Cyber Threat Actor: PwndLocker
| Actor Type | Location | Known Incidents |
Criminal
|
Russia
|
3 incidents |
|---|
Profile
PwndLocker, also known as ProLock, is a ransomware operation that has been linked to actors based in Russia. The group first appeared under the PwndLocker name and later rebranded to ProLock after a decryption tool released by Emsisoft threatened to undermine their extortion model. Their activity has been observed in a series of ransomware attacks targeting large corporations, municipal governments and county governments in the United States and Europe.
In February 2020 the group struck La Salle County in Illinois, deploying a newly identified variant that bypassed existing defenses, disabled Windows services, terminated security‑related processes and deleted Shadow Volume Copies to impede recovery. Files were encrypted with extensions such as .key or .pwnd, while certain system directories and file types were deliberately excluded. Although the attack blocked access to systems, investigators found no evidence that data had been exfiltrated; the county restored operations using off‑site backups after refusing to pay the ransom.
A month later, in March 2020, the same ransomware was used against the City of Novi Sad in Serbia. The attackers encrypted the city’s network, exfiltrated sensitive data and threatened to publish it unless a Bitcoin payment was made through a Tor‑based portal. The ransom note warned against third‑party decryption attempts and asserted that only the attackers possessed the working keys. The infection also disabled backup solutions and database services, causing significant operational disruption.
In April 2020 the group rebranded their payload as ProLock and attacked Diebold Nixdorf, a major ATM and payment technology provider. The intrusion occurred on a weekend evening, a timing choice the attackers have repeatedly favored to exploit reduced staffing levels. ProLock encrypted the corporate network, disrupted a field‑service‑technician automation system and impacted services for over 100 customers, though the attackers did not compromise ATMs, customer networks or public‑facing services. A six‑figure ransom demand in Bitcoin was issued, which the victim refused to pay. Researchers noted that the ProLock decryption tool supplied to paying victims could corrupt large files unless a separate fix—available only to those who had paid—was applied. The attackers hinted at possessing stolen data and suggested they might move toward publishing victim information, a tactic seen in other ransomware groups, though no public leak had been confirmed at the time of the Diebold incident.
Overall, the operation exhibits a pattern of weekend‑timed intrusions, service disruption, shadow‑copy deletion, selective file exclusion, use of distinctive extensions, ransom notes demanding Bitcoin via Tor, threats of data leakage and a decryption tool that requires payment to function correctly. The group’s known operational base is Russia, and their activity has spanned multiple sectors and geographies since early 2020.
