Remove PWNDLocker Ransomware Virus (2021 Decryption Guide)
PWNDLocker seeks to encrypt data on computers of businesses and local governments
Contents
PWNDLOCKER ransomware is a malicious file-encrypting virus designed to target computer networks. Once installed on the computer, the ransomware attempts to disable a variety of Windows services. Then it encrypts files using RSA-2048 algorithm and appends either .pwnd or .key extensions to their original names. Lastly, it drops a ransom note called How_To_Recovery_Files.txt (H0w_T0_Rec0very_Files.txt), which informs to visit the payment website via Tor browser and pay the specified ransom as soon as possible. The virus demands hefty ransom amounts ranging from $175,000 to $670,000 based on the amount of computers infected. However, due to flaws in the encryption routine, victims can restore their files for free after PWNDLocker removal.
PwndLocker ransomware uses net stop command to disable Windows services and security software before encrypting all personal and work files on the infected network. It disables Microsoft SQL server, MySQL, Acronis, Veeam, Exchange, Backup Exec, Oracle, IIS, Zoolz, also McAfee, Sophos, Malwarebytes and Kaspersky services. Next, the virus attempts to close open programs such as web browsers, document editor programs, backup programs and database servers.
Finally, the virus deletes Volume Shadow Copies to prevent the victim from restoring corrupted files easily. Now that the system is cleared from interfering processes and all means of data recovery are gone, PwndLocker begins encrypting files on victim’s computer, such as PDF or Word documents, databases, images, spreadsheets.
The ransomware exclusion list
The ransomware bypasses the following folders while encrypting the data:
$Recycle.Bin, Windows, System Volume Information, PerfLogs, Common Files, DVD Maker, Internet Explorer, Kaspersky Lab, Kaspersky Lab Setup Files, WindowsPowerShell, Microsoft, Microsoft.NET, Mozilla Firefox, MSBuild, Windows Defender, Windows Mail, Windows Media Player, Windows NT, Windows Photo Viewer, Windows Portable Devices, Windows Sidebar, WindowsApps, All Users, Uninstall Information, Microsoft, Adobe, Microsoft_Corporation, Packages, Temp
The ransomware keeps web browsers so that the victim could access the Internet and download the suggested Tor browser, which is required to access the ransom payment website.
PwndLocker also excludes the following extensions to keep the computer system intact.
.bac, .bak, .bat, .cmd, .dsk,.exe, .dll, .lnk, .ico, .ini, .msi, .chm, .hlf, .lng, .inf, .ttf, .vhd, .wbc, .bkf, .set, .sys, .win
Ransomware Summary
| Name | PWNDLOCKER virus |
| Type | Ransomware |
| Extensions used | .pwnd or .key |
| Ransom note | H0w_T0_Rec0very_Files.txt |
| Ransom amount | From $175,000 to $670,000 in Bitcoin |
| Distribution | Malicious email spam with attached files or links |
| Decryption | Possible |
| Removal | Remove after extracting the ransomware executable (use instructions below), then boot in Safe Mode and run malware removal software |
The ransom note demands Bitcoins
The ransomware saves H0w_T0_Rec0very_Files.txt note on Desktop and all other affected folders. It contains a message from the virus’ developers. The note suggests that the computer network has been penetrated and encrypted with strong algorithm. Backups were removed or encrypted, therefore no one can help to recover files except the criminals. As suggested by the note, PWNDLOCKER ransom price depends on the network size, number of employees and annual revenue.
The ransom note suggests not to publish the payment website link or contact emails included in the message, otherwise the attackers will delete the decryption keys for the victim. Ransomware developers also inform that the decryption key will be stored for one month, and the ransom price will double after two weeks. If the victim refuses to pay, the attackers suggest publishing collected “sensitive data” about the victim.
The ransom-payment website, called Info page, greets the victim with a “Hello, you are a victim of ransomware” headline. The victim can ask the website “support” to test the decryption on 1 or 2 files.
IMPORTANT. If you have been affected by this malicious software, please locate the ransomware executable using the instructions given below and send it to Emsisoft FIRST. Then you can remove PWNDLOCKER ransomware virus using free instructions provided below this article.
Decrypt PWNDLOCKER files
Thanks to Emsisoft’s Fabian Wosar, a flaw was found in the ransomware’s source code, giving the researcher an opportunity to use it for PWNDLocker decryption creation.
Victims affected by this ransomware can decrypt .pwnd or .key extension files after recovering the executable file used by the virus. To do this, you can use regular data recovery tools such as Shadow Explorer or others. The executable can be recovered from %Temp%, C:/User or %AppData% folders.
Once you recover the executable file, you should get in touch with Emsisoft and send them the executable.
The file-encrypting malware distribution vectors
PWNDLocker ransomware may use several different attack vectors, such as malicious email spam, infected downloads, or compromised RDP. When it comes to targeted attacks against companies, deceptive emails containing malicious attachments or links is the most common attack vector. Therefore, it is believed that this ransomware spreads with the help of it.
To avoid such attacks, be extremely careful and never open any attachments or click on links included in a suspicion-raising emails. In addition, try to keep data backups unplugged from the computer or their network. In case of a ransomware attack, such backups remain unaffected.
Remove PWNDLocker ransomware virus now
One of the easiest ways to remove PWNDLocker ransomware virus is to prepare a safe environment for its removal first, then use a trustworthy antivirus or anti-malware tool. To learn how to boot your PC in Safe Mode, use the guidelines prepared by our experts below.
IMPORTANT. Make sure you extract the ransomware executable and send it to Emsisoft before running an automatic malware removal tool. Otherwise, it might delete this file forever.
Once you complete all the steps, PWNDLocker removal will be done safely.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS
STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
PWNDLocker Ransomware Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove PWNDLocker Ransomware files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
REMOVE MALWARE & REPAIR VIRUS DAMAGE
1 Step. Get robust antivirus to remove existing threats and enable real-time protection
INTEGO Antivirus for Windows provides robust real-time protection, Web Shield against phishing and deceptive websites, blocks malicious downloads and blocks Zero-Day threats. Use it to remove ransomware and other viruses from your computer professionally.
2 Step. Repair Virus Damage on Windows Operating System Files
Download RESTORO to scan your system for FREE and detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Recent Posts
Remove HFGD Ransomware Virus (DECRYPT .hfgd FILES)
HFGD ransomware aims to take your computer files hostage HFGD ransomware is a malicious malware…
Remove RGUY Ransomware Virus (DECRYPT .rguy FILES)
Description of RGUY ransomware which is designed to encrypt files on computers worldwide RGUY ransomware…
Remove MMUZ Ransomware Virus (DECRYPT .mmuz FILES)
MMUZ ransomware arises from the infamous STOP/DJVU data-encrypting malware group MMUZ ransomware is a dangerous…
Remove VLFF Ransomware Virus (DECRYPT .vlff FILES)
VLFF ransomware is a virtual menace to your computer files VLFF ransomware is a newly…
Remove UIGD Ransomware Virus (DECRYPT .uigd FILES)
UIGD ransomware encrypts all files on a computer, asks for a ransom UIGD ransomware is…
Remove EYRV Ransomware Virus (DECRYPT .eyrv FILES)
EYRV ransomware takes your computer files hostage, demands a ransom EYRV ransomware is a destructive…