A Fistful of Bitcoins: PwndLocker Ransomware Threatens Cities and Enterprises

Delaware, USA – March 3, 2020 – Another group of cybercriminals is hunting for big payouts by attacking the systems of local governments and companies and encrypting them with PwndLocker ransomware. As reported by BleepingComputer, the new ransomware strain appeared at the end of last year, and since then the group has conducted a number of successful attacks, demanding ransom payments of $175,000 to $660,000 in bitcoins, depending on the success of the attack and the size of the organization. It is currently unknown whether the cybercriminals have received at least one payment.

LaSalle County in Illinois is one of the latest victims of PwndLocker ransomware. “The ransomware attack has caused technology delays, such as county e-mail not functioning. LaSalle County has been working with the FBI, the Department of Homeland Security, and the Illinois Department of Innovation and Technology. Officials say in the statement that the county is not planning to pay a ransom as ransomware attackers generally don’t provide all of the data back,” WSPY reported. The attackers demanded 50 bitcoins for the decryptor and threatened to publish stolen data, as other high-stakes players do. It is worth noting, however, that so far the cybercriminals have not provided evidence that they managed to steal the data. The attacks are not limited to targets in the United States: yesterday the group encrypted systems in the City of Novi Sad in Serbia.

There is currently no information on how the attackers infiltrate organizations' networks and spread PwndLocker across them. The ransomware uses the ‘net stop’ command to disable a variety of Windows services, terminates processes related to security software, backup applications, and database servers, and clears the Shadow Volume Copies. You can secure your organization by deploying the Ransomware Hunter rule pack, which leverages statistical profiling and behavioral analysis methods to spot signs of a ransomware attack at every stage of the Cyber Kill Chain: https://my.socprime.com/en/integrations/ransomware-hunter
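The pre-encryption behavior described above can be hunted for in process-creation telemetry. The following is an added example, not SOC Prime's rule pack and not taken from the article: it flags a host when a burst of `net stop` commands and a shadow-copy deletion fall inside one short window. The event tuples, service names, thresholds, and the `taskkill`/`vssadmin`/`wmic` patterns are assumptions; the article names only `net stop`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (host, timestamp, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("FS01", "2020-03-02T02:14:05", "net stop ExampleDbSvc /y"),
    ("FS01", "2020-03-02T02:14:06", "net stop ExampleBackupSvc /y"),
    ("FS01", "2020-03-02T02:14:07", "net stop ExampleAVSvc /y"),
    ("FS01", "2020-03-02T02:14:09", "taskkill /f /im exampledb.exe"),
    ("FS01", "2020-03-02T02:14:30", "vssadmin.exe delete shadows /all /quiet"),
    ("ADMIN07", "2020-03-02T09:30:00", "net stop Spooler"),      # routine restart
    ("ADMIN07", "2020-03-02T09:31:10", "net start Spooler"),
    ("BK02", "2020-03-02T11:00:00", "net stop ExampleBackupSvc"),
    ("BK02", "2020-03-02T11:00:20", "vssadmin list shadows"),    # read-only query
]

# "net stop" comes from the article; taskkill and the shadow-copy commands are
# assumed generic stand-ins, because the article does not name the tools used.
PATTERNS = {
    "service_stop": re.compile(r"\bnet1?(\.exe)?\s+stop\b", re.I),
    "process_kill": re.compile(r"\btaskkill(\.exe)?\b.*\s/f\b", re.I),
    "shadow_delete": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b|\bshadowcopy\s+delete\b", re.I),
}

def classify(cmdline):
    """Return the behavior label for a command line, or None if it is not of interest."""
    return next((k for k, rx in PATTERNS.items() if rx.search(cmdline)), None)

def detect(events, window=timedelta(minutes=5), min_service_stops=3):
    """Flag hosts with >= min_service_stops service stops plus a shadow-copy deletion in one window."""
    per_host = defaultdict(list)
    for host, ts, cmd in events:
        kind = classify(cmd)
        if kind:
            per_host[host].append((datetime.fromisoformat(ts), kind))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_win = [k for t, k in hits[i:] if t - start <= window]
            stops = in_win.count("service_stop")
            if stops >= min_service_stops and "shadow_delete" in in_win:
                alerts[host] = {"service_stops": stops,
                                "process_kills": in_win.count("process_kill"),
                                "window_start": start.isoformat()}
                break
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Requiring the combination within a window keeps a single administrative `net stop` or a read-only `vssadmin list shadows` from alerting; tune the window and threshold against your own baseline.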