  • Windows Server 2019

  • Windows Server 2022

Linux Systems

No Widespread Linux-specific ProLock Encryptor Has Been Publicly Documented.

macOS

No Significant MacOS-targeting ProLock Variant Has Been Identified.

Browsers Affected By ProLock Operations

Although ProLock Itself Focuses On Encryption, Associated Intrusion Activities Often Target Browser-stored Credentials.

Browsers Commonly Exposed

  • Google Chrome

  • Mozilla Firefox

  • Microsoft Edge

  • Internet Explorer

  • Opera

  • Brave

Browser Data Potentially Accessed

  • Saved Passwords

  • Session Cookies

  • Authentication Tokens

  • Browser History

  • Autofill Information

Compromised Browser Credentials May Facilitate Privilege Escalation And Lateral Movement Within Enterprise Environments.

Browser Extensions At Risk

ProLock Operators And Associated Malware Loaders May Access Information Stored Within Browser Extensions.

Commonly Exposed Extension Categories

  • Password Managers

  • Cryptocurrency Wallet Extensions

  • Cloud Storage Plugins

  • Corporate Authentication Extensions

  • VPN Browser Extensions

Potentially Compromised Data

  • Login Credentials

  • Session Tokens

  • API Keys

  • Wallet Metadata

  • Authentication Secrets

Files Targeted By ProLock Ransomware

ProLock Focuses On Encrypting Valuable Organizational Data While Avoiding Files That Could Destabilize The Operating System.

Document Files

.doc
.docx
.xls
.xlsx
.ppt
.pptx
.pdf
.txt
.rtf

Database Files

.sql
.db
.sqlite
.mdb
.accdb

Archive Files

.zip
.rar
.7z
.tar
.gz

Image Files

.jpg
.jpeg
.png
.bmp
.gif
.tiff

Multimedia Files

.mp3
.wav
.mp4
.mov
.avi
.mkv

Source Code Files

.java
.py
.php
.js
.cpp
.cs
.html

Business-Critical Data

  • Financial Records

  • Customer Databases

  • HR Documents

  • Legal Documents

  • Intellectual Property

  • Backup Repositories

Encrypted Files Typically Receive Ransomware-specific Extensions Depending On The Campaign.

Encryption Capabilities

ProLock Employs Strong Encryption Algorithms To Render Files Inaccessible.

Characteristics

  • Fast Encryption Process

  • Enterprise-scale Deployment

  • Network Share Encryption

  • File Extension Modification

  • Ransom Note Creation

The Malware Is Capable Of Encrypting Thousands Of Files Across Multiple Systems In A Short Period.

How Many Systems Were Affected?

Exact Infection Numbers Remain Unknown Because Ransomware Operators Do Not Disclose Victim Counts And Many Incidents Remain Private.

However, Public Investigations And Incident Response Reports Indicate:

  • Hundreds Of Organizations Were Targeted.

  • Numerous Enterprise Networks Were Compromised.

  • Victims Included Healthcare, Government, Education, Finance, And Manufacturing Sectors.

  • Attacks Occurred Across Multiple Continents.

Security Researchers Generally Consider ProLock A Significant Enterprise Ransomware Operation Rather Than A Mass-infection Malware Campaign.

Estimated Affected Systems Likely Ranged From Thousands To Tens Of Thousands Of Endpoints Across Compromised Organizations.

Countries Impacted

ProLock Campaigns Affected Organizations Globally.

Frequently Reported Countries

  • United States

  • Canada

  • United Kingdom

  • Germany

  • France

  • Spain

  • Italy

  • Netherlands

  • Australia

  • India

  • Brazil

  • Mexico

  • South Africa

  • Singapore

The United States Accounted For A Substantial Percentage Of Publicly Reported Victims Due To The Group's Focus On High-value Enterprises.

Data Exfiltration Capabilities

Before Encryption, Attackers Often Collected:

Sensitive Corporate Data

  • Financial Reports

  • Customer Information

  • Employee Records

  • Intellectual Property

  • Internal Communications

Credential Information

  • Domain Credentials

  • VPN Credentials

  • Browser Passwords

  • Administrative Accounts

This Data Theft Enabled Double-extortion Attacks Where Victims Faced Both Operational Disruption And Potential Public Exposure.

ProLock Ransomware Indicators Of Compromise (IOCs)

The Following IOCs Are Representative Examples Associated With ProLock Investigations. Organizations Should Validate Indicators Against Current Threat Intelligence Feeds Before Deployment.

Ransom Note Names

ProLock_README.txt
README.txt
RECOVER_FILES.txt

Suspicious File Extensions

.proLock
.locked
.enc

Suspicious Processes

prolock.exe
Update.exe
Encryptor.exe

Common Behavioral Indicators

  • Mass File Encryption

  • Shadow Copy Deletion

  • Backup Destruction

  • Ransom Note Deployment

  • Credential Dumping

  • Network Share Enumeration

  • Lateral Movement Activity

Command-Line Indicators

vssadmin Delete Shadows /all /quiet
Wbadmin Delete Catalog
Bcdedit /set Recoveryenabled No

Network Indicators

Organizations Should Investigate:

  • Connections To Unknown External IP Addresses

  • Data Exfiltration Traffic

  • Suspicious PowerShell Communications

  • Large Outbound Transfers Before Encryption

MITRE ATT&CK Techniques

The Following MITRE ATT&CK Techniques Are Commonly Associated With ProLock Operations.

ATT&CK ID Technique
T1566 Phishing
T1078 Valid Accounts
T1133 External Remote Services
T1021.001 Remote Desktop Protocol
T1021.002 SMB/Windows Admin Shares
T1087 Account Discovery
T1018 Remote System Discovery
T1082 System Information Discovery
T1003 OS Credential Dumping
T1555 Credentials From Password Stores
T1059.001 PowerShell
T1105 Ingress Tool Transfer
T1041 Exfiltration Over C2 Channel
T1486 Data Encrypted For Impact
T1490 Inhibit System Recovery
T1562 Impair Defenses
T1036 Masquerading
T1070 Indicator Removal On Host

ATT&CK Tactics

ProLock Activity Spans Numerous ATT&CK Tactics:

  • Initial Access

  • Execution

  • Persistence

  • Privilege Escalation

  • Defense Evasion

  • Credential Access

  • Discovery

  • Lateral Movement

  • Collection

  • Command And Control

  • Exfiltration

  • Impact

Detection Rules

Sigma Rule – Shadow Copy Deletion

title: Shadow Copy Deletion Activity
Id: Prolock-shadow-copy-deletion
Status: Experimental

Logsource:
  Product: Windows
  Category: Process_creation

Detection:
  Selection:
    CommandLine|contains:
      - "vssadmin Delete Shadows"
      - "wbadmin Delete Catalog"

  Condition: Selection

Level: High

Sigma Rule – Ransomware File Encryption Activity

title: Potential ProLock File Encryption
Id: Prolock-file-encryption
Status: Experimental

Logsource:
  Product: Windows
  Category: File_event

Detection:
  Selection:
    TargetFilename|contains:
      - ".proLock"
      - ".locked"

  Condition: Selection

Level: Critical

Sigma Rule – Suspicious PowerShell Activity

title: Suspicious PowerShell Execution
Id: Prolock-powershell
Status: Experimental

Logsource:
  Product: Windows
  Category: Process_creation

Detection:
  Selection:
    Image|endswith:
      - Powershell.exe

  Condition: Selection

Level: Medium

YARA Rule Example

rule ProLock_Ransomware
{
    Meta:
        Description = "Detect Possible ProLock Artifacts"

    Strings:
        $a = "ProLock"
        $b = "RECOVER_FILES"
        $c = "vssadmin Delete Shadows"

    Condition:
        Any Of Them
}

Behavioral Detection Opportunities

Security Teams Should Monitor For:

  • Rapid File Encryption Activity

  • Large-scale File Renaming

  • Creation Of Ransom Notes

  • Shadow Copy Deletion

  • Credential Dumping Activity

  • Unexpected PowerShell Execution

  • Lateral Movement Attempts

  • Network Share Access Spikes

  • Data Exfiltration Behavior

Behavioral Analytics Often Provide Earlier Detection Than Signature-based Approaches.

Prevention And Mitigation

User Security Controls

  • Avoid Opening Suspicious Email Attachments.

  • Verify External Communications.

  • Report Phishing Attempts.

Enterprise Security Controls

  • Deploy Endpoint Detection And Response (EDR).

  • Restrict RDP Access.

  • Implement Network Segmentation.

  • Enforce Least Privilege.

Backup Protection

  • Maintain Offline Backups.

  • Protect Backup Servers.

  • Test Restoration Procedures Regularly.

Credential Security

  • Enable Multi-factor Authentication.

  • Rotate Privileged Credentials.

  • Monitor Account Misuse.

Vulnerability Management

  • Patch VPN Systems.

  • Patch Exposed Services.

  • Continuously Scan For Vulnerabilities.

Frequently Asked Questions (FAQ)

What Is ProLock Ransomware?

ProLock Is An Enterprise-focused Ransomware Family That Encrypts Files And Often Steals Sensitive Data Before Demanding Payment.

How Does ProLock Spread?

It Commonly Spreads Through Phishing Campaigns, QakBot Infections, Vulnerable VPN Appliances, Exposed RDP Services, And Compromised Credentials.

Which Operating Systems Are Affected?

ProLock Primarily Targets Windows Workstations And Windows Server Environments.

Does ProLock Steal Data?

Yes. Many ProLock Attacks Included Data Exfiltration Prior To Encryption As Part Of A Double-extortion Strategy.

What Files Does ProLock Encrypt?

It Targets Documents, Databases, Images, Archives, Source Code, Multimedia Files, And Other Business-critical Data.

How Many Systems Were Affected?

Although Exact Figures Remain Unavailable, Thousands To Tens Of Thousands Of Systems Were Likely Affected Across Hundreds Of Compromised Organizations Worldwide.

Which Countries Were Impacted?

Victims Were Reported Across North America, Europe, Asia-Pacific, South America, And Africa, Including The United States, Canada, United Kingdom, Germany, Australia, India, And Brazil.

Can ProLock Encrypt Network Shares?

Yes. ProLock Can Identify And Encrypt Accessible Network Shares And Mapped Drives.

How Can Organizations Detect ProLock?

Detection Can Be Achieved Through EDR Solutions, Behavioral Monitoring, IOC Matching, ATT&CK-based Threat Hunting, And Ransomware Activity Analytics.

Can Files Be Recovered Without Paying The Ransom?

Recovery Depends On Available Backups, Incident Response Actions, And The Specific Attack Circumstances. Organizations Should Prioritize Restoration From Secure Backups And Consult Incident Response Professionals Before Considering Ransom Payments.

Conclusion

ProLock Ransomware Emerged As A Highly Effective Enterprise Threat By Combining Network Intrusion Techniques, Credential Theft, Data Exfiltration, And Large-scale File Encryption. Its Evolution From The PwndLocker Family And Its Association With Malware Delivery Mechanisms Such As QakBot Enabled Attackers To Compromise High-value Organizations Across Multiple Sectors.

The Ransomware's Use Of Double Extortion Significantly Increased Pressure On Victims, While Its Ability To Move Laterally And Encrypt Network Resources Amplified Operational Disruption. Organizations Can Reduce Their Risk By Implementing Layered Security Controls, Enforcing Strong Authentication, Maintaining Offline Backups, Monitoring For ATT&CK-aligned Behaviors, And Continuously Hunting For Indicators Of Compromise.

A Proactive Cybersecurity Strategy That Combines Prevention, Detection, Response, And Recovery Remains The Most Effective Defense Against ProLock And Similar Ransomware Operations.

Malware Removal Guide For PC

Malware Removal Guide For Web Browsers

Prevent Future Malware

Summary - Malware Removal Guide

Guide For VPN Uses

Malware Removal Guide – PC And Web Browser

PART 1: Remove Malware From Your PC (Windows)

Step 1: Boot Into Safe Mode

  • Restart Your PC And Press F8 (or Shift + F8 For Some Systems) Before Windows Loads.

  • Choose Safe Mode With Networking.

Safe Mode Prevents Most Malware From Loading.

Step 2: Uninstall Suspicious Programs

  1. Press Win + R, Type appwiz.cpl, And Press Enter.

  2. Sort By Install Date And Uninstall Unknown Or Recently Added Programs.

Step 3: Run A Malware Scan

Use A Trusted Anti-malware Tool:

Malwarebyteshttps://www.malwarebytes.com

Screenshot Of Malwarebytes - Visit Links

Microsoft Defender – Built Into Windows 10/11

Bitdefender GravityZone Business Security

Emsisoft Anti-Malware Home

HitmanPro, ESET Online Scanner, Or Kaspersky Virus Removal Tool

ZoneAlarm Pro Antivirus + Firewall NextGen

VIPRE Antivirus - US And Others Countries, | India

VIPRE Antivirus - Mac

F-Secure Total - Global

Run A Full Scan And Delete/quarantine Detected Threats.

Step 4: Delete Temporary Files

  1. Press Win + R, Type temp → Delete All Files.
  2. Press Win + R, Type %temp% → Delete All Files.

  3. Use Disk Cleanup: cleanmgr In The Run Dialog.

Step 5: Reset Hosts File

  1. Go To: C:\Windows\System32\drivers\etc

  2. Open hosts File With Notepad.

  3. Replace With Default Content:

Step 6: Check Startup Programs

  1. Press Ctrl + Shift + Esc → Open Task Manager

  2. Go To Startup Tab

  3. Disable Any Suspicious Entries.

Step 7: Reset Network Settings

  1. Open Command Prompt As Administrator.

  2. Run These Commands:

netsh Winsock Reset

netsh Int Ip Reset

ipconfig /flushdns

PART 2: Remove Malware From Web Browsers

? Common Signs Of Malware In Browser:

  • Unwanted Homepage Or Search Engine

  • Pop-ups Or Redirects

  • Unknown Extensions Installed

Step 1: Remove Suspicious Extensions

For Chrome:

  • Go To: chrome://extensions/

  • Remove Anything Unfamiliar

For Firefox:

  • Go To: about:addons → Extensions

  • Remove Suspicious Add-ons

For Edge:

  • Go To: edge://extensions/

  • Uninstall Unknown Add-ons

Step 2: Reset Browser Settings

Chrome:

  • Go To chrome://settings/reset → "Restore Settings To Their Original Defaults"

Firefox:

  • Go To about:support → "Refresh Firefox"

Edge:

  • Go To edge://settings/resetProfileSettings → "Reset Settings"

Step 3: Clear Cache And Cookies

All Browsers:

  • Use Ctrl + Shift + Del → Select All Time

  • Clear Cookies, Cached Files, And Site Data

Step 4: Check Search Engine & Homepage Settings

Make Sure They Are Not Hijacked.

  • Chrome: chrome://settings/search

  • Firefox: about:preferences#search

  • Edge: edge://settings/search

Step 5: Use Browser Cleanup Tools (Optional)

  • Chrome: chrome://settings/cleanup

  • Use Malwarebytes Browser Guard For Real-time Browser Protection.

FINAL TIPS: Prevent Future Malware

  • Always Download Software From Trusted Sources.

  • Keep Windows, Browsers, And Antivirus Updated.

  • Avoid Clicking Suspicious Links Or Ads.

  • Use ad Blockers And reputable Antivirus Software.

  • Backup Your Files Regularly.

Short Summary: Malware Removal Guide (PC & Web Browser)

To Remove Malware From Your Windows PC, Start By Booting Into Safe Mode, Uninstalling Suspicious Programs, And Scanning With Trusted Anti-malware Tools Like Malwarebytes. Clear Temporary Files, Reset Your Network Settings, And Check Startup Apps For Anything Unusual.

For web Browsers, Remove Unwanted Extensions, Reset Browser Settings, Clear Cache And Cookies, And Ensure Your Homepage And Search Engine Haven’t Been Hijacked. Use Cleanup Tools Like Chrome Cleanup Or Browser Guard For Added Protection.

?? Prevention Tips: Keep Software Updated, Avoid Suspicious Downloads, And Use Antivirus Protection Plus Browser Ad Blockers. Regular Backups Are Essential.

VPN - How To Use IT

1. Choose A Trusted VPN Provider

  • Why It Matters: Not All VPNs Offer Malware Protection.

  • What To Look For: Providers With built-in Malware/ad/tracker Blockers (e.g., NordVPN’s Threat Protection, ProtonVPN’s NetShield).

  • Nord VPN
  • Hide.me VPN

2. Enable Kill Switch

  • Purpose: Prevents Data Leaks If Your VPN Connection Drops.

  • Benefit: Ensures Your Real IP And Browsing Activity Aren’t Exposed To Malware-distributing Websites.

3. Use VPN With DNS Leak Protection

  • Why It Matters: DNS Leaks Can Expose Your Online Activity To Attackers.

  • Solution: Enable DNS Leak Protection In Your VPN Settings Or Use A Secure DNS Like Cloudflare (1.1.1.1).

4. Avoid Free VPNs

  • Risk: Free VPNs Often Contain Malware, Sell User Data, Or Lack Security Features.

  • Better Option: Use Reputable Paid VPNs That Offer security Audits And Transparent Privacy Policies.

5. Use VPN With Anti-Phishing Tools

  • Some VPNs Block Known Phishing And Malicious Sites.

  • Example: Surfshark’s CleanWeb, CyberGhost’s Content Blocker.

6. Keep Your VPN App Updated

  • Reason: Security Patches Fix Known Vulnerabilities.

  • Tip: Enable Auto-updates Or Check For Updates Weekly.

. Use VPN On All Devices

  • Scope: Malware Can Enter Through Phones, Tablets, Or IoT Devices.

  • Solution: Install VPN Apps On Every Internet-connected Device.

8. Don’t Rely On VPN Alone

  • Fact: VPNs Do Not Remove Or Detect Malware On Your System.

  • Complement It With:

    • Antivirus Software

    • Firewall

    • Browser Extensions For Script Blocking

9. Avoid Clicking Unknown Links While VPN Is On

  • VPN Encrypts Traffic But Can’t Stop Malware From Executing If You Download Infected Files.

10. Use VPN With Split Tunneling Cautiously

  • Split Tunneling Allows Certain Apps/sites To Bypass VPN.

  • Tip: Never Exclude Browsers, Email Clients, Or Download Managers From VPN Tunneling.

Short Note - VPN Uses

A VPN (Virtual Private Network) Enhances Your Online Privacy By Encrypting Your Internet Traffic And Masking Your IP Address. It Protects Your Data On Public Wi-Fi, Hides Browsing Activity From Hackers And ISPs, And Helps Bypass Geo-restrictions. VPNs Also Add A Layer Of Defense Against Malware By Blocking Malicious Websites And Trackers When Using Advanced Features. However, A VPN Does Not Remove Existing Malware Or Act As Antivirus Software. For Full Protection, Combine VPN Use With Antivirus Tools, Regular Software Updates, And Cautious Browsing Habits. Always Choose A Reputable VPN Provider With Strong Security And Privacy Policies.

ProLock Ransomware, ProLock Ransomware Removal, Remove ProLock Ransomware, Delete ProLock Ransomware, Uninstall ProLock Ransomware, Get Rid Of ProLock