Rewterz Threat Alert – Pandora Ransomware – Active IOCs

Severity

High

Analysis Summary

The Pandora ransomware has infected the Japan-based DENSO Corporation, one of the world’s leading automotive parts manufacturers. DENSO stated that their corporate network in Germany was breached, and they acted fast to prevent the intruder from damaging additional systems. The corporation claims that operations were unaffected; however, Pandora has begun disclosing some of the 1.4 TB of files it claims to have stolen.

Pandora ransomware made headlines in March 2022 after targeting a number of high-profile victims on its leak site. This group encrypts system-stored data with RSA-2048 algorithms and demands a ransom to decrypt it. To demonstrate that file access has been restricted, cybercriminals assign the .pandora extension to affected samples. For example, a file entitled 1.pdf will be renamed 1.pdf.pandora and reset its original icon. A ransom note is provided in the file named “Restore_My_Files.txt” file.

The ransomware note reads:

### What happened?

#### !!!Your files are encrypted!!!

*All your files are protected by strong encryption with RSA-2048.*

*There is no public decryption software.*

*We have successfully stolen your confidential document data, finances, emails, employee information, customers, research and development products…*

#### What is the price?

*The price depends on how fast you can write to us.*

*After payment, we will send you the decryption tool which will decrypt all your files.*

#### What should I do?

*There is only one way to get your files back –>>Contact us, pay and get decryption software.*

*If you decline payment, we will share your data files with the world.*

*You can browse your data breach here:

************

(you should download and install TOR browser first hxxps://torproject.org)

#### !!!Decryption Guaranteed!!!

*Free decryption As a guarantee, you can send us up to 3 free decrypted files before payment.*

#### !!!Contact us!!!

email:

contact@pandoraxyz.xyz

#### !!!Warning!!!

*Do not attempt to decrypt your data using third-party software, this may result in permanent data loss.*

*Decrypting your files with the help of a third party may result in a price increase (they charge us a fee), or you may fall victim to a scam.*

*Don’t try to delete programs or run antivirus tools. It won’t work.*

*Attempting to self-decrypt the file will result in the loss of your data.*

Impact

• Unauthorized Access
• Data Exfiltration
• File Encryption

Indicators of Compromise

MD5

• 7cf555f19ba515243ee821151f74ee2f

SHA-256

• bd8f2ba8c8ffb37cbbe32c62fd2548b830e4563ecf0580bb0488fa87b7ca4442

SHA-1

• fc0f14627acf46d6376a35d51b3077298aa56295

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.