PwndLocker Ransomware

The PwndLocker ransomware came to light in late 2019 and has made an enormous impact already with unprecedented ransom demands for some targets. PwndLocker has targeted networks of businesses and local governments in the country with ransom demands in excess of $650,000.

What is PwndLocker?

Like most ransomware, PwndLocker encrypts files on the computer using RSA-2048 encryption. It also creates a ransom note titled “H0w_T0_rec0very_Files.txt”, which is placed in any folder with encrypted files. The encrypted files have their file extension changed to either .key or .pwnd. Different versions of the ransomware use different extensions. It doesn’t encrypt every file on a device. It leaves behind files in specific folders or with particular file extensions.

Files encrypted by PwndLocker

PwndLocker can disable certain Windows services to encrypt files. It can disable Backup Exec, Microsoft SQL Server, and more. It also tries to delete Shadow Volume copies and prevent antivirus programs from working correctly. It also targets Microsoft Office and Firefox processes.

After all of this setup, it encrypts the files as programmed and creates the ransom note. The ransom note directs people as to how they can pay off the ransom to receive the decryption tool they need to restore their files.

The ransom demand can depend on the size of the network or company targeted by the attack. Victims are to get in touch with the cybercriminals at the set email address to restore their files. Victims are told that if they don’t pay off the ransom within two days, then the ransom amount will increase. The price will be doubled after two weeks, and the decryption key is deleted after a month, meaning that files are lost forever.

Hackers warn victims they have access to their sensitive information and files. They say that the information will be spread across social media if victims don’t pay the ransom. Victims must access a website using the Tor browser to find out how much they have to pay.

Ransomware note for PwndLocker:

Your network have been penetrated and encrypted with a strong algorythm
Backups were either removed or encrypted
No one can help you to recover the network except us
Do not share this link or email. Otherwise, we will have to delete the decryption keys.

To get your files back you have to pay the decryption fee in BTC.
The price depends on the network size, number of employees, and annual revenue.

Download TOR-Browser: https://www.torproject.org/download
Login ax3spapdymip4jpy.onion using your ID XXXX
Or
Contact our support by email xxx@xxx.com
You’ll receive instructions inside.
You should get in touch with us within 2 days after you noticed the encryption to have a good discount.

The decryption key will be stored for 1 month.
The price will be increased by 100% in two weeks.
We also have gathered your sensitive data.
We would share it in case you refuse to pay.

Do not rename or move encrypted files.
Decryption using third-party software is impossible.
Attempts to self-decrypting files will result in loss of your data.

Security experts always recommend that victims never pay off the attacker. There’s no guarantee that files will be restored. There’s also no indication that the ransomware has been removed. They are programmed to persist on computers and a new infection is entirely possible.

How Does PwndLocker Ransomware Get on Computers?

There is no specific method of infection for PwndLocker. It spreads through malicious file downloads, spam email campaigns, illegal downloads, fake software updates, and cracking tools. Trojans help spread other viruses and ransomware as well.

Threat actors send out a large number of spam emails in what is known as a “spray and pray” campaign. The hope is that even a handful of people will open the email and download the attachment that places the virus on the computer. Ransomware spreads through peer-to-peer file sharing, file hosting websites, freeware downloads, unofficial websites, and third-party downloaders. These downloads look harmless and legitimate. When executed, however, they install malware on the computer.

Avoid ransomware infections by following best practices when online; don’t download anything attached to a suspicious or unsolicited email or files from other dubious sources. Don’t forget to keep software updated and have regular backups of your data.

Update March 30^th, 2020 – PwndLocker Rebrands as ProLock Ransomware

Shortly after the start of the March campaign that was targeting enterprise networks with the PwndLocker ransomware and demanding ransom payments ranging from $175 thousand to more than $650 thousand, security researchers were able to find a weakness in the ransomware's code. Fabian Wosar and Michael Gillespie were able to create a decryptor that exploited the weakness and allowed victims of the PwndLocker ransomware to recover their files without paying a ransom.

Following their initial failure, the threat actors removed the flaw in their code that allowed for the creation of the free decryptor. They rebranded the ransomware to ProLock, targeting corporate networks once again.

Security researchers noticed that the ProLock ransomware is distributed through a BMP image file named WinMgr.bmp, which is being stored in C:\ProgramData. The file can be opened in an image viewer, displaying a black screen with a few white dots appearing in the upper right corner. Upon further examination, it was revealed that the ransomware executable is embedded in the image.

The ProLock ransomware has currently been spotted attacking just a few servers. It's yet unknown as to how the hackers got access, but it is suspected that they did so through exposed Remote Desktop services. Considering the fact that the threat actors have full access to the network, it's rather strange that they opted to hide the ransomware executable in a BMP image file. Still, experts say that it was likely done to avoid detection as the ransomware was deployed throughout the network using tools like PSExec and PowerShell Empire.

Apart from the bug fix and the currently unknown distribution method, the ProLock ransomware attack employs the same methods that we have previously seen in PwndLocker infections.

Once launched, the ProLock ransomware will clear all shadow volume copies from the system so that they cannot be used to restore the files once they are encrypted. After that, the ProLock ransomware will begin encrypting files with RSA-2048 encryption and appending them with the .proLock extension. An example of an encrypted picture named vacationphoto.jpg would be vacationphoto.jps.proLock.

As with PwndLocker, the ProLock ransomware doesn't encrypt all the files on the computer. The ProLock ransomware skips the encryption of files in common application folders and operating system, as well as the following extensions: .exe, .lnk, .dll, .msi, .ini, .ico, .sys, .chm, .lng, .hlf, .ttf, .inf, .bat, .cmd, .bac, .bak, .vhd, .bkf, .wbc, .dsk, .win, and .set.

Once all other valuable files are encrypted, the ProLock ransomware will create a ransom note in each folder that it has scanned, named [HOW TO RECOVER FILES].TXT. The ransom note contains the following text:

Your files have been encrypted by ProLock Ransomware using RSA-2048 algorithm.

[.:Nothing personal just business:.]

No one can help you to restore files without our special decryption tool.

To get your files back you have to pay the decryption fee in BTC.
The final price depends on how fast you write to us.

1. Download TOR browser: https://www.torproject.org/
2. Install the TOR Browser.
3. Open the TOR Browser.
4. Open our website in the TOR browser: msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion
5. Login using your ID [random characters]

***If you have any problems connecting or using TOR network:
contact our support by email check1kyourf1les@protonmail.com

[You'll receive instructions and price inside]

The decryption keys will be stored for 1 month.

We also have gathered your sensitive data.
We would share it in case you refuse to pay.

Decryption using third party software is impossible.
Attempts to self-decrypting files will result in the loss of your data.

Each ProLock ransomware executable is hardcoded with a set ransom amount that is assigned to each victim. One of the samples that were tested demanded a ransom payment of 80 Bitcoin, which is worth a little over $500 thousand at the writing of this.

It is advised that you do regular backups of your system that you store on separate devices, especially when you consider the fact that the threat actors have patched their encryption flaw, making free decryption impossible at the moment.