PwndLocker is a new variant of an extortion Trojan that has been in circulation since 2019. The ransomware is specialized for companies and administrative authorities like municipalities and cities. The ransom demands are in the range of several hundred thousand euros or dollars and are to be paid in Bitcoin, as is usual in these attacks. With the threat of publishing data, the demand is being reinforced. In individual cases, this threat has already been fulfilled.
Advanced malware with focus on Windows
The programmers of PwndLocker have developed sophisticated routines to do maximum damage. Affected systems are checked for applications and features that could contain important business data. At the same time, attempts are made to disable security programs and make versions and backup copies unusable. PwndLocker thus represents a very advanced version of known ransomware variants and is very dangerous for potential victims due to its targeted use!
After detailed analysis: weakness discovered
In the city council of Novi Sad (Serbia), PwndLocker encrypted about 50 terabytes of data. After evaluating several systems, security specialist Fabian Wosar from Emisoft discovered a bug in the executable file used individually for each victim. Either the keys used were poorly protected or it was forgotten in the routine to destroy them irretrievably for the victim. Thanks to this error, the encrypted data can now be recovered without paying the ransom.
Proper behavior in ransomware attacks is important
The PwndLocker´s malware code is individually adapted for each victim or contains individual information – exactly this information is needed to decrypt the data. However, some victims have tried to remove all data related to the attack from the system immediately after infection, which destroys exactly the important information needed for recovery.
The recommended procedure in case of an infection therefore starts as usual:
- Disconnect the system from network, Internet, local LAN, WiFi, etc. as soon as possible.
- First, create a complete external backup/image of the affected system as quickly as possible to obtain many usable data from the attack.
With such a copy, with a bit of luck it will be possible later to recover data without payment. Because even in malware, errors and weaknesses are often discovered afterwards.
We are looking forward to hearing from you!
IKARUS Security Software GmbH
Phone: +43 (0) 1 58995-0
+43 (0) 1 58995-500