Technical Analysis of Emerging, Sophisticated Pandora Ransomware Group

2021 saw an outbreak of ransomware groups and attacks that affected every major industry across the globe. This trend is expected to continue, and even to surpass the previous year's numbers by a significant margin, in 2022.
In March 2022, researchers detected a new ransomware strain known as Pandora, which uses double-extortion tactics: it exfiltrates large quantities of personal data before encrypting it, and the operators offer a decryption key once the victim pays the ransom demanded. Pandora is a relatively new operation, and its initial infection vector is not yet known.

After gaining a foothold on the target system, the ransomware appends the “.pandora” extension to the encrypted files and drops a ransom note, “Restore_My_Files.txt”, with instructions on how to recover the data. Researchers believe that Pandora is a rebranded version of Rook ransomware, which in turn is derived from the leaked Babuk source code. This article covers the technical analysis of the Pandora ransomware: its evasion tactics, its encryption process, and more.
The analysed sample, SHA-256 5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b, is packed with UPX (Ultimate Packer for eXecutables). UPX is an executable compressor, and threat actors use it as a cheap layer of obfuscation: the compressed payload hides the original code and strings from static inspection. At runtime the UPX stub decompresses the payload in memory and transfers control to the original entry point, where the ransomware code proper begins. Because UPX is a standard packer, an unmodified UPX stub can be undone statically with the packer's own decompression option (upx -d) before analysis.
The ransomware keeps its strings obfuscated and deobfuscates library names and function names only at runtime. Rather than importing them statically, it loads the library modules it needs dynamically, on a per-use basis, so the import table reveals little about its capabilities.
Initially, the ransomware creates a mutex (a mutual-exclusion object, which lets multiple threads or processes take turns using a shared resource) to make sure that only one instance of the malware is running on the system. The mutex name, “ThisIsMutexa”, is deobfuscated in memory. The malware first calls OpenMutexA to check whether a mutex of that name already exists; if it does not, it creates one with the value “ThisIsMutexa” via CreateMutexA.
The malware also implements anti-debugging checks to hinder analysis.

Endpoint security products can register a process instrumentation callback, a routine the kernel invokes every time the process transitions from kernel mode back to user mode; they use it to spot behavioural anomalies such as system calls that do not originate from ntdll.dll. Pandora neutralises this mechanism by calling NtSetInformationProcess on its own process with ProcessInformationClass set to ProcessInstrumentationCallback and the callback pointer set to 0. If a security product had hooked the process through this callback, the call removes the hook.
Event Tracing for Windows (ETW) is a powerful tracing facility built into the operating system for monitoring the activity of both user-mode and kernel-mode components. It has become a vital instrument for endpoint security solutions to detect anomalous behaviour in running programs, and malware developers have responded by adding functionality to neutralise it. One such vector is patching ETW-related functions exported by ntdll.dll in memory. Pandora patches “EtwEventWrite”, the user-mode function through which a process's ETW events are written, so that events from the ransomware process are never emitted. Because the patch lives in the process's own copy of ntdll.dll, it silences only user-mode tracing from that process; kernel-mode ETW providers are unaffected.
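As an added example (not code from the CloudSEK analysis or from the malware), the following Python checks for this kind of in-memory patch the way a responder would: it compares the first bytes of a function as they appear in the module on disk with the bytes in the running process and classifies the difference. The sample byte strings are constructed stand-ins, not real ntdll bytes; on a live host they would come from the ntdll.dll image in System32 and from ReadProcessMemory on the suspect process.

```python
from typing import Optional

# Single-instruction stubs commonly written over the first bytes of a patched
# function (x64 encodings). A jmp at offset 0 is reported separately.
KNOWN_PATCHES = {
    b"\xc3": "ret",
    b"\x31\xc0\xc3": "xor eax,eax; ret",
    b"\x33\xc0\xc3": "xor eax,eax; ret",
    b"\x48\x33\xc0\xc3": "xor rax,rax; ret",
    b"\xb8\x00\x00\x00\x00\xc3": "mov eax,0; ret",
}


def classify_patch(mem: bytes) -> str:
    """Describe the stub at the start of an in-memory prologue."""
    for stub, desc in KNOWN_PATCHES.items():
        if mem.startswith(stub):
            return desc
    if mem[:1] in (b"\xe9", b"\xeb"):   # jmp rel32 / rel8: an inline hook
        return "jmp (inline hook)"
    return "unknown modification"


def compare_prologue(disk: bytes, mem: bytes, length: int = 16) -> dict:
    """Compare the first `length` bytes of a function as mapped from the
    on-disk module with the bytes currently in the process's memory."""
    d, m = disk[:length], mem[:length]
    diff = [i for i in range(min(len(d), len(m))) if d[i] != m[i]]
    return {
        "patched": bool(diff),
        "first_diff_offset": diff[0] if diff else None,
        "patch_kind": classify_patch(m) if diff else None,
    }


# Constructed sample: a plausible x64 prologue standing in for the on-disk
# EtwEventWrite (these are NOT real ntdll bytes), plus two tampered copies.
CLEAN = bytes.fromhex("4c8bdc49895b0849896b1049897318574883ec40")
RET_PATCH = b"\xc3" + CLEAN[1:]
XOR_RET_PATCH = b"\x33\xc0\xc3" + CLEAN[3:]

if __name__ == "__main__":
    for label, mem in (("clean", CLEAN), ("ret", RET_PATCH), ("xor/ret", XOR_RET_PATCH)):
        print(label, compare_prologue(CLEAN, mem))
```

A jmp at offset 0 is not by itself proof of malice: many EDRs legitimately hook these same exports, which is why the comparison reports the kind of modification rather than a verdict. A bare ret or an xor eax,eax; ret, by contrast, has no legitimate use in an exported ntdll function and is the signature of a tracing bypass.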
Before encryption begins, the malware changes its own shutdown parameters via the SetProcessShutdownParameters API, which sets the order in which the calling process is shut down relative to the other processes on the system. The malware passes a level of 0, the lowest value, so the ransomware process is the last one the operating system terminates at shutdown.

After setting the shutdown parameters, the malware empties the Recycle Bin via the SHEmptyRecycleBinA API.

The ransomware then raises its own priority class to the highest available, REALTIME_PRIORITY_CLASS, via the SetPriorityClass API; the second argument, dwPriorityClass, is 0x100. The kernel grants real-time priority only to a process that holds the increase-scheduling-priority privilege; on a standard user token the call does not fail, but the process only ends up in HIGH_PRIORITY_CLASS.

Finally, the volume shadow copies are deleted by running vssadmin through ShellExecuteA, removing the most convenient local restore point for the files about to be encrypted.
The main thread of the malware creates two new threads responsible for encrypting user data. They are created with dwCreationFlags set to CREATE_SUSPENDED and are resumed later via ResumeThread. The main thread then enumerates the drives present on the system.

Pandora uses Windows I/O completion ports to speed up the encryption process. An I/O completion port is a kernel-managed queue on which threads can block while waiting for work, so it doubles as a thread-safe work queue. The main thread first creates one via the CreateIoCompletionPort API.

Ransomware in the wild has widely adopted this model to optimise encryption: the aim is to use every core of a multicore processor for file enumeration and encryption at the same time. Threads that walk the file system post each file path to the port with PostQueuedCompletionStatus, and worker threads blocked in GetQueuedCompletionStatus pick up the posted paths and encrypt the files. Because the port hands each queued packet to whichever worker is idle, enumeration and encryption overlap instead of running one after the other.
Pandora uses RSA-4096; the public key is embedded within the malware.

As a step preceding encryption, the malware also enumerates directories on network drives and drops the ransom note (Restore_My_Files.txt) into them.
The enumeration and encryption described in this section are carried out by the worker threads, which enumerate and encrypt data concurrently through the Windows I/O completion port. Each worker uses FindFirstFileW to start enumerating the files on disk. Directories, file names and extensions in the following lists are skipped; the effect is to leave the system bootable, keep the ransom note readable, and avoid re-encrypting files that already carry the .pandora extension.

Skipped directories | 
---|---
AppData | Opera Software
Boot | Mozilla
Windows.old | Mozilla Firefox
Tor Browser | ProgramData
Internet Explorer | Program Files
Program Files (x86) | Opera
#recycle | 

Skipped file names | 
---|---
Autorun.inf | bootmgfw.efi
boot.ini | desktop.ini
bootfont.bin | iconcache.db
bootsect.bak | ntldr
bootmgr | Ntuser.dat
bootmgr.efi | Restore_My_Files.txt

Skipped extensions | 
---|---
.hta | .cur
.exe | .drv
.dll | .hlp
.cpl | .icl
.ini | .icns
.cab | .ico
.idx | .sys
.spl | .ocx
.pandora | 
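The following is an added Python re-creation (not Pandora's code, and nothing here encrypts anything) of the enumerate-then-encrypt pipeline from the I/O completion port section above, applying the skip lists from these tables as the selection filter. A standard queue with worker threads stands in for the completion port, and workers merely record the paths they would have encrypted, so the same function can score a directory listing collected during an incident. The directory listing is constructed, as are the worker count and the is_target/select_targets names.

```python
import os
import queue
import threading
from typing import Iterable, List

# Skip lists transcribed from the tables above, compared case-insensitively
# because Windows paths are.
SKIP_DIRS = {d.lower() for d in (
    "AppData", "Opera Software", "Boot", "Mozilla", "Windows.old",
    "Mozilla Firefox", "Tor Browser", "ProgramData", "Internet Explorer",
    "Program Files", "Program Files (x86)", "Opera", "#recycle",
)}
SKIP_FILES = {f.lower() for f in (
    "Autorun.inf", "bootmgfw.efi", "boot.ini", "desktop.ini", "bootfont.bin",
    "iconcache.db", "bootsect.bak", "ntldr", "bootmgr", "Ntuser.dat",
    "bootmgr.efi", "Restore_My_Files.txt",
)}
SKIP_EXTS = {
    ".hta", ".cur", ".exe", ".drv", ".dll", ".hlp", ".cpl", ".icl", ".ini",
    ".icns", ".cab", ".ico", ".idx", ".sys", ".spl", ".ocx", ".pandora",
}


def is_target(path: str) -> bool:
    """True if a file would be selected for encryption under the skip lists."""
    parts = path.replace("\\", "/").split("/")
    dirs, name = parts[:-1], parts[-1].lower()
    if any(d.lower() in SKIP_DIRS for d in dirs):
        return False
    if name in SKIP_FILES:
        return False
    return os.path.splitext(name)[1] not in SKIP_EXTS


def select_targets(paths: Iterable[str], workers: int = 4) -> List[str]:
    """Producer/consumer pipeline: the caller's enumeration (the
    FindFirstFileW/FindNextFileW role) posts paths to a queue and worker
    threads pull them off, as the ransomware does with
    PostQueuedCompletionStatus / GetQueuedCompletionStatus on its port.
    Workers only record selections; nothing on disk is touched."""
    work = queue.Queue()
    selected: List[str] = []
    lock = threading.Lock()

    def worker() -> None:
        while True:
            p = work.get()
            if p is None:          # sentinel: no more packets for this worker
                return
            if is_target(p):
                with lock:
                    selected.append(p)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for p in paths:                # the enumeration side posting packets
        work.put(p)
    for _ in threads:              # one sentinel per worker
        work.put(None)
    for t in threads:
        t.join()
    return sorted(selected)


# Constructed directory listing (not from a real victim).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\Q1_report.docx",
    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Program Files\Vendor\app.exe",
    r"C:\Users\alice\Desktop\Restore_My_Files.txt",
    r"C:\Users\alice\Desktop\notes.txt.pandora",
    r"C:\Windows\System32\drivers\disk.sys",
    r"C:\Users\alice\Desktop\budget.xlsx",
    r"\\fileserver\share\contracts\msa.pdf",
]

if __name__ == "__main__":
    for p in select_targets(SAMPLE_LISTING):
        print("would encrypt:", p)
```

Note that the UNC path is selected: the skip lists say nothing about network locations, which matches the analysis's observation that Pandora walks network drives as well as local ones.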
Pandora writes two values, Private and Public, under the HKCU\Software registry key. Public holds the public key used to encrypt the user's files; Private holds the private key in protected form. The decryptor tool the victim receives after paying the ransom reads this material from the registry to decrypt the locked files. Because the Private value is protected, its presence in the registry does not by itself enable recovery, but both values are reliable host indicators of infection.
Indicator type | Value
---|---
Binary (SHA-256) | 5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b
Registry value | HKCU\Software\Private
Registry value | HKCU\Software\Public
Dropped file | Restore_My_Files.txt
Mutex | ThisIsMutexa
Encrypted-file extension | .pandora
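As an added triage example (not CloudSEK's tooling), the Python below checks exported host telemetry for the indicators in the table above. The event format ('<kind> <payload>', with kind one of mutex, reg, proc or file) and all sample lines are constructed; the vssadmin arguments in the sample are illustrative, since the analysis does not quote the exact command line.

```python
import re
from typing import Dict, List

# Host artefacts from the analysis above.
MUTEX_NAME = "ThisIsMutexa"
REG_VALUES = {r"HKCU\Software\Private", r"HKCU\Software\Public"}
RANSOM_NOTE = "Restore_My_Files.txt"
ENC_EXT = ".pandora"
# Shadow copies are removed through vssadmin; the exact argument string is not
# given in the analysis, so match the generic "vssadmin ... delete shadows" form.
VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)


def triage(events: List[str]) -> Dict[str, List[str]]:
    """Map indicator name -> matching event lines. Event lines use a made-up
    '<kind> <payload>' format: kind is mutex, reg, proc or file."""
    hits: Dict[str, List[str]] = {}
    for line in events:
        kind, _, rest = line.partition(" ")
        rest = rest.strip()
        tag = None
        if kind == "mutex" and rest == MUTEX_NAME:
            tag = "mutex"
        elif kind == "reg" and rest.split("=", 1)[0].strip() in REG_VALUES:
            tag = "registry"
        elif kind == "proc" and VSSADMIN_RE.search(rest):
            tag = "vssadmin"
        elif kind == "file":
            name = rest.replace("\\", "/").rsplit("/", 1)[-1]
            if name == RANSOM_NOTE:
                tag = "ransom_note"
            elif name.lower().endswith(ENC_EXT):
                tag = "encrypted_file"
        if tag:
            hits.setdefault(tag, []).append(line)
    return hits


# Constructed telemetry; the vssadmin command line is illustrative only.
SAMPLE_EVENTS = [
    "mutex ThisIsMutexa",
    "mutex MSCTF.Asm.MutexDefault1",
    r"reg HKCU\Software\Public=<4096-bit key blob>",
    r"reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run=OneDrive",
    r'proc "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet',
    r"proc C:\Windows\System32\svchost.exe -k netsvcs",
    r"file C:\Users\alice\Desktop\Restore_My_Files.txt",
    r"file C:\Users\alice\Desktop\budget.xlsx.pandora",
    r"file C:\Users\alice\Desktop\budget.xlsx",
]

if __name__ == "__main__":
    for indicator, lines in triage(SAMPLE_EVENTS).items():
        print(indicator, "->", lines)
```

Of these, the vssadmin child process is the most actionable signal because it occurs before encryption starts; the ransom note and .pandora files only confirm that encryption is already under way. The registry value names are deliberately generic, so the match is on the full path directly under HKCU\Software rather than on the names Private and Public alone.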