A new ransomware called PwndLocker appeared in early March, targeting corporate networks, but after a short time Emsisoft researchers Michael Gillespie and Fabian Wosar identified a bug that allowed them to create a decryptor that recovers the files without paying the ransom.
In the following weeks, the ransomware changed to ProLock Ransomware. According to what Sophos researcher PeterM discovered, the new version is delivered through a BMP image called WinMgr.bmp, with the ransomware executable embedded in the image. The BMP file displays correctly, but it also contains binary data that a PowerShell script subsequently reassembles and injects directly into memory.
The ransomware encrypts the files on the device by adding the .proLock
In each folder that has been scanned, ProLock creates a ransom note called [How to recover files].txt containing instructions and payment information.
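A triage check for the WinMgr.bmp delivery described above, as an added example that is not from the original article or from Sophos: it compares what a BMP's headers declare with what the file actually holds and flags bytes that lie outside the displayed image. The article does not say where in the file the extra data sits; this sketch assumes it lies beyond the declared pixel array, and the sample images are constructed.

```python
import math
import struct
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage_bmp(blob: bytes) -> dict:
    """Compare what the BMP headers declare with what the file actually holds."""
    if len(blob) < 54 or blob[:2] != b"BM":
        raise ValueError("not a BMP (missing 'BM' magic or too short)")
    bf_size, _, _, bf_off_bits = struct.unpack_from("<IHHI", blob, 2)
    _, width, height, _, bpp, compression, size_image = struct.unpack_from("<IiiHHII", blob, 14)
    if compression == 0:  # BI_RGB: rows are padded to 4-byte boundaries
        pixel_len = ((width * bpp + 31) // 32) * 4 * abs(height)
    else:                 # compressed: fall back to the declared image size
        pixel_len = size_image
    pixel_end = bf_off_bits + pixel_len
    trailer = blob[pixel_end:]  # bytes a viewer never renders
    return {
        "size_mismatch": bf_size != len(blob),
        "trailing_bytes": len(trailer),
        "trailing_entropy": round(entropy(trailer), 3),
        "pixel_entropy": round(entropy(blob[bf_off_bits:pixel_end]), 3),
        "suspicious": len(trailer) > 0 or bf_size != len(blob),
    }

def build_bmp(width: int, height: int, pixels: bytes) -> bytes:
    """Constructed helper: wrap raw 24-bit pixel rows in BMP headers."""
    file_hdr = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels

# Constructed samples: a clean 4x4 image, and the same image with 1 KiB appended.
CLEAN = build_bmp(4, 4, bytes([0x20, 0x40, 0x80] * 16))
STUFFED = CLEAN + bytes(range(256)) * 4

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("stuffed", STUFFED)):
        print(name, triage_bmp(blob))
```

The pixel-extent check still fires when the declared file size has been patched to match the real length. Data hidden inside the pixel array itself would only show up as an unusually high `pixel_entropy`.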