PwndLocker is ransomware first observed in late 2019 that has targeted local government authorities.
The attackers operating PwndLocker steal data before encrypting it and demanding a ransom payment in bitcoin.
When executed, PwndLocker uses the ‘net stop’ command to terminate a range of processes for security software and other applications. PwndLocker then clears Volume Shadow Copies to hinder file recovery. Filenames have the .key or .pwnd extension added when data is encrypted.
Unfortunately, with this release the ransomware operators fixed the encryption flaw that had made free decryption possible. Victims will instead need to recover from backups or rebuild their files.
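The three behaviours described above (a run of 'net stop' commands, Volume Shadow Copy clearing, and .key or .pwnd extensions appended to filenames) can be correlated per host for triage. The sketch below is an added example, not part of the original write-up: the event tuples, service names and thresholds are constructed, and matching `vssadmin delete shadows` is an assumption because the page does not name the tool used.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

NET_STOP = re.compile(r"^\s*net(\.exe)?\s+stop\s+\S", re.I)
# Assumption: shadow copies are cleared with vssadmin; the page does not name the tool.
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)
# Require an *appended* extension (report.docx.pwnd) so a lone server.key is ignored.
APPENDED_EXT = re.compile(r"\.[a-z0-9]{1,5}\.(key|pwnd)$", re.I)
# Constructed events: (host, ISO timestamp, kind, detail). Not real telemetry.
SAMPLE_EVENTS = [
    ("srv01", "2020-01-01T01:00:00", "proc", "net stop ExampleAvSvc /y"),
    ("srv01", "2020-01-01T01:00:02", "proc", "net stop ExampleBackupSvc /y"),
    ("srv01", "2020-01-01T01:00:05", "proc", "net stop ExampleDbSvc /y"),
    ("srv01", "2020-01-01T01:00:09", "proc", "vssadmin delete shadows /all /quiet"),
    ("srv01", "2020-01-01T01:01:00", "file", r"D:\share\budget.xlsx.pwnd"),
    ("srv01", "2020-01-01T01:01:01", "file", r"D:\share\minutes.docx.key"),
    ("web02", "2020-01-01T09:00:00", "proc", "net stop ExampleSpooler"),
    ("web02", "2020-01-01T09:05:00", "file", r"C:\certs\server.key"),
]

def has_burst(times, count, window):  # do `count` timestamps fit inside `window`?
    times = sorted(times)
    return any(times[i + count - 1] - times[i] <= window
               for i in range(len(times) - count + 1))

def indicators_by_host(events, min_stops=3, min_files=2, window=timedelta(minutes=10)):
    stops, files, found = defaultdict(list), defaultdict(int), defaultdict(set)
    for host, ts, kind, detail in events:
        if kind == "proc" and NET_STOP.search(detail):
            stops[host].append(datetime.fromisoformat(ts))
        elif kind == "proc" and SHADOW_DELETE.search(detail):
            found[host].add("shadow_copy_delete")
        elif kind == "file" and APPENDED_EXT.search(detail):
            files[host] += 1
    for host, times in stops.items():
        if has_burst(times, min_stops, window):
            found[host].add("net_stop_burst")
    for host, n in files.items():
        if n >= min_files:
            found[host].add("appended_key_pwnd")
    return {h: sorted(v) for h, v in found.items()}

def hosts_to_triage(events, min_indicators=2):
    return sorted(h for h, v in indicators_by_host(events).items()
                  if len(v) >= min_indicators)

if __name__ == "__main__":
    print(indicators_by_host(SAMPLE_EVENTS), hosts_to_triage(SAMPLE_EVENTS))
```

Requiring at least two indicators on the same host keeps a single routine service stop or a legitimate private-key file such as `server.key` from raising an alert on its own.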