Research shows that the cyber criminals behind PwndLocker ransomware target business networks and local governments. PwndLocker encrypts files with the RSA-2048 encryption algorithm and creates a ransom message in a text file named "H0w_T0_Rec0very_Files.txt", which can be found in folders that contain encrypted data.

Like most programs of this type, PwndLocker renames encrypted files by appending an extension. At the time of research, it appended the ". Therefore, PwndLocker appends varying extensions in different cases. For example, in one case it renames a file such as "1.jpg" to "1.jpg.key", and in another, it renames the file to "1.jpg.pwnd", and so on. Note that this ransomware does not encrypt all files: it leaves files with certain extensions unaffected. It also skips files that are located in certain folders.

Research shows that, as part of the encryption process, this ransomware attempts to disable various Windows services, for example Acronis, Backup Exec, Exchange, Internet Information Server, MySQL, Microsoft SQL Server, Oracle, Veeam and Zoolz. It also attempts to delete Volume Shadow Copies and terminate the processes and services of AV solutions (e.g., Kaspersky, McAfee, Malwarebytes, Sophos). Research shows that PwndLocker targets Microsoft Excel, Word and Mozilla Firefox processes as well. It then encrypts files and creates ransom messages.

The message within the "H0w_T0_Rec0very_Files.txt" text file and the Tor website (which can be accessed through this file) states that only the cyber criminals behind PwndLocker can provide decryption tools/keys. It is stated that the cost depends on the network size, number of employees and annual revenue. Instructions about how to purchase the tools/keys are provided on the Tor website or can be received by contacting the cyber criminals via the email address. Decryption keys are stored for one month, and their cost is doubled after two weeks of encryption. It is mentioned that victims who contact PwndLocker's developers within two days can purchase the decryption tool/key for a reduced sum. Victims are also informed that some of their sensitive information will be shared on social networks and public media unless they pay the ransom within a few days. Victims can find the cost of the decryption key on the Tor payment website. In our example, the cost of decryption is 60 Bitcoins.
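A triage sketch for the two file-system indicators described above (the ransom note name, and an extra extension appended on top of the original one), added here as an example and not taken from the original article. The function names and sample paths are constructed, and the extension set holds only the two examples the article gives.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators taken from the article; the article notes that extensions vary.
RANSOM_NOTE = "h0w_t0_rec0very_files.txt"   # compared case-insensitively
APPENDED_EXTS = {".key", ".pwnd"}

def is_renamed(path: PureWindowsPath) -> bool:
    """True for names like 1.jpg.key: a listed extension appended on top of
    an existing one. A bare server.key has a single suffix and does not match."""
    suffixes = [s.lower() for s in path.suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in APPENDED_EXTS

def triage(paths):
    """Return {folder: [renamed files]} for folders that hold BOTH the ransom
    note and at least one renamed file. Requiring both keeps legitimate
    multi-dot key files (e.g. site.example.key) from raising an alert."""
    notes, renamed = set(), defaultdict(list)
    for raw in paths:
        p = PureWindowsPath(raw)
        folder = str(p.parent).lower()
        if p.name.lower() == RANSOM_NOTE:
            notes.add(folder)
        elif is_renamed(p):
            renamed[folder].append(p.name)
    return {f: sorted(names) for f, names in renamed.items() if f in notes}

# Constructed sample listing (hypothetical paths, not from the article).
SAMPLE = [
    r"D:\Shares\Finance\1.jpg.key",
    r"D:\Shares\Finance\budget.xlsx.pwnd",
    r"D:\Shares\Finance\H0w_T0_Rec0very_Files.txt",
    r"D:\Shares\Finance\notes.txt",
    r"C:\nginx\conf\server.key",
    r"C:\nginx\conf\site.example.key",
]

if __name__ == "__main__":
    for folder, files in triage(SAMPLE).items():
        print(folder, files)
```

Feed it a recursive file listing exported from the affected host or share; folders it returns are candidates for isolation and restore from backup.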