Four organizations have already taken the antidote

Computer laptop with key in red of ring and gears on binary code

Businesses and government bodies hit by the PwndLocker ransomware strain have been given hope of recovering their encrypted files without paying the ransom, following the launch of a free decryptor.

Four organizations have already been helped by the tool, less than a week after its launch on Friday (March 6) by Emsisoft, the antivirus vendor told The Daily Swig.

Because PwndLocker has multiple variants, the tool is tailored to each victim.

“While most of our tools are one-size-fits-all in nature, the PwndLocker decryptor needs to be customized for each organization, so victims need to contact us,” Brett Callow, threat analyst at Emsisoft, told The Daily Swig.

What is the PwndLocker ransomware?

Surfacing in late 2019, the PwndLocker ransomware has been primarily used against businesses and governments, with ransoms varying depending on the victim’s network size, number of employees, and annual revenue, according to MalwareHunterTeam.

Emsisoft said ransoms can exceed $500,000.

The ransomware’s numerous variants, which MalwareHunterTeam said had been created by technically accomplished malware authors, all delete shadow volume copies, making it harder for victims to recover data.

Recent victims include Lasalle County in Illinois and Serbian city Novi Sad (article in Serbian), with the ransom set to 50 bitcoins ($425,000) in both cases.

The PwndLocker decryptor

Emsisoft customizes its PwndLocker decryptor to particular variants by uncovering flaws in the executable’s encryption code.

“While the ransomware automatically deletes the executable, it is often possible to recover it using file recovery tools and it may be found in the %Temp%, C:\User folders or %Appdata% folders,” Emsisoft said.

Decryptors can also be developed using copies of the attackers’ encryption keys.

Victims can identify a ransomware strain by uploading the ransom note or sample encrypted file to MalwareHunterTeam’s ID Ransomware and get free decryptors through the No More Ransom initiative – a collaboration between Kaspersky, McAfee, Europol and the Dutch police.

Given that Emsisoft doesn’t always publicly launch its decryptors – due to the risk of alerting cybercriminals to flaws in their code – Callow recommended the introduction of a formal channel for securely sharing information between law enforcement and security organizations.

“Without such a communication channel – and one does not currently exist – impacted agencies may not discover that a solution is available and could needlessly pay ransoms or unnecessarily incur other costs,” he said.

An Emsisoft report recently estimated the financial damage wrought by ransomware attacks in the US at $7.5 billion.

RECOMMENDED The latest government data breaches in 2019/2020