Emerging Malware Threat: Pandora Ransomware
Incident Report for Ascend Security Events
Resolved

Source: Cyble

Cyble Research Labs has published an analysis regarding a new ransomware threat that has compromised several companies. This strain of ransomware has been reported to have compromised four high profile companies so far including Japanese automotive manufacturer Denso. The group behind this ransomware announced its first victim on February 21st, 2022.

The payload is a Visual C++ compiled executable. It contains encrypted strings and numerous jumps and calls that make debugging difficult. Once executed, the ransomware enumerates the file system using the FindFirstFileW() and FindNextFileW() APIs and encrypts important documents and system files. Finally, a ransom note is displayed to the user demanding cryptocurrency in exchange for decryption of their files.

Researchers have found many similarities between Pandora ransomware and a previously reported threat, ROOK ransomware. In December 2021, ROOK posted on its leak site claiming to have attacked one of the world's largest automotive suppliers of technology and components. ROOK's leak site went down around the end of January 2022, and in March 2022 Pandora posted the same victim on its own leak site. Given this incident and the similarities in how the two operate, it is suspected that Pandora is a rebrand of ROOK ransomware.

The Pandora ransomware gang is suspected of using the double extortion method, in which the threat actor exfiltrates the victim's data before encrypting it. The gang then threatens to leak the exfiltrated data on its leak site or on cybercrime forums if the victim does not pay an additional ransom.

Indicators of Compromise (file hashes):
• 0c4a84b66832a08dccc42b478d9d5e1b (MD5)
• 160320b920a5ef22ac17b48146152ffbef60461f (SHA-1)
• 5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b (SHA-256)

As a result, Ascend Technologies has deployed detections for the known IOCs across our EDR, SIEM, and anti-malware platforms. These IOCs include IP addresses and hash values, which give us the ability to detect and alert on this threat. As is the case with most malware, end users are the target, which makes maintaining a robust security posture highly important, including end-user training to develop safe and secure internet browsing habits.
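For teams that want to sweep their own file shares or endpoints for the file-hash indicators listed above, the following script is an added example (not Cyble's or Ascend's own tooling). It takes the three hashes from the report, infers the algorithm of each from its hex length, hashes every file under a directory tree in a single pass, and reports any file whose digest matches an indicator. The directory path and the IOC set passed to sweep() are the caller's choice; everything else is standard library.

```python
"""IOC hash sweep: compare file digests against the Pandora indicators in the report."""
import hashlib
import os
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Hash values copied from the indicators of compromise listed in the report above.
PANDORA_IOCS = {
    "0c4a84b66832a08dccc42b478d9d5e1b",
    "160320b920a5ef22ac17b48146152ffbef60461f",
    "5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b",
}

# The hex digest length identifies which algorithm produced each indicator.
HASH_ALGOS_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_ioc(ioc: str) -> str:
    """Return the hash algorithm name ('md5', 'sha1' or 'sha256') for a hex IOC."""
    ioc = ioc.strip().lower()
    if len(ioc) not in HASH_ALGOS_BY_LENGTH or any(c not in "0123456789abcdef" for c in ioc):
        raise ValueError(f"not a recognised hex digest: {ioc!r}")
    return HASH_ALGOS_BY_LENGTH[len(ioc)]


def hash_file(path: Path, algos: Tuple[str, ...] = ("md5", "sha1", "sha256")) -> Dict[str, str]:
    """Compute every requested digest of a file in one pass over its bytes."""
    hashers = {name: hashlib.new(name) for name in algos}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def sweep(root: str, iocs: Iterable[str] = PANDORA_IOCS) -> List[Tuple[str, str, str]]:
    """Walk a directory tree and return (path, algorithm, digest) for each file whose
    digest is in the IOC set. Unreadable files are skipped so one locked file does not
    abort the whole sweep."""
    wanted = {ioc.strip().lower(): classify_ioc(ioc) for ioc in iocs}
    needed_algos = tuple(sorted(set(wanted.values())))  # only compute what the IOCs need
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                digests = hash_file(path, needed_algos)
            except OSError:
                continue
            for algo, digest in digests.items():
                if wanted.get(digest) == algo:
                    hits.append((str(path), algo, digest))
    return hits


if __name__ == "__main__":
    import sys

    # Usage: python sweep.py /path/to/scan  (defaults to the current directory)
    for hit_path, hit_algo, hit_digest in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"MATCH {hit_algo} {hit_digest} {hit_path}")
```

A match on any of the three digests is a strong signal, since they identify a specific sample rather than a family; the absence of a match says nothing about repacked or newer variants, so the sweep complements, rather than replaces, the behavioural detections in an EDR.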

Author: Evan Obal

Source: https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/
Posted Mar 21, 2022 - 11:26 CDT