Rewterz Threat Alert – Pandora Ransomware – Active IOCs

Severity

High

Analysis Summary

The Pandora ransomware has infected the Japan-based DENSO Corporation, one of the world’s leading automotive parts manufacturers. DENSO stated that their corporate network in Germany was breached, and they acted fast to prevent the intruder from damaging additional systems. The corporation claims that operations were unaffected; however, Pandora has begun disclosing some of the 1.4 TB of files it claims to have stolen.

Pandora ransomware made headlines in March 2022 after targeting a number of high-profile victims on its leak site. This group encrypts system-stored data with RSA-2048 algorithms and demands a ransom to decrypt it. To demonstrate that file access has been restricted, cybercriminals assign the .pandora extension to affected samples. For example, a file entitled 1.pdf will be renamed 1.pdf.pandora and reset its original icon. A ransom note is provided in the file named “Restore_My_Files.txt” file.

The ransomware note reads:

### What happened?

#### !!!Your files are encrypted!!!

*All your files are protected by strong encryption with RSA-2048.*

*There is no public decryption software.*

*We have successfully stolen your confidential document data, finances, emails, employee information, customers, research and development products…*

#### What is the price?

*The price depends on how fast you can write to us.*

*After payment, we will send you the decryption tool which will decrypt all your files.*

#### What should I do?

*There is only one way to get your files back –>>Contact us, pay and get decryption software.*

*If you decline payment, we will share your data files with the world.*

*You can browse your data breach here:

************

(you should download and install TOR browser first hxxps://torproject.org)

#### !!!Decryption Guaranteed!!!

*Free decryption As a guarantee, you can send us up to 3 free decrypted files before payment.*

#### !!!Contact us!!!

email:

contact@pandoraxyz.xyz

#### !!!Warning!!!

*Do not attempt to decrypt your data using third-party software, this may result in permanent data loss.*

*Decrypting your files with the help of a third party may result in a price increase (they charge us a fee), or you may fall victim to a scam.*

*Don’t try to delete programs or run antivirus tools. It won’t work.*

*Attempting to self-decrypt the file will result in the loss of your data.*

Impact

• Unauthorized Access
• Data Exfiltration
• File Encryption

Indicators of Compromise

Filename

• 1vfrk1jrt[.]dll
• 7NM2J[.]txt

MD5

• bec9b3480934ce3d30c25e1272f60d02
• afdf739eb186e2ec8088b008797d1f6d
• 0c4a84b66832a08dccc42b478d9d5e1b
• 511501033ca23754113686ac70f629db

SHA-256

• f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789
• ebfdee6e5fe2aa5699280248a5e7b714ca18e5bfd284cac0ba4fb88ccbcec5b6
• 5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b
• 2c940a35025dd3847f7c954a282f65e9c2312d2ada28686f9d1dc73d1c500224

SHA-1

• 104d9e31e34ba8517f701552594f1fc167550964
• f611c2976ebb080214eddd905d30628230f2280d
• 160320b920a5ef22ac17b48146152ffbef60461f
• 26a02a149aca6a8a43e2dca5c75a6360cfe54c50

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.