Ransomware PwndLocker: Recover data without paying a ransom

29 March 2020

PwndLocker is a new variant of an extortion Trojan that has been in circulation since 2019. The ransomware targets companies and public administrations such as municipalities and cities. The ransom demands are in the range of several hundred thousand euros or dollars and, as is usual in these attacks, are to be paid in Bitcoin. The demand is reinforced with the threat of publishing the stolen data; in individual cases this threat has already been carried out.

Advanced malware with focus on Windows

The programmers of PwndLocker have developed sophisticated routines to do maximum damage. Affected systems are checked for applications and features that could contain important business data. At the same time, the malware attempts to disable security programs and to make previous versions and backup copies unusable. PwndLocker thus represents a very advanced version of known ransomware variants and, because of its targeted use, is very dangerous for potential victims.

After detailed analysis: weakness discovered

In the city council of Novi Sad (Serbia), PwndLocker encrypted about 50 terabytes of data. After evaluating several systems, security specialist Fabian Wosar from Emsisoft discovered a bug in the executable file that is built individually for each victim. Either the keys used were poorly protected, or the routine that should have destroyed them irretrievably on the victim's system was omitted. Thanks to this error, the encrypted data can now be recovered without paying the ransom.[1]

Proper behavior in ransomware attacks is important

PwndLocker's malware code is individually adapted for each victim or contains victim-specific information, and exactly this information is needed to decrypt the data. However, some victims have tried to remove all data related to the attack from the system immediately after infection, which destroys precisely the information needed for recovery.

The recommended procedure in case of an infection therefore starts as usual:

  • Disconnect the system from the network (Internet, local LAN, WiFi, etc.) as soon as possible.
  • Before any cleanup, create a complete external backup/image of the affected system as quickly as possible, so that as much usable data from the attack as possible is preserved.

With such a copy, and with a bit of luck, it may later be possible to recover the data without payment: even in malware, errors and weaknesses are often discovered afterwards.
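As an added illustration of the second step (this is not code from the original article), the following POSIX shell script copies a source device or file to an external destination and verifies the copy by SHA-256, writing a small manifest beside the image. It assumes GNU `dd` and `sha256sum` (or `shasum`) are available; the source and destination paths are placeholders that you supply.

```shell
#!/bin/sh
# Added example: preserve a full, hash-verified image of an affected system
# before any cleanup, so victim-specific artifacts that a later decryptor
# may need are not lost. Assumptions (not from the article): GNU dd,
# sha256sum or shasum, and a destination on external media, never on the
# affected disk itself.

hash_file() {
    # Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

image_and_verify() {
    # $1 = source (block device such as /dev/sda, or a file for testing)
    # $2 = destination image path on external storage
    # Returns 0 when the image hash matches the source hash, 1 otherwise.
    src="$1"; dst="$2"
    # Plain byte-for-byte copy. Partial final blocks are written as-is, so the
    # image stays byte-identical to the source; a read error aborts the copy
    # (dd exits non-zero), which is preferable to a silently damaged image.
    dd if="$src" of="$dst" bs=4M status=none || return 1
    sync
    src_hash=$(hash_file "$src")
    dst_hash=$(hash_file "$dst")
    # Manifest kept next to the image: UTC timestamp, source, both hashes.
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$src" "$src_hash" "$dst_hash" >> "$dst.manifest"
    [ "$src_hash" = "$dst_hash" ]
}

# Usage: sh image.sh /dev/sdX /mnt/external/host.img
if [ "$#" -eq 2 ]; then
    image_and_verify "$1" "$2"
fi
```

Mount the external media read-write and the affected disk read-only if possible, and keep the manifest with the image so the copy can be re-verified before it is handed to an analyst.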


  [1] https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/
