{
	"id": "7cffe831-fabc-45b2-93ea-f1d53d9ffbb5",
	"created_at": "2026-04-06T00:10:59.864438Z",
	"updated_at": "2026-04-10T03:21:42.629505Z",
	"deleted_at": null,
	"sha1_hash": "770dfc5a55b0148318ca213970faa5fcfc3e6bf9",
	"title": "PwndLocker Fixes Crypto Bug, Rebrands as ProLock Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1729412,
	"plain_text": "PwndLocker Fixes Crypto Bug, Rebrands as ProLock Ransomware\r\nBy Lawrence Abrams\r\nPublished: 2020-03-20 · Archived: 2026-04-05 19:37:49 UTC\r\nPwndLocker has rebranded as the ProLock Ransomware after fixing a crypto bug that allowed a free decryptor to be created.\r\nAt the beginning of March, we reported on a new ransomware called PwndLocker that was targeting enterprise networks and demanding ransoms ranging from $175,000 to over $660,000 depending on the size of the network.\r\nSoon after, Michael Gillespie of ID Ransomware and Fabian Wosar of Emsisoft discovered a weakness in the ransomware that allowed them to create a free decryptor, so victims could get their files back without paying the ransom.\r\nhttps://www.bleepingcomputer.com/news/security/pwndlocker-fixes-crypto-bug-rebrands-as-prolock-ransomware/\r\nPage 1 of 7\r\nRebranded as ProLock Ransomware\r\nAfter their initial failure, the developers rebranded their infection as ProLock Ransomware and have started to target corporate networks once again.\r\nAccording to Sophos researcher PeterM, the new ProLock Ransomware is being distributed as a BMP image file named WinMgr.bmp, stored in C:\\ProgramData. 
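The check a responder would want for a file like WinMgr.bmp is a small one: a BMP header declares its own file size and the offset of its pixel data, so anything past the computed end of the pixel data is foreign to the image, and a scan of that trailer for a DOS/PE header tells you whether an executable sits there. The Python below is an added example and is not code from the article, from Sophos or from the ProLock operators; the sample image and the appended MZ/PE stub are constructed inline and are not the real WinMgr.bmp.

```python
import struct

BMP_FILE_HEADER = 14
BMP_INFO_HEADER = 40


def build_bmp(width, height, trailer=b''):
    # Constructed 24-bit BMP with white pixels; an optional trailer is
    # appended after the pixel data to imitate a file carrying a payload.
    row = (width * 3 + 3) & ~3                 # rows are padded to 4 bytes
    pixels = bytes([0xFF]) * (row * height)
    offbits = BMP_FILE_HEADER + BMP_INFO_HEADER
    file_header = struct.pack('<2sIHHI', b'BM', offbits + len(pixels), 0, 0, offbits)
    info_header = struct.pack('<IiiHHIIiiII', BMP_INFO_HEADER, width, height,
                              1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels + trailer


def fake_pe_stub():
    # Constructed stand-in for an embedded executable: a 64-byte DOS header
    # whose e_lfanew field points at a PE signature directly behind it.
    dos = bytearray(64)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 64)
    return bytes(dos) + b'PE' + bytes(2) + bytes(20)


def find_pe(data, start):
    # Walk every MZ occurrence from start and accept it only if e_lfanew
    # lands on a PE signature, which rules out most random MZ byte pairs.
    pos = data.find(b'MZ', start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from('<I', data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if pe + 4 <= len(data) and data[pe:pe + 4] == b'PE' + bytes(2):
                return pos
        pos = data.find(b'MZ', pos + 1)
    return -1


def inspect_bmp(data):
    # Compare what the headers declare with what is actually on disk.
    if len(data) < BMP_FILE_HEADER + BMP_INFO_HEADER or data[:2] != b'BM':
        return {'is_bmp': False}
    declared_size, _, _, offbits = struct.unpack_from('<IHHI', data, 2)
    (_, width, height, _, bpp,
     compression, size_image) = struct.unpack_from('<IiiHHII', data, BMP_FILE_HEADER)
    if compression == 0:
        row = ((width * bpp + 31) // 32) * 4   # padded row length in bytes
        pixel_bytes = row * abs(height)
    else:
        pixel_bytes = size_image              # compressed data: trust biSizeImage
    expected_end = offbits + pixel_bytes
    trailing = max(len(data) - expected_end, 0)
    return {
        'is_bmp': True,
        'declared_size': declared_size,
        'actual_size': len(data),
        'size_mismatch': declared_size != len(data),
        'trailing_bytes': trailing,
        'pe_offset': find_pe(data, expected_end) if trailing else -1,
    }


def is_suspicious(report):
    # Trailing bytes or a header/file size disagreement is enough to flag;
    # a located PE header is the stronger, but not required, signal.
    return report.get('is_bmp', False) and (
        report['trailing_bytes'] > 0 or report['size_mismatch'])


if __name__ == '__main__':
    for label, blob in (('clean', build_bmp(2, 2)),
                        ('stuffed', build_bmp(2, 2, fake_pe_stub()))):
        report = inspect_bmp(blob)
        print(label, is_suspicious(report), report)
```

A real payload may be encoded or split up, which is what the PowerShell reassembly step mentioned below suggests, so the PE scan is best effort. The disagreement between the header and the file on disk is the indicator worth alerting on, and it complements the hash IOC listed at the end of the article, which only matches this one sample.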
Embedded in this image is the ransomware executable.\r\nThis BMP file renders properly in an image viewer, as shown below, with only a few dots appearing in the upper right corner.\r\n[Image: WinMgr.bmp]\r\nIf you view it through a hex editor, though, you can see that it includes binary data embedded in it as well.\r\n[Image: Hex edit of WinMgr.bmp]\r\nThis binary data is then reassembled by a PowerShell script that injects it directly into memory.\r\n[Image: PowerShell script]\r\nPeter stated that this attack has been seen against a few servers, but it is not yet known how the attackers got access. It is suspected that they gained access through exposed Remote Desktop services.\r\n\"They targeted a handful of servers. Not sure how they got in (yet) but I can see quite a few keygens and cracking tools on the network, probably just end up being an exposed RDP though :-),\" Peter stated in a Tweet.\r\nAs the attackers have full access to the network, it is unclear why they are hiding the ransomware executable in a BMP image file.\r\nIt is most likely being done to evade detection by security software as the ransomware is deployed throughout the network using tools like PowerShell Empire or PsExec.\r\nProLock encryption method\r\nOtherwise, a ProLock encryption attack is the same as the method used by PwndLocker.\r\nWhen launched, it will clear the shadow volume copies on the machine so that they cannot be used to recover files:\r\nvssadmin.exe delete shadows /all /quiet\r\nvssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=401MB\r\nvssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=unbounded\r\nThe two resize commands are a second route to the same result: shrinking the shadow storage limit forces Windows to discard existing shadow copies, and the last command restores the unbounded limit afterwards. Monitoring for vssadmin resize shadowstorage as well as for delete shadows covers both routes.\r\nIt will then start encrypting files on the computer, while skipping any with the following extensions and files in operating system and common application folders.\r\n.exe, .dll, .lnk, .ico, .ini, .msi, .chm, .sys, .hlf, .lng, .inf, .ttf, .cmd, .bat, .vhd, .bac, .bak, .wbc, .bkf, .set, .\r\nWhen encrypting files it will append the extension .proLock to an encrypted file's name. For example, 1.doc will be encrypted and named 1.doc.proLock.\r\n[Image: ProLock encrypted files]\r\nIn each folder that has been scanned for files, ProLock will create a ransom note named [HOW TO RECOVER FILES].TXT that contains instructions on how to connect to a Tor site for payment information.\r\n[Image: ProLock ransom note]\r\nEach ProLock ransomware executable is hard-coded with a ransom amount assigned to a particular victim, and the amounts continue to be high: the sample we analyzed demanded 80 bitcoins, or approximately $470,000.\r\n[Image: ProLock Ransomware Tor payment site]\r\nUnfortunately, with this release the ransomware operators fixed the encryption flaw that made free decryption possible. Victims will instead need to recover from backups or rebuild their files.\r\nIOCs\r\nHashes:\r\nWinMgr.bmp (SHA-256): a6ded68af5a6e5cc8c1adee029347ec72da3b10a439d98f79f4b15801abd7af0\r\nAssociated Files:\r\n[HOW TO RECOVER FILES].TXT\r\nC:\\Programdata\\WinMgr.xml\r\nC:\\Programdata\\WinMgr.bmp\r\nC:\\Programdata\\clean.bat\r\nC:\\Programdata\\run.bat\r\nProLock Ransom Note:\r\nYour files have been encrypted by ProLock Ransomware using RSA-2048 algorithm.\r\n [.:Nothing personal just business:.]\r\nNo one can help you to restore files without our special decryption tool.\r\nTo get your files back you have to pay the decryption fee in BTC.\r\nThe final price depends on how fast you write to us.\r\n 1. Download TOR browser: https://www.torproject.org/\r\n 2. Install the TOR Browser.\r\n 3. Open the TOR Browser.\r\n 4. Open our website in the TOR browser: msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion\r\n 5. Login using your ID xxx\r\n ***If you have any problems connecting or using TOR network:\r\n contact our support by email chec1kyourf1les@protonmail.com.\r\n [You'll receive instructions and price inside]\r\nThe decryption keys will be stored for 1 month.\r\nWe also have gathered your sensitive data.\r\nWe would share it in case you refuse to pay.\r\nDecryption using third party software is impossible.\r\nAttempts to self-decrypting files will result in the loss of your data.\r\nSource: https://www.bleepingcomputer.com/news/security/pwndlocker-fixes-crypto-bug-rebrands-as-prolock-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/pwndlocker-fixes-crypto-bug-rebrands-as-prolock-ransomware/"
	],
	"report_names": [
		"pwndlocker-fixes-crypto-bug-rebrands-as-prolock-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434259,
	"ts_updated_at": 1775791302,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/770dfc5a55b0148318ca213970faa5fcfc3e6bf9.pdf",
		"text": "https://archive.orkl.eu/770dfc5a55b0148318ca213970faa5fcfc3e6bf9.txt",
		"img": "https://archive.orkl.eu/770dfc5a55b0148318ca213970faa5fcfc3e6bf9.jpg"
	}
}