PwndLocker Ransomware Targeting Municipalities, Enterprise Networks

Posted on March 3, 2020
PLEASE_READ_ME Ransomware Campaign Targeting MySQL Servers
Security researchers discovered a new ransomware family called "PwndLocker" targeting municipalities and enterprise networks. Bleeping Computer learned that PwndLocker has been active since late 2019 and has targeted a variety of U.S. cities and organizations in that span of time. According to one source of the computer self-help site, the new ransomware family was responsible for an attack against Lasalle County in Illinois. Bleeping Computer subsequently contacted the ransomware operators, who said they had demanded 50 bitcoin (approximately $442,000) in exchange for their decryptor. They also said that they had stolen the County's data before encrypting it. Local media reports indicated that Lasalle County had no intention of paying the ransom. The ransom demand in Lasalle County's case wasn't uniquely high for PwndLocker. According to Bleeping Computer's sources, the ransomware had asked for between $175,000 and $660,000 depending on the size of the network affected in previous attacks. In a sample analyzed by Bleeping Computer, the ransomware leveraged the "net stop" command to disable several Windows services such as Microsoft SQL Server, MySQL and Exchange. But PwnedLocker didn't stop there. As the computer self-help site explained in its research:
The ransomware will also target various processes and terminate them if detected. Some of the processes targeted include Firefox, Word, Excel, Access, and other processes related to security software, backup applications, and database servers.
The ransomware also deleted the infected machine's Shadow Volume Copies before moving forward with its encryption routine. At the conclusion of this process, it appended either the ".key" or the ".pwnd" extensions to the files that it had encrypted. It then dropped a ransom note instructing victims to contact either an email address or visit a Tor website for payment instructions.
Screen-Shot-2020-03-03-at-06.55.17.png
PwndLocker's ransom note. (Source: Bleeping Computer) PwndLocker isn't the first ransomware to target organizations' networks. Researchers have also detected a network focus in the SNAKE and Ako families. Acknowledging this, organizations should take steps to protect themselves against a ransomware attack. One of the most important ways they can do this is by following these recommendations to prevent a ransomware infection in the first place.
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!