{
	"id": "63008b65-0b39-451e-9dd8-aa86144a287c",
	"created_at": "2026-04-06T00:18:59.781096Z",
	"updated_at": "2026-04-10T03:20:03.907121Z",
	"deleted_at": null,
	"sha1_hash": "db959694eeb086a64c86840b0c88e82ad27b52db",
	"title": "New PwndLocker Ransomware Targeting U.S. Cities, Enterprises",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1977535,
	"plain_text": "New PwndLocker Ransomware Targeting U.S. Cities, Enterprises\r\nBy Lawrence Abrams\r\nPublished: 2020-03-02 · Archived: 2026-04-05 20:00:42 UTC\r\nDriven by the temptation of big ransom payments, a new ransomware called PwndLocker has started targeting the networks of businesses and local governments with ransom demands over $650,000.\r\nThis new ransomware began operating in late 2019 and has since encrypted a stream of victims ranging from local cities to organizations.\r\nBleepingComputer has been told that the ransom amounts being demanded by PwndLocker range from $175,000 to over $660,000 depending on the size of the network.\r\nhttps://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/\r\nPage 1 of 7\r\nIt is not known if any of these victims have paid at this time.\r\nPwndLocker says they encrypted Lasalle County's network\r\nA source recently told BleepingComputer that the ransomware attack against Lasalle County in Illinois was conducted by the operators of the PwndLocker Ransomware.\r\nWhen asked by BleepingComputer, the ransomware operators said they are behind the attack and are demanding a 50 bitcoin ransom ($442,000) for a decryptor.\r\nThe attackers have also told BleepingComputer that they have stolen data from the county before encrypting the network.\r\nFrom an image and a list of folders shared with BleepingComputer by the attackers, it does look like files were stolen from the county.\r\nLocal media reports that Lasalle County has no plans on paying the ransom.\r\nBleepingComputer has contacted Lasalle County via email for confirmation, but the emails were rejected. We have also left a voicemail but have not heard back at this time.\r\nUpdate 3/3/2020 8:19 AM: PwndLocker has also encrypted the network for the City of Novi Sad in Serbia.\r\nUpdate 3/3/2020 7:18 PM: PwndLocker shared an image and a list of folders that they say were stolen from Lasalle County.\r\nThe PwndLocker Ransomware\r\nIn a sample shared with BleepingComputer by MalwareHunterTeam, when executed PwndLocker will attempt to disable a variety of Windows services using the 'net stop' command so that their data can be encrypted.\r\nSome of the applications whose services are targeted include Veeam, Microsoft SQL Server, MySQL, Exchange, Acronis, Zoolz, Backup Exec, Oracle, Internet Information Server (IIS), and security software such as Kaspersky, Malwarebytes, Sophos, and McAfee.\r\nThe ransomware will also target various processes and terminate them if detected. Some of the processes targeted include Firefox, Word, Excel, Access, and other processes related to security software, backup applications, and database servers.\r\nPwndLocker will then clear the Shadow Volume Copies so that they cannot be used to recover files, using the following commands:\r\nvssadmin.exe delete shadows /all /quiet\r\nvssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=401MB\r\nvssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=unbounded\r\nOnce the system has been prepped for encryption, PwndLocker will begin to encrypt the files on the computer.\r\nWhile encrypting files, it will skip any files that have one of the following extensions:\r\n.exe, .dll, .lnk, .ico, .ini, .msi, .chm, .sys, .hlf, .lng, .inf, .ttf, .cmd, .bat, .vhd, .bac, .bak, .wbc, .bkf, .set, .\r\nThe ransomware will also skip all files located in the following folders:\r\n$Recycle.Bin\r\nWindows\r\nSystem Volume Information\r\nPerfLogs\r\nCommon Files\r\nDVD Maker\r\nInternet Explorer\r\nKaspersky Lab\r\nKaspersky Lab Setup Files\r\nWindowsPowerShell\r\nMicrosoft\r\nMicrosoft.NET\r\nMozilla Firefox\r\nMSBuild\r\nWindows Defender\r\nWindows Mail\r\nWindows Media Player\r\nWindows NT\r\nWindows Photo Viewer\r\nWindows Portable Devices\r\nWindows Sidebar\r\nWindowsApps\r\nAll Users\r\nUninstall Information\r\nMicrosoft\r\nAdobe\r\nMicrosoft\r\nMicrosoft_Corporation\r\nPackages\r\nTemp\r\nWhen encrypting files, MalwareHunterTeam has seen it using the .key and .pwnd extensions depending on the victim. The sample BleepingComputer analyzed uses the .key extension as shown below.\r\nFiles encrypted by PwndLocker\r\nWhen done encrypting, ransom notes named H0w_T0_Rec0very_Files.txt will be located throughout the computer and on the Windows desktop.\r\nThese ransom notes will contain an email address and a Tor payment site that can be used to get payment instructions and the ransom amount.\r\nPwndLocker Ransom Note\r\nThe PwndLocker payment site allows victims to decrypt two files for free and talk to the ransomware operators, and it shows the ransom amount in bitcoin.\r\nPwndLocker Tor Payment Site\r\nIt is not known at this time if there are any weaknesses in the encryption algorithm.\r\nIOCs\r\nKnown Extensions:\r\n.key\r\n.pwnd\r\nAssociated Files:\r\nH0w_T0_Rec0very_Files.txt\r\nC:\\Programdata\\lock.xml\r\nRansom Note Text:\r\nYour network have been penetrated and encrypted with a strong algorythm\r\nBackups were either removed or encrypted\r\nNo one can help you to recover the network except us\r\nDo not share this link or email. Otherwise, we will have to delete the decryption keys\r\nTo get your files back you have to pay the decryption fee in BTC.\r\nThe price depends on the network size, number of employess and annual revenue.\r\nDownload TOR-Browser: https://www.torproject.org/download/\r\nLogin ax3spapdymip4jpy.onion using your ID xxxx\r\nor\r\ncontact our support by email xxx@xxx.com\r\nYou'll receive instructions inside.\r\nYou should get in contact with us within 2 days after you noticed the encryption to have a good discount.\r\nThe decryption key will be stored for 1 month.\r\nThe price will be increased by 100% in two weeks\r\nWe also have gathered your sensitive data.\r\nWe would share it in case you refuse to pay\r\nDo not rename or move encrypted files\r\nDecryption using third party software is impossible.\r\nAttempts to self-decrypting files will result in the loss of your data.\r\nSource: https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/"
	],
	"report_names": [
		"new-pwndlocker-ransomware-targeting-us-cities-enterprises"
	],
	"threat_actors": [],
	"ts_created_at": 1775434739,
	"ts_updated_at": 1775791203,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db959694eeb086a64c86840b0c88e82ad27b52db.pdf",
		"text": "https://archive.orkl.eu/db959694eeb086a64c86840b0c88e82ad27b52db.txt",
		"img": "https://archive.orkl.eu/db959694eeb086a64c86840b0c88e82ad27b52db.jpg"
	}
}