Since March 2020, unknown cyber actors using ProLock ransomware have exfiltrated data from victim organizations and threatened to publicly release the data unless the victim pays the ransom. ProLock ransomware has infected victims in the healthcare, financial, construction, and legal sectors, as well as the industrial base and government agencies. ProLock actors have employed several initial attack vectors to compromise systems, including phishing emails containing an attached variant of the Qakbot Trojan, leveraging improper system configurations and/or stolen credentials, and using Cobalt Strike to facilitate the installation of the malicious files onto a victim’s computer system. ProLock actors first exfiltrated data from victim organizations to a cloud-based file sharing platform using a command line file syncing program called rclone.exe, which is disguised on the victim’s system as svchost.exe. ProLock actors encrypt data on workstations and servers and leave a ransom note instructing the victims to visit a Tor page and log in using a unique ID included in the ransom note. The Tor page displays the ransom price and digital currency wallet address for the ransom payment. The ransom note indicates that the decryption keys will be stored for one month and provides a contact email address.
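The rclone.exe-as-svchost.exe disguise described above can be hunted for in process-creation telemetry. The following is an added example, not part of the original advisory: the event field names, host names, file paths and command lines are constructed for illustration, and the three checks are assumptions about what a defender's log source exposes.

```python
import ntpath
import re

# Directories where the genuine Windows svchost.exe lives.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# An rclone transfer subcommand followed by a "remote:path" argument.
# {2,} keeps single-letter drive paths such as D:\ from counting as a remote.
RCLONE_ARGS = re.compile(r"\b(copy|sync|move)\b.*\s[\w-]{2,}:\S*", re.IGNORECASE)

def check_event(event):
    """Return the reasons a process-creation event looks like a fake svchost.exe."""
    image = ntpath.normcase(event["image"])
    if ntpath.basename(image) != "svchost.exe":
        return []
    reasons = []
    if ntpath.dirname(image) not in LEGIT_DIRS:
        reasons.append("svchost.exe outside System32/SysWOW64")
    # Renaming a file on disk does not change the name stored in its PE version info.
    original = event.get("original_file_name", "").lower()
    if original and original != "svchost.exe":
        reasons.append(f"PE original name is {original}")
    if RCLONE_ARGS.search(event.get("command_line", "")):
        reasons.append("rclone-style transfer arguments")
    return reasons

def triage(events):
    """Map each host with a suspicious event to the reasons it was flagged."""
    flagged = {}
    for event in events:
        reasons = check_event(event)
        if reasons:
            flagged.setdefault(event["host"], []).extend(reasons)
    return flagged

# Constructed sample events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"host": "WS-01", "image": r"C:\Windows\System32\svchost.exe",
     "original_file_name": "svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"host": "FS-02", "image": r"C:\ProgramData\svchost.exe",
     "original_file_name": "rclone.exe",
     "command_line": r"C:\ProgramData\svchost.exe copy D:\Shares remote:backup"},
    {"host": "WS-03", "image": r"C:\Windows\explorer.exe",
     "original_file_name": "explorer.exe",
     "command_line": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

Any single reason is worth an analyst's attention; an svchost.exe image that trips all three is a strong candidate for the staging tool the advisory describes.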