A new ransomware called PwndLocker appeared in early March, targeting corporate networks, but after a short time Emsisoft researchers Michael Gillespie and Fabian Wosar identified a bug that allowed them to create a decryptor that recovers the files without paying the ransom.
In the following weeks, the ransomware changed to ProLock Ransomware. According to Sophos researcher PeterM, the new version is delivered through a BMP image called WinMgr.bmp, with the ransomware executable embedded in the image. The BMP file displays correctly, but it also contains binary data that a PowerShell script subsequently reassembles and injects directly into memory.
The ransomware encrypts the files on the device, adding the .proLock extension.
In each folder it scans, ProLock creates a ransom note called [How to recover files].txt containing instructions and payment information.
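The file-system indicators named above (the .proLock extension, the ransom note name and WinMgr.bmp) can be swept for when scoping an incident. The Python script below is an added example, not part of the original article; its function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

# Indicators taken from the article; compared case-insensitively because
# Windows file names are case-insensitive.
ENCRYPTED_EXT = ".prolock"
RANSOM_NOTE = "[how to recover files].txt"
LOADER_IMAGE = "winmgr.bmp"

def triage(root):
    """Map each directory under `root` that holds an indicator to its findings."""
    hits = defaultdict(lambda: {"encrypted": 0, "note": False, "loader": False})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                hits[dirpath]["encrypted"] += 1
            elif lower == RANSOM_NOTE:
                hits[dirpath]["note"] = True
            elif lower == LOADER_IMAGE:
                hits[dirpath]["loader"] = True
    return dict(hits)

def summarize(hits):
    """Reduce per-directory hits to totals a responder can use for scoping."""
    return {
        "encrypted_files": sum(h["encrypted"] for h in hits.values()),
        "dirs_with_note": sum(1 for h in hits.values() if h["note"]),
        "loader_paths": sorted(d for d, h in hits.items() if h["loader"]),
    }

def build_sample_tree(base):
    """Constructed sample data: empty files whose names mimic an affected host."""
    layout = {
        "docs": ["report.docx.proLock", "budget.xlsx.proLock",
                 "[How to recover files].txt"],
        "clean": ["notes.txt"],
        "images": ["WinMgr.bmp"],  # directory name is an assumption
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(base, sub))
        for name in names:
            open(os.path.join(base, sub, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(summarize(triage(tmp)))
```

A match on the file name WinMgr.bmp alone is weak evidence, so treat it as a lead to examine rather than a confirmed finding.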