TinyPOS and ProLocker: An Odd Relationship
released on 2020-11-03 @ 05:11:56 PM
In a VISA bulletin, VISA described a deployment technique for TinyPOS that seemed oddly similar to the ProLocker ransomware installation workflow described by Group-IB. After spending time mapping out code-level relationships and VirusTotal submitter relationships, there is evidence to suggest that this is not pure chance. In short, one of the following is likely true:

1. ProLocker and TinyPOS are written by the same author, who also provides a deployment mechanism; or
2. ProLocker and TinyPOS are written, deployed, and used by the same threat actor; or
3. The ProLocker adversary obtained or modified the TinyPOS source code and also operates in the carding space.