Impact: Most files on the compromised machines are encrypted.

The Pandora ransomware group emerged into the already crowded ransomware field as early as mid-February 2022 and targets corporate networks for financial gain. The group got recent publicity after they announced that they had acquired data from an international supplier in the automotive industry. The incident came as a surprise, as the attack came two weeks after another automotive supplier was reportedly hit with unknown ransomware, which resulted in one of the world’s biggest car manufacturers suspending factory operations. The threat group uses the double extortion method to increase pressure on the victim. This means that they not only encrypt the victim’s files, but also exfiltrate them and threaten to release the data if the victim does not pay. The Pandora group has a leak site on the Dark Web (TOR network), where they publicly announce their victims and threaten them with the data leak. There are currently three victims listed on the leak site (see Figure 1): a U.S.-based real estate agency, a Japanese technology company, and a U.S.

It is the ransomware itself, so by the time this file is executed during an attack, the attackers probably already had extensive access to the victim’s network, and they had already exfiltrated the data they will use for the extortion. This sample does not have the capability to communicate with the threat actors. Its sole purpose is to find and encrypt files. However, it does this in an interesting and complex manner. In the following sections these interesting aspects of the malware will be discussed.

The sample goes through the following steps:

1) Unpacking: The sample is packed with a modified UPX packer (T1027.002), so the first step is to unpack the real content to memory and jump to it. Note that “T” followed by numbers within brackets refers to a MITRE ATT&CK technique ID; these are summarized at the end of the post.
2) Mutex: It creates a mutex called ThisIsMutexa.
3) Disable Security Features: It can delete Windows shadow copies (T1490), bypass AMSI (T1562.001), and disable Event Logging (T1562.002).
4) Collects system information: GetSystemInfo() is used to collect information about the local system.
5) Loads Hardcoded Public Key: A public key is hardcoded in the malware sample. This will be discussed later.
6) Store Private and Public Keys in Registry: A private key is generated, and both the hardcoded public key and the newly generated private key are stored in the registry (T1112). This is used to set up the cryptography for encryption.
7) Search Drives: It searches for unmounted drives on the system and mounts them to encrypt them as well (T1005).
8) Setup Multi-Threading: The sample uses worker threads to distribute the encryption process. More on these features later.
9) Enumerate Filesystem: The worker threads start to enumerate the filesystems of the identified drives (T1083).
10) Drop Ransom Note: The ransom note is dropped in every folder as Restore_My_Files.txt.
11) Check File Name Blacklist: For every file and folder, a blacklist of file/folder names is checked.
12) Check File Extension Blacklist: Each file is checked against a file extension blacklist. If the file/folder is on the blacklist it will not be encrypted. More on this later.
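The ransom-note drop in step 10 (one Restore_My_Files.txt per folder) is a behaviour a defender can alert on: a single process writing that filename into many distinct folders within seconds. The following is an added detection example, not code from the original post or from the malware analysis; the JSON file-creation events, process names and paths are constructed for illustration, and the thresholds are assumptions to tune per environment.

```python
import json
from collections import defaultdict

# Indicator taken from the analysis above: the note dropped in every folder.
RANSOM_NOTE = "Restore_My_Files.txt"

# Constructed sample telemetry (not real logs): simplified FileCreate events,
# one JSON object per line. pid 4242 behaves like the ransomware, pid 7 is a
# user copying one note around, pid 9 writes notes too slowly to matter.
SAMPLE_LOG = r'''
{"ts": 1000, "pid": 4242, "image": "C:\\Users\\Public\\pandora.exe", "path": "C:\\Users\\alice\\Documents\\Restore_My_Files.txt"}
{"ts": 1001, "pid": 4242, "image": "C:\\Users\\Public\\pandora.exe", "path": "C:\\Users\\alice\\Pictures\\Restore_My_Files.txt"}
{"ts": 1001, "pid": 4242, "image": "C:\\Users\\Public\\pandora.exe", "path": "C:\\Users\\alice\\DOCUMENTS\\Restore_My_Files.txt"}
{"ts": 1002, "pid": 4242, "image": "C:\\Users\\Public\\pandora.exe", "path": "C:\\Users\\alice\\Desktop\\Restore_My_Files.txt"}
{"ts": 1005, "pid": 4242, "image": "C:\\Users\\Public\\pandora.exe", "path": "D:\\Share\\Finance\\Restore_My_Files.txt"}
{"ts": 1010, "pid": 7, "image": "C:\\Windows\\explorer.exe", "path": "C:\\Users\\bob\\Desktop\\Restore_My_Files.txt"}
{"ts": 5000, "pid": 9, "image": "C:\\Windows\\notepad.exe", "path": "C:\\Temp\\a\\Restore_My_Files.txt"}
{"ts": 5100, "pid": 9, "image": "C:\\Windows\\notepad.exe", "path": "C:\\Temp\\b\\Restore_My_Files.txt"}
{"ts": 5200, "pid": 9, "image": "C:\\Windows\\notepad.exe", "path": "C:\\Temp\\c\\Restore_My_Files.txt"}
'''

def split_path(path):
    # Lower-case both parts so differently-cased paths to one folder match.
    folder, _, name = path.lower().rpartition("\\")
    return folder, name

def detect_note_spray(log_text, min_folders=3, window=60):
    """Flag processes that wrote RANSOM_NOTE into at least `min_folders`
    distinct folders within any `window`-second span: {pid: (image, count)}."""
    hits = defaultdict(list)   # pid -> [(ts, folder)]
    images = {}
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        folder, name = split_path(ev["path"])
        if name != RANSOM_NOTE.lower():
            continue                       # ignore ordinary file writes
        hits[ev["pid"]].append((ev["ts"], folder))
        images[ev["pid"]] = ev["image"]
    alerts = {}
    for pid, drops in hits.items():
        drops.sort()                       # sliding window over time
        worst = 0
        for i, (start, _) in enumerate(drops):
            in_window = {f for t, f in drops[i:] if t - start <= window}
            worst = max(worst, len(in_window))
        if worst >= min_folders:
            alerts[pid] = (images[pid], worst)
    return alerts
```

Running detect_note_spray(SAMPLE_LOG) flags only pid 4242 (four folders in a few seconds); pid 7's single note and pid 9's slow writes stay below the threshold.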