With ransomware proving increasingly profitable, more and more criminals are moving into the niche. Recently, another strain has surfaced that is active in the wild. Dubbed PwndLocker, it targets businesses and cities and demands high ransoms.
About PwndLocker Ransomware
Researchers from MalwareHunterTeam have analyzed new ransomware that demands big ransoms. Identified as PwndLocker, the ransomware targets Windows systems and stops various services to encrypt data.
Among the services it targets are Microsoft SQL Server, MySQL, Veeam, Exchange, Zoolz, Acronis, Oracle, Backup Exec, and Internet Information Server (IIS). It also goes after security programs such as Kaspersky, Malwarebytes, Sophos, and McAfee.
After infecting a target system, it begins encrypting data files, renaming them with a .key or .pwnd extension. The encryption is selective, however: the malware skips certain system and executable files, as well as files in certain folders.
The ransomware deletes shadow volume copies to prevent potential recovery of data. Vitali Kremez quickly shared his analysis in a tweet.
2020-02-21: #PwndLocker FASM #Ransomware | Lightweight
1⃣Whitelist↪️
'Kaspersky Lab Setup Files' & 'WinDefender' Folder
2⃣Delete Shadows | 3⃣Process & Service AV Killer
Another Seems to Be Targeted Ransomware for High-Value Targets
h/t @malwrhunterteam pic.twitter.com/2uJm09WF2a
— Vitali Kremez (@VK_Intel) February 21, 2020
Once encryption is complete, the ransomware drops a ransom note file named “H0w_T0_Rec0very_Files.txt” throughout the system and on the desktop. This note includes instructions for obtaining the decryption key.
What’s peculiar about PwndLocker is that its ransom demand varies with what the target can afford. As stated in the ransom note,
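The file-level indicators described above (the .key/.pwnd renames and the ransom note name) can be turned into a simple triage check. The following is an added example, not code from the researchers or the original article; the event format, host names, thresholds and sample records are assumptions constructed for illustration. Because .key is also a legitimate extension, it is only counted when it appears in a burst.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

NOTE_NAME = "h0w_t0_rec0very_files.txt"  # ransom note name from the article
RENAMED_EXTS = {".key", ".pwnd"}         # extensions from the article
BURST_THRESHOLD = 20                      # assumption: tune per environment
WINDOW_SECONDS = 60                       # assumption: sliding window length

def max_in_window(sorted_ts, window):
    """Largest number of timestamps falling inside any `window`-second span."""
    best = lo = 0
    for hi, t in enumerate(sorted_ts):
        while t - sorted_ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def triage(events):
    """events: (epoch_seconds, host, windows_path) file create/rename records.
    Returns {host: {"note_dirs": set, "max_burst": int, "verdict": str}}."""
    notes, stamps = defaultdict(set), defaultdict(list)
    for ts, host, path in events:
        p = PureWindowsPath(path)
        if p.name.lower() == NOTE_NAME:
            notes[host].add(str(p.parent).lower())
        elif p.suffix.lower() in RENAMED_EXTS:
            stamps[host].append(ts)
    report = {}
    for host in set(notes) | set(stamps):
        burst = max_in_window(sorted(stamps[host]), WINDOW_SECONDS)
        has_note, has_burst = bool(notes[host]), burst >= BURST_THRESHOLD
        if has_note and has_burst:
            verdict = "likely"        # note plus mass rename: isolate the host
        elif has_note:
            verdict = "investigate"   # note alone is already a strong signal
        elif has_burst:
            verdict = "suspicious"    # mass rename, no note seen (yet)
        else:
            verdict = "benign"        # e.g. a few ordinary .key files
        report[host] = {"note_dirs": notes[host], "max_burst": burst,
                        "verdict": verdict}
    return report

def sample_events():
    """Constructed sample records; hosts and paths are hypothetical."""
    ev = [(1000 + i, "WS01", f"C:\\Data\\file{i}.xlsx.pwnd") for i in range(25)]
    ev.append((1030, "WS01", "C:\\Users\\alice\\Desktop\\H0w_T0_Rec0very_Files.txt"))
    ev += [(t, "FS02", f"D:\\Slides\\deck{t}.key") for t in (0, 5000, 90000)]
    ev.append((2000, "WS03", "C:\\Shares\\H0w_T0_Rec0very_Files.txt"))
    return ev

if __name__ == "__main__":
    for host, info in sorted(triage(sample_events()).items()):
        print(host, info["verdict"], info["max_burst"])
```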
The price depends on the network size, number of employees and annual revenue.
So, there's a ransomware which we just call PwndLocker.
Not coded by skids…
Getting victims all over Earth…
Going for months, with like ~nothing about it public…
"The price depends on the network size, number of employees and annual revenue."
@demonslay335
cc @VK_Intel pic.twitter.com/u4arK4Hn7J
— MalwareHunterTeam (@malwrhunterteam) February 20, 2020
Active Attacks Reported Recently
PwndLocker attracted researchers' attention after it became active in the wild. While the ransomware has been around since 2019, it recently came into the limelight after repeated attacks on US cities. A few days earlier, it targeted Lasalle County in Illinois and demanded 50 BTC in ransom. According to reports, however, officials are refusing to pay the ransom.
Likewise, it has also recently targeted the City of Novi Sad in Serbia.
The ransomware's encryption currently remains uncracked, so businesses and cities must apply proactive security measures to prevent an attack.