PwndLocker Ransomware

PwndLocker is ransomware first observed in late 2019 that has targeted local government authorities.

The attackers operating PwndLocker steal data before encrypting it and demanding a ransom payment in bitcoin.

When executed, PwndLocker uses the ‘net stop’ command to terminate a range of processes for security software and other applications. PwndLocker then clears Volume Shadow Copies to hinder file recovery. Filenames have the .key or .pwnd extension added when data is encrypted.

Unfortunately, with this release the ransomware operators fixed their encryption flaw that made free decryption possible. Victims will need to recover from backups instead or rebuild their files.

PwndLocker Ransom Note (image via

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: