Wednesday, March 27

Analysis: Looking Inside Pandora’s Box



In Greek mythology, the opening of the infamous Pandora's box released terrible things into the world. The same can be said of today's ransomware, and the newly emerged Pandora ransomware, which takes its name from the myth, is no exception. It steals data from the victim's network, encrypts the victim's files, and publishes the stolen data if the victim chooses not to pay. The myth says that hope was left behind in the box. Is that true for Pandora, an emerging malware family that showcases all the techniques used by modern ransomware? In this article, analysts from Fortinet's threat intelligence lab, FortiGuard Labs, take a peek inside Pandora's box to discover what it holds.

The Pandora group

The Pandora ransomware group emerged in the already crowded ransomware field in mid-February 2022 and targets corporate networks for financial gain. The group recently gained publicity after announcing that it had acquired data from an international supplier in the automotive industry. The incident came as a surprise because the attack followed two weeks after another automotive supplier was hit with unknown ransomware, an incident that caused one of the world's largest automakers to suspend factory operations. The group uses double extortion to increase the pressure on the victim: it not only encrypts the victim's files, but also exfiltrates them and threatens to release the data if the victim does not pay.

The Pandora group operates a leak site on the dark web (Tor network), where it publicly names its victims and threatens them with publication of the stolen data. Three victims are currently listed on the leak site (see Figure 1): a US-based real estate agency, a Japanese technology company, and a US law firm.


Malware execution flow

FortiGuard Labs analyzed a Pandora malware sample delivered as a 64-bit Windows PE file. The sample follows these steps:

1) Unpacking: The malware is packed, so the first step is to unpack the actual payload into memory.

2) Mutex: A mutex is created, the usual guard that keeps more than one instance of the malware from running on the same system at once.

3) Disable recovery features: Windows Volume Shadow Copies are deleted, removing a local restore path for the files that are about to be encrypted.

4) Collect system information: Information about the local system is gathered.

5) Load the embedded public key: A public key encoded in the malware is loaded to set up the cryptography used for encryption.

6) Store private and public keys in the registry: A private key is generated, and both the encoded public key and the newly generated private key are stored in the registry.

7) Drive search: The malware searches for unmounted volumes on the system and mounts them so that they can be encrypted as well.

8) Multi-threaded setup: The malware uses worker threads to parallelize the encryption process.

9) Enumerate the file systems: The worker threads begin enumerating the file systems of the identified drives.

10) Drop the ransom note: A ransom note is dropped in every folder.

11) Check the file and folder name blacklist: Each file and folder is checked against a blacklist of file and folder names. Anything on the blacklist is not encrypted.

12) Check the file extension blacklist: Each file is checked against a blacklist of file extensions. If the extension is listed, the file is not encrypted.

13) Unlock the file: If a file is locked by a running process, the malware attempts to unlock it using the Windows Restart Manager.

14) Encrypt the file: The worker threads encrypt the file and write the ciphertext back in place over the original.

15) Rename the file: After encryption is complete, the file is renamed to [original-name].Pandora
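Several steps in the flow above leave host telemetry a defender can correlate: the shadow copy deletion (step 3), the ransom note dropped into every folder (step 10), and the mass rename to a single new extension (step 15). The following is an added detection example, not FortiGuard's code and not taken from the Pandora sample. It runs over a constructed, Sysmon-like event list whose field names are assumptions, and the ransom note file name RESTORE_FILES.txt is a placeholder, since the article does not name it. The shadow-copy command patterns are the methods commonly seen in ransomware; the article says only that shadow copies are deleted, not how.

```python
"""Correlate three ransomware indicators per process: shadow copy deletion,
a note file written into many folders, and many files renamed to one new
extension. Added example; event schema and sample values are constructed."""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Common shadow-copy wipe command lines (assumption: not confirmed for Pandora).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I | re.S),
]

NOTE_MIN_DIRS = 3      # same file name written into at least this many folders
RENAME_MIN_FILES = 5   # at least this many files gained the same new extension


def detect_shadow_copy_deletion(events):
    """Return the set of pids whose process-creation command line wipes shadow copies."""
    return {ev["pid"] for ev in events
            if ev["type"] == "proc"
            and any(p.search(ev["cmdline"]) for p in SHADOW_DELETE_PATTERNS)}


def detect_note_drop(events, min_dirs=NOTE_MIN_DIRS):
    """Return {pid: file_name} where one pid wrote the same file name into many folders."""
    dirs = defaultdict(set)  # (pid, lower-cased basename) -> distinct parent directories
    for ev in events:
        if ev["type"] != "file":
            continue
        p = PureWindowsPath(ev["target"])
        dirs[(ev["pid"], p.name.lower())].add(str(p.parent).lower())
    return {pid: name for (pid, name), d in dirs.items() if len(d) >= min_dirs}


def detect_mass_rename(events, min_files=RENAME_MIN_FILES):
    """Return {pid: extension} where one pid appended the same new extension to many files."""
    ext_count = defaultdict(Counter)  # pid -> Counter of appended extensions
    for ev in events:
        if ev["type"] != "rename":
            continue
        old, new = PureWindowsPath(ev["old"]), PureWindowsPath(ev["new"])
        # Only count renames that keep the old name and append one more suffix.
        if new.suffix and new.name.lower().startswith(old.name.lower()):
            ext_count[ev["pid"]][new.suffix.lower()] += 1
    out = {}
    for pid, counts in ext_count.items():
        ext, n = counts.most_common(1)[0]
        if n >= min_files:
            out[pid] = ext
    return out


def score(events):
    """Merge the three indicators per pid; one pid hitting all three matches steps 3, 10 and 15."""
    shadow = detect_shadow_copy_deletion(events)
    notes = detect_note_drop(events)
    renames = detect_mass_rename(events)
    return {pid: {"shadow_copy_deletion": pid in shadow,
                  "ransom_note": notes.get(pid),
                  "new_extension": renames.get(pid)}
            for pid in shadow | set(notes) | set(renames)}


# Constructed sample telemetry (not real victim data). pid 4120 is the suspect.
MALWARE_PID = 4120
DOCS = r"C:\Users\jdoe\Documents"
SAMPLE_EVENTS = [
    # Benign noise: listing shadow copies is not deleting them.
    {"type": "proc", "pid": 812, "cmdline": "vssadmin.exe list shadows"},
    # Step 3: shadow copies deleted by the suspect process.
    {"type": "proc", "pid": MALWARE_PID, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    # Benign noise: one ordinary rename by the user, which does not append a suffix.
    {"type": "rename", "pid": 2208, "old": DOCS + r"\draft.docx", "new": DOCS + r"\final.docx"},
]
# Steps 10 and 15: note dropped in every folder, files renamed to <name>.Pandora.
for folder in (DOCS, DOCS + r"\Reports", r"C:\Users\jdoe\Pictures", r"E:\Share\Finance"):
    SAMPLE_EVENTS.append({"type": "file", "pid": MALWARE_PID,
                          "target": folder + r"\RESTORE_FILES.txt"})  # placeholder note name
    for i in range(2):
        name = folder + rf"\doc{i}.xlsx"
        SAMPLE_EVENTS.append({"type": "rename", "pid": MALWARE_PID,
                              "old": name, "new": name + ".Pandora"})

if __name__ == "__main__":
    for pid, finding in score(SAMPLE_EVENTS).items():
        print(pid, finding)
```

The benign entries show why each rule is scoped the way it is: `vssadmin list shadows` must not trip the wipe rule, and a single user rename that changes the base name must not count toward the extension burst. In practice the thresholds would be tuned per environment, and the three indicators scored together rather than alerting on any one alone.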

One of the most significant aspects of Pandora ransomware is its extensive use of anti-analysis and obfuscation techniques to hinder reverse engineering and bypass security controls. This is not new for malware, but Pandora is at the extreme end in terms of how much effort is spent on slowing down analysis.

The analyzed Pandora ransomware sample is detected by the FortiGuard antivirus signature W64/Filecoder.EGYTYFD!tr.ransom.

Conclusion

Pandora ransomware contains all the main features usually found in current-generation ransomware samples. The level of obfuscation used to slow down analysis is more advanced than that of the average malware. The group also paid attention to unlocking files held open by running processes, to maximize encryption coverage while still leaving the system able to function.

There is currently no evidence that Pandora operates as Ransomware-as-a-Service (RaaS), but the time invested in the malware's complexity could indicate that the group is moving in that direction in the long term. The current attacks and leaks may be a way to make a name for themselves in the ransomware field, which they could capitalize on if they adopt the RaaS model later. The threat actor is worth tracking to see how the malware evolves, and FortiGuard Labs will continue to do so. Defenders must remain vigilant and prepared with detection, prevention, and response capabilities, as Pandora will most likely continue to develop its tooling.







diarioti.com