Ransomware PwndLocker: Recover data without paying a ransom

29. March, 2020

PwndLocker is a new variant of an extortion Trojan that has been in circulation since 2019. The ransomware is specialized for companies and administrative authorities like municipalities and cities. The ransom demands are in the range of several hundred thousand euros or dollars and are to be paid in Bitcoin, as is usual in these attacks. With the threat of publishing data, the demand is being reinforced. In individual cases, this threat has already been fulfilled.

Advanced malware with focus on Windows

The programmers of PwndLocker have developed sophisticated routines to do maximum damage. Affected systems are checked for applications and features that could contain important business data. At the same time, attempts are made to disable security programs and make versions and backup copies unusable. PwndLocker thus represents a very advanced version of known ransomware variants and is very dangerous for potential victims due to its targeted use!

After detailed analysis: weakness discovered

In the city council of Novi Sad (Serbia), PwndLocker encrypted about 50 terabytes of data. After evaluating several systems, security specialist Fabian Wosar from Emisoft discovered a bug in the executable file used individually for each victim. Either the keys used were poorly protected or it was forgotten in the routine to destroy them irretrievably for the victim. Thanks to this error, the encrypted data can now be recovered without paying the ransom.[1]

Proper behavior in ransomware attacks is important

The PwndLocker´s malware code is individually adapted for each victim or contains individual information – exactly this information is needed to decrypt the data. However, some victims have tried to remove all data related to the attack from the system immediately after infection, which destroys exactly the important information needed for recovery.

The recommended procedure in case of an infection therefore starts as usual:

  • Disconnect the system from network, Internet, local LAN, WiFi, etc. as soon as possible.
  • First, create a complete external backup/image of the affected system as quickly as possible to obtain many usable data from the attack.

With such a copy, with a bit of luck it will be possible later to recover data without payment. Because even in malware, errors and weaknesses are often discovered afterwards.

  [1] https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/

Schritt für Schritt zum Notfallplan für IT-Security-Incidents
Account Management
Indicators of Attack
Gefahren durch vertrauenswürdige Services
Threat Intelligence
SQL Injection
SMTP Smuggling
Cyber-Risiken in der Ferienzeit
Dynamische Cybersicherheit
Harmony Mobile by Check Point
EU Machinery Regulation
Sergejs Harlamovs, Malware-Analyst bei IKARUS

Plugin IdaClu accelerates malware analysis

IdaClu: IKARUS malware analyst Sergejs Harlamovs wins Hex-Rays plugin contest


IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 1 58995-0
Sales Hotline:
+43 1 58995-500


Support hotline:
+43 1 58995-400

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm
24/7 support by arrangement

Remote maintenance software:
AnyDesk Download