PwndLocker Ransomware
PwndLocker Ransomware: A Targeted Threat Aimed at Enterprises and Public Sector Networks
PwndLocker ransomware, first identified in late 2019, is a file-encrypting malware designed to attack large organizations, municipal governments, and critical infrastructure providers. Known for its high ransom demands and wide-scale disruption, PwndLocker encrypts critical data and systems, often paralyzing victims’ operations until a ransom is paid. Demands typically ranged from $175,000 to over $660,000, paid in Bitcoin, depending on the size and importance of the target.
Introduction to PwndLocker Ransomware
PwndLocker gained notoriety for its manual, targeted attacks, exploiting Remote Desktop Protocol (RDP) services and weak network defenses to gain unauthorized access to enterprise systems. After infiltrating a network, attackers carefully mapped out critical systems before deploying AES-256 encryption to lock important files. Victims were presented with ransom notes threatening data destruction or public leaks if payments were not made. In March 2020, the PwndLocker operators rebranded their operation as ProLock, continuing similar tactics under the new name.
1. How PwndLocker Ransomware Works
Infection Mechanism:
PwndLocker attackers gained initial access to victim networks primarily through brute-force attacks on Remote Desktop Protocol (RDP) services with weak or reused credentials. In some cases, the attackers exploited unpatched vulnerabilities in exposed systems or used phishing emails to gain a foothold. Once inside the network, the attackers conducted manual reconnaissance to map out systems, escalate privileges, and identify high-value targets before deploying the ransomware.
Encryption Process and Ransom Demand:
After gaining control of key systems, PwndLocker encrypted files using AES-256 encryption, securing the encryption keys with RSA-2048 public-key encryption. Encrypted files had the extension .pwnd appended to them. Victims were presented with a ransom note, typically labeled HACKED.TXT, instructing them to contact the attackers via a Tor-based website or encrypted email. The ransom notes often included threats to leak sensitive data or destroy decryption keys if the ransom was not paid promptly.
2. History and Notable Campaigns
Origin and Discovery:
PwndLocker was first identified in December 2019. It was one of the many ransomware strains at the time that focused on targeted attacks against large, high-value organizations, including municipal governments, schools, and corporations.
Notable Campaigns:
- Several U.S. cities and counties were hit by PwndLocker in early 2020, including a notable attack against the City of Lasalle, Illinois, which disrupted local government services.
- Victims often experienced extended downtime, with encrypted systems including file servers, databases, and virtualized environments.
In March 2020, the operators behind PwndLocker rebranded their operations under the name ProLock, using similar tactics and attack methodologies.
3. Targets and Impact
Targeted Victims and Sectors:
PwndLocker primarily targeted:
- Municipal governments and local authorities
- Healthcare institutions
- Educational organizations
- Large enterprises in the private sector
Victims were chosen based on their network vulnerabilities, perceived ability to pay, and critical reliance on IT infrastructure.
Consequences:
- Victims faced loss of access to essential data, leading to operational shutdowns and public service disruptions.
- Some organizations were forced to pay ransoms due to the high cost and time needed for recovery through traditional means.
- There was also a reputational impact, as some attacks became publicized in media reports.
4. Technical Details
Payload Capabilities:
- File Encryption: Targets a wide range of file types, including databases, documents, and backups.
- Encryption Algorithms: Utilizes AES-256 for encrypting files and RSA-2048 for securing encryption keys.
- Selective Targeting: Excludes certain directories (e.g., Windows system folders) to avoid rendering the operating system unusable and to increase the likelihood of ransom payment.
- Persistence and Evasion: Removes system backups and disables shadow copies to prevent easy restoration of data.
Evasion Techniques:
- Performs manual reconnaissance to identify valuable data stores before deployment.
- Deletes Volume Shadow Copies and disables recovery options to hinder backup restoration efforts.
- Avoids encrypting files critical to system boot to keep the victim’s systems operational enough to read ransom instructions.
5. Preventing PwndLocker Ransomware Infections
Best Practices:
- Secure RDP services with strong, unique passwords and multi-factor authentication (MFA).
- Limit RDP access through VPNs or firewall rules to restrict remote access to trusted IP addresses.
- Regularly patch and update systems, especially those exposed to the internet.
- Conduct employee training on recognizing and avoiding phishing emails.
- Maintain regular, offline backups of critical data and ensure backups are encrypted and tested for integrity.
Recommended Security Tools:
- EDR (Endpoint Detection and Response) solutions that can detect lateral movement and credential theft.
- Next-gen firewalls to restrict remote access and monitor unusual login attempts.
- SIEM (Security Information and Event Management) platforms for monitoring potential threats and policy violations.
6. Detecting and Removing PwndLocker
Indicators of Compromise (IoCs):
- Presence of encrypted files with the .pwnd extension.
- Ransom note files named HACKED.TXT.
- Unusual network activity, including remote access from unfamiliar IP addresses.
- Deletion of shadow copies and backups.
- Sudden spikes in CPU usage or disk I/O consistent with encryption activities.
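The IoCs listed above and the anti-recovery behaviour from section 4 (shadow copy and backup deletion) can be turned into simple detection logic. The following is an added example, not code from the original page: it runs over constructed sample telemetry (the Source|key=value line layout, field names, and the VPN allowlist 10.20.0.0/16 are assumptions made here) and flags RemoteInteractive RDP logons from outside the allowlist, process launches that wipe shadow copies or the backup catalog, and files matching the .pwnd extension or the HACKED.TXT note name.

```python
import ipaddress
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs); the Source|key=value layout and field names are assumptions.
SAMPLE_LOGS = [
    "Security|EventID=4624|LogonType=10|IpAddress=203.0.113.77|Account=svc_backup",
    "Security|EventID=4624|LogonType=10|IpAddress=10.20.4.15|Account=helpdesk",
    "Sysmon|EventID=1|Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin delete shadows /all /quiet",
    "Sysmon|EventID=1|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe report.txt",
]

# Hypothetical allowlist: RDP is only expected from the VPN address pool.
TRUSTED_RDP_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]
# Command lines that destroy shadow copies or the backup catalog (IoC: "deletion of shadow copies and backups").
BACKUP_WIPE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog", re.I)

def parse_line(line):
    """Split 'Source|k=v|k=v' into a dict, keeping the source under 'Source'."""
    source, *fields = line.split("|")
    record = {"Source": source}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record

def is_trusted_source(addr, trusted=TRUSTED_RDP_SOURCES):
    """True only for a parseable address inside the allowlist; '-' or garbage is treated as untrusted."""
    try:
        return any(ipaddress.ip_address(addr) in net for net in trusted)
    except ValueError:
        return False

def suspicious_rdp_logons(lines):
    """RemoteInteractive logons (Security 4624, LogonType 10) from outside the allowlist."""
    return [(r.get("Account", "?"), r.get("IpAddress", "-")) for r in map(parse_line, lines)
            if r.get("EventID") == "4624" and r.get("LogonType") == "10"
            and not is_trusted_source(r.get("IpAddress", "-"))]

def backup_wipe_commands(lines):
    """Sysmon process-creation events (EventID 1) whose command line wipes shadow copies or backups."""
    return [r["CommandLine"] for r in map(parse_line, lines)
            if r.get("EventID") == "1" and BACKUP_WIPE.search(r.get("CommandLine", ""))]

def classify_paths(paths):
    """Sort a file inventory into PwndLocker artifacts: .pwnd files and HACKED.TXT notes."""
    encrypted = [p for p in paths if PureWindowsPath(p).suffix.lower() == ".pwnd"]
    notes = [p for p in paths if PureWindowsPath(p).name.upper() == "HACKED.TXT"]
    return encrypted, notes
```

In practice the same three checks would be fed from exported Security/Sysmon events and a file-system inventory rather than the constructed lists here.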
Removal Steps:
- Immediately disconnect affected systems from the network to prevent further encryption or data exfiltration.
- Conduct a forensic investigation to determine the entry point and scope of the infection.
- Use antivirus/EDR tools to detect and remove any malware components.
- Restore encrypted files from clean, offline backups, ensuring that the infection has been eradicated first.
- Reset all user and administrative credentials and implement MFA across all accounts.
Professional Help:
Consider engaging cybersecurity incident response teams for recovery assistance, legal compliance, and data breach notifications.
7. Response to a PwndLocker Attack
Immediate Steps:
- Notify internal IT security teams, law enforcement, and relevant authorities.
- Begin containment and eradication procedures immediately.
- Evaluate data exfiltration risks and prepare for potential data breach disclosures, depending on regulatory requirements.
8. Legal and Ethical Implications
Legal Considerations:
- Organizations may be subject to data breach notification laws (e.g., GDPR, HIPAA, CCPA) if sensitive information was exfiltrated.
- Paying a ransom could have legal ramifications, particularly if the transaction involves sanctioned entities.
Ethical Considerations:
- Paying ransoms can fund future criminal activities and encourage further attacks.
- Organizations have an ethical obligation to protect their customers' and stakeholders' data by investing in cybersecurity measures.
9. Resources and References
- CISA advisories on securing RDP and defending against ransomware
- No More Ransom Project for prevention resources and decryption tools (when available)
- Trend Micro Threat Encyclopedia: Ransom.Win32.PWNDLOCKER.A and Ransom.Win32.PWNDLOCKER.B
- Emsisoft: Decryption solution for PwndLocker ransomware
10. FAQs about PwndLocker Ransomware
Q: What is PwndLocker ransomware?
PwndLocker is a ransomware strain that encrypts files on enterprise networks and demands ransom payments for decryption.
Q: How does PwndLocker spread?
It spreads through brute-force RDP attacks, phishing emails, and exploitation of network vulnerabilities.
Q: Is there a public decryption tool for PwndLocker?
No. Victims must either restore from backups or negotiate with attackers, though the latter is discouraged by law enforcement.
11. Conclusion
PwndLocker ransomware demonstrated how targeted attacks on large organizations can be devastating, both operationally and financially. With its evolution into ProLock ransomware, the threat actors behind PwndLocker showed adaptability and persistence. Organizations must prioritize proactive security, user training, and strong backup strategies to defend against ransomware threats like PwndLocker.