Cyber Threat Actor: DeadBolt
| Actor Type | Location | Known Incidents |
Criminal
|
—
|
0 incidents |
|---|
Profile
DeadBolt, operating under the ransomware alias PwndLocker, emerged in late 2019 with financially motivated attacks against municipal governments and enterprises. The group explicitly targeted U.S. entities like La Salle County, Illinois, and expanded to international victims including Novi Sad, Serbia, demonstrating opportunistic geographic reach. Their operations centered on extorting substantial payments—demanding 50 Bitcoin ($442,000) from La Salle County—while threatening to leak stolen data to pressure victims. Forensic evidence confirmed dual objectives: file encryption for operational disruption and data exfiltration for coercive leverage. County officials publicly refused payment, citing unreliable decryption experiences from prior ransomware incidents, opting instead for backup restoration.
PwndLocker ransomware employed aggressive disruption techniques, terminating processes for security tools (Kaspersky, Sophos), backup software (Veeam, Acronis), and productivity applications before encrypting files. It systematically disabled recovery mechanisms by deleting Volume Shadow Copies and targeting database services (SQL Server, MySQL). The malware avoided encrypting system-critical folders and extensions to maintain payload execution. Victims received ransom notes ("H0w_T0_Rec0very_Files.txt") directing communication via Tor onion services or email, offering limited free decryption trials. DeadBolt exploited the novelty of their ransomware variant, which bypassed existing defenses during the 2020 La Salle County attack. Campaigns featured tailored ransom demands based on victim network size and revenue, with threats to double fees after two weeks.
