SYMBOLCOMMON_NAMEaka. SYNONYMS
win.pwndlocker (Back to overview)

PwndLocker

aka: ProLock
VTCollection    

PwndLocker is a ransomware that was observed in late 2019 and is reported to have been used to target businesses and local governments/cities. According to one source, ransom amounts demanded as part of PwndLocker activity range from $175k USD to $650k USD depending on the size of the network. PwndLocker attempts to disable a variety of Windows services so that their data can be encrypted. Various processes will also be targeted, such as web browsers and software related to security, backups, and databases. Shadow copies are cleared by the ransomware, and encryption of files occurs once the system has been prepared in this way. Executable files and those that are likely to be important for the system to continue to function appear to be skipped by the ransomware, and a large number of folders mostly related to Microsoft Windows system files are also ignored. As of March 2020, encrypted files have been observed with the added extensions of .key and .pwnd. Ransom notes are dropped in folders where encrypted files are found and also on the user's desktop.

References
2021-11-03CERT-FRANSSI
Identification of a new cybercriminal group: Lockean
DoppelPaymer Egregor Maze PwndLocker REvil
2021-10-26ANSSI
Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil
2021-05-10DarkTracerDarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06Cyborg SecurityBrandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-03-01Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-23CrowdStrikeCrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-15Medium s2wlabSojun Ryu
Operation SyncTrek
AbaddonPOS Azorult Clop DoppelDridex DoppelPaymer Dridex PwndLocker
2021-02-02CRONUPGermán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2020-12-15HornetsecurityHornetsecurity Security Lab
QakBot reducing its on disk artifacts
Egregor PwndLocker QakBot
2020-11-27Fiducia & GAD IT AGFrank Boldewin
When ransomware hits an ATM giant - The Diebold Nixdorf case dissected
PwndLocker QakBot
2020-11-20ZDNetCatalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-12IntrinsecJean Bichet
Egregor – Prolock: Fraternal Twins ?
Egregor PwndLocker QakBot
2020-11-02One Night in NorfolkKevin Perlow
TinyPOS and ProLocker: An Odd Relationship
AbaddonPOS PwndLocker
2020-09-29PWC UKAndy Auld
What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-09-10Group-IBOleg Skulkin, Semyon Rogachev
Lock Like a Pro: Dive in Recent ProLock's Big Game Hunting
PwndLocker QakBot
2020-07-27Sophos LabsSean Gallagher
ProLock ransomware gives you the first 8 kilobytes of decryption for free
PwndLocker
2020-06-16HornetsecuritySecurity Lab
QakBot malspam leading to ProLock: Nothing personal just business
PwndLocker QakBot
2020-05-18ZDNetCatalin Cimpanu
FBI: ProLock ransomware gains access to victim networks via Qakbot infections
PwndLocker
2020-05-14Group-IBOleg Skulkin
ATT&CKing ProLock Ransomware
PwndLocker
2020-05-11soolidsnake
ProLock malware analysis
PwndLocker
2020-03-23Cert-PaCert-PA
PwndLocker si rinnova in ProLock Ransomware
PwndLocker
2020-03-05Bleeping ComputerLawrence Abrams
PwndLocker Ransomware Gets Pwned: Decryption Now Available
PwndLocker
2020-03-02Bleeping ComputerLawrence Abrams
New PwndLocker Ransomware Targeting U.S. Cities, Enterprises
PwndLocker
2020-03-02IT Klinikaunknown
Pažnja: Novi opasni ransomware pwndLocker i u Srbiji!
PwndLocker
2019-10-23ID RansomwareAndrew Ivanov
PwndLocker Ransomware
PwndLocker
Yara Rules
[TLP:WHITE] win_pwndlocker_auto (20241030 | Detects win.pwndlocker.)
rule win_pwndlocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.pwndlocker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwndlocker"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 75e0 5a 8b7224 01de 31c0 668b044e 8b721c }
            // n = 7, score = 300
            //   75e0                 | jne                 0xffffffe2
            //   5a                   | pop                 edx
            //   8b7224               | mov                 esi, dword ptr [edx + 0x24]
            //   01de                 | add                 esi, ebx
            //   31c0                 | xor                 eax, eax
            //   668b044e             | mov                 ax, word ptr [esi + ecx*2]
            //   8b721c               | mov                 esi, dword ptr [edx + 0x1c]

        $sequence_1 = { 8b4e18 8b5620 01da 56 e334 49 8d348a }
            // n = 7, score = 300
            //   8b4e18               | mov                 ecx, dword ptr [esi + 0x18]
            //   8b5620               | mov                 edx, dword ptr [esi + 0x20]
            //   01da                 | add                 edx, ebx
            //   56                   | push                esi
            //   e334                 | jecxz               0x36
            //   49                   | dec                 ecx
            //   8d348a               | lea                 esi, [edx + ecx*4]

        $sequence_2 = { e334 49 8d348a 8b36 }
            // n = 4, score = 300
            //   e334                 | jecxz               0x36
            //   49                   | dec                 ecx
            //   8d348a               | lea                 esi, [edx + ecx*4]
            //   8b36                 | mov                 esi, dword ptr [esi]

        $sequence_3 = { ebf4 3b7df0 75e0 5a 8b7224 }
            // n = 5, score = 300
            //   ebf4                 | jmp                 0xfffffff6
            //   3b7df0               | cmp                 edi, dword ptr [ebp - 0x10]
            //   75e0                 | jne                 0xffffffe2
            //   5a                   | pop                 edx
            //   8b7224               | mov                 esi, dword ptr [edx + 0x24]

        $sequence_4 = { 8d348a 8b36 01de 31ff 31c0 fc }
            // n = 6, score = 300
            //   8d348a               | lea                 esi, [edx + ecx*4]
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   01de                 | add                 esi, ebx
            //   31ff                 | xor                 edi, edi
            //   31c0                 | xor                 eax, eax
            //   fc                   | cld                 

        $sequence_5 = { c1cf0d 01c7 ebf4 3b7df0 75e0 5a }
            // n = 6, score = 300
            //   c1cf0d               | ror                 edi, 0xd
            //   01c7                 | add                 edi, eax
            //   ebf4                 | jmp                 0xfffffff6
            //   3b7df0               | cmp                 edi, dword ptr [ebp - 0x10]
            //   75e0                 | jne                 0xffffffe2
            //   5a                   | pop                 edx

        $sequence_6 = { 7407 c1cf0d 01c7 ebf4 3b7df0 75e0 }
            // n = 6, score = 300
            //   7407                 | je                  9
            //   c1cf0d               | ror                 edi, 0xd
            //   01c7                 | add                 edi, eax
            //   ebf4                 | jmp                 0xfffffff6
            //   3b7df0               | cmp                 edi, dword ptr [ebp - 0x10]
            //   75e0                 | jne                 0xffffffe2

        $sequence_7 = { fc ac 84c0 7407 c1cf0d 01c7 ebf4 }
            // n = 7, score = 300
            //   fc                   | cld                 
            //   ac                   | lodsb               al, byte ptr [esi]
            //   84c0                 | test                al, al
            //   7407                 | je                  9
            //   c1cf0d               | ror                 edi, 0xd
            //   01c7                 | add                 edi, eax
            //   ebf4                 | jmp                 0xfffffff6

        $sequence_8 = { fc ac 84c0 7407 c1cf0d 01c7 }
            // n = 6, score = 300
            //   fc                   | cld                 
            //   ac                   | lodsb               al, byte ptr [esi]
            //   84c0                 | test                al, al
            //   7407                 | je                  9
            //   c1cf0d               | ror                 edi, 0xd
            //   01c7                 | add                 edi, eax

        $sequence_9 = { 8b7224 01de 31c0 668b044e }
            // n = 4, score = 300
            //   8b7224               | mov                 esi, dword ptr [edx + 0x24]
            //   01de                 | add                 esi, ebx
            //   31c0                 | xor                 eax, eax
            //   668b044e             | mov                 ax, word ptr [esi + ecx*2]

    condition:
        7 of them and filesize < 65536
}
[TLP:WHITE] win_pwndlocker_w0   (20200518 | Detects Prolock malware in encrypted and decrypted mode)
rule win_pwndlocker_w0 {
	meta:
		author = "Frank Boldewin (@r3c0nst)"
		description = "Detects Prolock malware in encrypted and decrypted mode"
		reference = "https://raw.githubusercontent.com/fboldewin/YARA-rules/master/Prolock.Malware.yar"
		date = "2020-05-17"
		hash = "a6ded68af5a6e5cc8c1adee029347ec72da3b10a439d98f79f4b15801abd7af0"
		hash = "dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwndlocker"
        malpedia_version = "20200518"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
		
	strings:
		$DecryptionRoutine = {01 C2 31 DB B8 ?? ?? ?? ?? 31 04 1A 81 3C 1A}
		$DecryptedString1 = "support981723721@protonmail.com" nocase ascii
		$DecryptedString2 = "Your files have been encrypted by ProLock Ransomware" nocase ascii
		$DecryptedString3 = "msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion" nocase ascii
		$CryptoCode = {B8 63 51 E1 B7 31 D2 8D BE ?? ?? ?? ?? B9 63 51 E1 B7 81 C1 B9 79 37 9E}
		
	condition:
		((uint16(0) == 0x5A4D) or (uint16(0) == 0x4D42)) and filesize < 100KB and (($DecryptionRoutine) or (1 of ($DecryptedString*) and $CryptoCode))
}
Download all Yara Rules