PwndLocker Ransomware is attacking the networks of companies and local governments in the United States (USA). Attackers demand a ransom that can range from 175,000 to 660,000 US dollars. In the ransom message, the attackers say they will keep the decryptor for a month and urge victims to contact them within two days to get a "discount". Also, after 2 weeks the price doubles. Another threat to victims is that they will release sensitive information they have gathered from the organization's network to the public.
PwndLocker get an update and rename itself to Prolock Ransomware
When PwndLocker ransomware is executed on the victim's computer, it tries to disable a variety of Windows services using the 'net stop' command. The ransomware will also verify some software processes and terminate them if detected. Some of the software selected are Firefox, Word, Excel, security software, backup applications, among others. PwdLkocker deletes the instant volume copies, this does so that these files cannot be recovered, for this it executes the following commands:
vssadmin.exe delete shadows /all /quiet
vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=401MB
vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=unbounded
The encrypted files have the extensions .key and .pwnd depending on the victim.
PwndLocker Ransomware Signatures
PwndLocker Ransomware Download