Cyber Incident Victim: City of Novi Sad
Date: Mar 2020
Location: Serbia
Summary
The City of Novi Sad suffered a ransomware attack by the PwndLocker group, which encrypted its network and exfiltrated sensitive data. The attackers demanded payment in Bitcoin via a Tor-based portal and threatened to release the stolen information if the ransom was not paid. The ransomware disabled critical Windows services, terminated processes belonging to security software and backup tools, and deleted Shadow Volume Copies to hinder recovery. Encrypted files were given the .key or .pwnd extension, while specific system directories and file types were excluded from encryption. Ransom notes instructed victims to contact the attackers through designated channels, warned against third-party decryption attempts, and stressed that only the attackers held the decryption keys. Operational disruptions included disabled backup solutions and database services.
Description
The City of Novi Sad in Serbia experienced a ransomware attack on March 3, 2020, attributed to the PwndLocker ransomware operation. This incident occurred amid a broader campaign targeting U.S. cities and enterprises, with Lasalle County, Illinois, confirmed as another victim. PwndLocker operators demanded ransoms exceeding $650,000 in bitcoin, with Lasalle County facing a 50 BTC ($442,000) demand. Attackers claimed to have exfiltrated data prior to encryption in the Lasalle County case, sharing folder lists and images as evidence, though no equivalent confirmation exists for Novi Sad. The ransomware disabled critical Windows services—including Veeam, SQL Server, Exchange, and security software like Kaspersky and Sophos—using 'net stop' commands to facilitate encryption. It terminated processes tied to productivity software (Firefox, Microsoft Office) and backup solutions while executing commands to delete Shadow Volume Copies, hindering file recovery efforts.

PwndLocker encrypted files while excluding system-critical extensions (.exe, .dll) and directories (Windows, System Volume Information). Encrypted files bore .key or .pwnd extensions, with ransom notes (H0w_T0_Rec0very_Files.txt) distributed across systems directing victims to a Tor payment site (ax3spapdymip4jpy.onion) or email support. The ransom portal allowed two free file decryptions and featured escalating demands, threatening a 100% price increase after two weeks and permanent key deletion after one month. Attackers leveraged double extortion by threatening to leak stolen data if ransoms were unpaid, though Novi Sad’s data compromise status remains unconfirmed. No weaknesses in PwndLocker’s encryption were publicly known at the time. Lasalle County publicly refused payment, but Novi Sad’s response and operational impacts were not disclosed in available sources.
