{
	"id": "4f51cea4-1252-4d66-8b8e-53a1350eff36",
	"created_at": "2026-04-06T00:21:48.812538Z",
	"updated_at": "2026-04-10T03:21:34.328461Z",
	"deleted_at": null,
	"sha1_hash": "b5f7f60154df3d7eb250cfe3d7bcabba33d92882",
	"title": "Technical Analysis of Emerging, Sophisticated Pandora Ransomware Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 327728,
	"plain_text": "Technical Analysis of Emerging, Sophisticated Pandora\r\nRansomware Group\r\nPublished: 2025-08-21 · Archived: 2026-04-05 13:57:00 UTC\r\n2021 saw an outbreak of ransomware groups and attacks that affected every major industry across the globe. This trend is expected to continue and to surpass the previous year’s numbers by a significant margin in 2022.\r\nIn March 2022, researchers detected a new ransomware strain known as Pandora, which uses double extortion: it exfiltrates large quantities of personal data before encrypting it, and the operators hand over the decryption key only once the victim pays the ransom demanded. Pandora is a relatively new operation, so its initial infection techniques are not yet known.\r\nOnce it has infiltrated the target system, however, the ransomware appends the “.pandora” extension to the encrypted files and leaves a ransom note, “Restore_My_Files.txt”, with instructions on how to recover the data.\r\nResearchers believe that Pandora is a rebranded version of Rook ransomware, which in turn is derived from the leaked Babuk source code. This article walks through the technical analysis of the Pandora ransomware: its evasion tactics, its encryption process, and more.\r\nTechnical Analysis of Pandora\r\nAnalysis of the Pandora binary sample, 5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b, shows that it is a UPX (Ultimate Packer for eXecutables) packed executable. UPX is an executable compressor that threat actors use to add a layer of obfuscation to their malware: the real code is not visible in the file on disk and is only reconstructed once the UPX stub has unpacked it in memory, after which execution continues from the original entry point. Unpacking the sample (upx -d, or dumping the process after the stub has run) is therefore the first step of the analysis.\r\nRansomware code running from the entry point\r\nThe ransomware uses obfuscated strings and deobfuscates library names and internal function names at runtime. 
The library modules used by Pandora are loaded on demand, one import at a time, through the following APIs:\r\nLoadLibraryA\r\nGetProcAddress\r\nGetModuleHandleA\r\nThis keeps the import table of the unpacked binary nearly empty, so static import analysis reveals little; the resolved names only become visible by breaking on GetProcAddress or by dumping the decoded strings at runtime.\r\nInitially, the ransomware creates a mutex (a mutual exclusion object, normally used to let threads take turns on a shared resource) to make sure only one instance of the malware runs on the system. The mutex name, “ThisIsMutexa”, is deobfuscated in memory, and the malware checks whether a mutex of that name already exists via OpenMutexA.\r\nhttps://cloudsek.com/technical-analysis-of-emerging-sophisticated-pandora-ransomware-group/\r\nPage 1 of 10\r\nIf none is present, the malware creates one named “ThisIsMutexa” via CreateMutexA. The name is a convenient host-based indicator.\r\nAnti-debug Mechanism\r\nThe malware implements an anti-debug check to hinder analysis.\r\nAnti Debug Check\r\nThe code highlighted in the image above reads the pointer at offset 0x60 from the GS segment base. On Windows the FS (x86) and GS (x64) segment registers point to the Thread Environment Block (TEB), which begins with the Thread Information Block (TIB); at offset 0x60 of the x64 TEB lies the pointer to the Process Environment Block (PEB), so this read obtains the PEB address of the current process.\r\nThe malware then reads the byte at offset 0x2 in the PEB (ds:[rsi+2]), which is the BeingDebugged member of the PEB structure, and compares it with 0. When a user-mode debugger is attached, BeingDebugged is non-zero, and in that case the malware enters an infinite loop and never proceeds. This is the same flag that IsDebuggerPresent returns, so the standard countermeasure applies: clear PEB.BeingDebugged before the check (by hand in the debugger, or with a debugger plugin that hides the PEB) and the sample runs normally.\r\nEvasion Techniques\r\nInstrumentation Callback Bypass\r\nEndpoint security products can register a process instrumentation callback, which the kernel invokes whenever execution returns from kernel mode to user mode in that process (for example on return from a system call). This gives them a vantage point for spotting behavioral anomalies and novel malware without placing inline hooks in the process. 
Pandora removes such a callback from its own process via NtSetInformationProcess, the native call that changes a process’s attributes.\r\nNtSetInformationProcess is invoked with ProcessInstrumentationCallback (information class 40, 0x28) as the ProcessInformationClass.\r\nNtSetInformationProcess being invoked\r\nThe third argument in the above image points to a 0x10-byte (16-byte) PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION structure, the buffer that goes with this information class.\r\nThe third argument (16-byte structure)\r\nThe members and their values are:\r\nVersion=0 (0 for x64, 1 for x86)\r\nReserved=0\r\nCallback=0\r\nIf a security product has hooked the malware’s process through the Callback member, calling NtSetInformationProcess this way with Callback set to 0 (NULL) replaces the registered callback with nothing and so disables the hook. Two caveats for analysts: setting this information class requires SeDebugPrivilege on Windows 10 and later, so the bypass presupposes an elevated token, and it only silences the kernel-to-user transition callback, not ETW providers, which is why the malware deals with ETW separately next.\r\nEvent Tracing Bypass\r\nEvent Tracing for Windows (ETW) is a tracing facility built into the operating system that records events from both user-mode and kernel-mode components. Endpoint security solutions rely on it heavily to detect anomalous behavior in running programs, and malware developers have responded by building in code that neutralizes the tracing. One common vector is patching the ETW-related functions exported by ntdll.dll in memory.\r\nThe ransomware obtains a handle to ntdll.dll and deobfuscates the string “EtwEventWrite”.\r\nDeobfuscation of “EtwEventWrite”\r\nThe address of the EtwEventWrite function is then obtained with the GetProcAddress API. 
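\r\nThe address returned by GetProcAddress is the byte the sample overwrites, and it is also the byte a defender reads back to check for tampering. As an added example (not code from the article or from the Pandora sample), the following Python models both sides on constructed byte strings: patch_with_ret applies the sample’s one-byte 0xC3 overwrite, and scan_exports compares the live prologues of the ETW-related exports against a clean copy and reports the stub it finds. The export names are real ntdll.dll exports, but the prologue bytes, the stub list beyond the bare ret, and the function names are this example’s own; a real scanner takes the clean bytes from the on-disk ntdll.dll and the live bytes from the target process with ReadProcessMemory.\r\n
```python
# Added example, not code from the article or the Pandora sample. It models
# the one-byte patch the sample writes over EtwEventWrite and the prologue
# comparison a defender uses to detect it. Every byte string below is
# constructed for the demo: a real scanner reads clean bytes from the on-disk
# ntdll.dll and live bytes from the target process (ReadProcessMemory) and
# then runs the same comparison.
from typing import Dict, Optional

RET = 0xC3  # opcode of ret, the single byte the ransomware writes

# Stubs that ETW-patching malware commonly writes over a function's first
# bytes. Pandora uses the bare ret; the other two are included so that the
# scanner also recognises the common variants.
KNOWN_STUBS: Dict[str, bytes] = {
    'ret': bytes([RET]),
    'xor eax,eax; ret': bytes.fromhex('33c0c3'),
    'mov eax,0; ret': bytes.fromhex('b800000000c3'),
}

# Constructed stand-ins for the first 8 bytes of three real ntdll exports.
CLEAN_PROLOGUES: Dict[str, bytes] = {
    'EtwEventWrite': bytes.fromhex('4c8bdc4983ec4848'),
    'EtwEventWriteFull': bytes.fromhex('48895c240848896c'),
    'NtTraceEvent': bytes.fromhex('4c8bd1b8c1000000'),
}


def patch_with_ret(region: bytearray, offset: int = 0) -> bytearray:
    # Attacker step: once VirtualProtectEx has made the page writable,
    # WriteProcessMemory stores 0xC3 at the function's first byte.
    region[offset] = RET
    return region


def classify_prologue(live: bytes, clean: bytes) -> Optional[str]:
    # None when the live bytes match the clean image; otherwise a label
    # naming the stub found, or its leading bytes if it is not a known one.
    if not live:
        return 'unreadable'
    if live[:len(clean)] == clean:
        return None
    for name, stub in KNOWN_STUBS.items():
        if live[:len(stub)] == stub:
            return 'patched: ' + name
    return 'patched: unknown stub ' + live[:4].hex()


def scan_exports(live: Dict[str, bytes], clean: Dict[str, bytes]) -> Dict[str, str]:
    # Defender step: compare every export of interest and return only those
    # whose live prologue differs from the clean image.
    findings: Dict[str, str] = {}
    for name, clean_bytes in clean.items():
        verdict = classify_prologue(live.get(name, b''), clean_bytes)
        if verdict is not None:
            findings[name] = verdict
    return findings


def demo() -> Dict[str, str]:
    # Copy the clean prologues into a pretend process, patch EtwEventWrite
    # exactly as the sample does, then scan.
    process = {name: bytearray(b) for name, b in CLEAN_PROLOGUES.items()}
    patch_with_ret(process['EtwEventWrite'])
    return scan_exports({n: bytes(b) for n, b in process.items()}, CLEAN_PROLOGUES)


if __name__ == '__main__':
    print(demo())  # {'EtwEventWrite': 'patched: ret'}
```
\r\nThe comparison is deliberately against a clean image rather than against a fixed byte: a stub other than ret would still be caught, and a legitimate hotpatch would show up as an unknown stub for a human to triage rather than being silently accepted.\r\n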
With the function address in hand, the patch can be applied.\r\nBefore the malware starts patching, the protection of the committed page on which EtwEventWrite resides has to be changed, which is done via the VirtualProtectEx API.\r\nThe page holding the first instruction of EtwEventWrite is set to PAGE_EXECUTE_READWRITE so that it can be written.\r\nArguments passed to VirtualProtectEx\r\nThe WriteProcessMemory API is then used to write a single byte at the beginning of EtwEventWrite. The second argument points to the start of EtwEventWrite, and the third argument points to the one-byte payload that gets written there.\r\nThe data passed to WriteProcessMemory\r\nThe payload byte is 0xC3, the opcode for the “ret” instruction. EtwEventWrite therefore returns to its caller immediately, without executing the logic that would emit an event, whenever any code in the process calls it. The patch is local to the malware’s own process: every other process keeps an intact copy of ntdll.dll, and a scanner that compares the first bytes of EtwEventWrite in a live process against the on-disk image sees the overwritten byte.\r\nOne byte payload – 0xC3\r\nAfter patching, the protection of the page is restored to its original PAGE_EXECUTE_READ via VirtualProtectEx.\r\nMemory protection of EtwEventWrite\r\nPre-encryption Phase\r\nBefore encryption begins, the malware changes its own shutdown parameters via the SetProcessShutdownParameters API. This function sets the shutdown order of the calling process relative to the other processes on the system. 
Here the malware passes a shutdown level of zero. The system shuts processes down from the highest level to the lowest, so a level of zero makes the ransomware one of the last processes the operating system terminates at shutdown, giving it the longest possible time to finish encrypting.\r\nData passed to SetProcessShutdownParameters\r\nAfter setting the shutdown parameters, the malware empties the Recycle Bin via the SHEmptyRecycleBinA API, so that recently deleted originals cannot be restored from it.\r\nThe ransomware then raises its own priority to the highest class, REALTIME_PRIORITY_CLASS, via the SetPriorityClass API. The second argument is the “dwPriorityClass” parameter, which has the value 0x100.\r\nData passed to SetPriorityClass\r\nFinally, the volume shadow copies are deleted by launching a command line via ShellExecuteA; it runs vssadmin to delete the shadow copies, which removes the easiest local recovery path. On an endpoint with command-line logging, this vssadmin invocation with the ransomware as its parent process is one of the loudest pre-encryption signals the sample produces.\r\nDeleting shadow files using vssadmin\r\nEncryption Phase: Threading Model\r\nThe main thread of the malware creates two new threads that are responsible for encrypting user data.\r\nCreation of two new threads\r\nThe following APIs are used to create the threads:\r\nCreateThread\r\nSetThreadAffinityMask\r\nResumeThread\r\nThe threads are created with dwCreationFlags set to CREATE_SUSPENDED, given a processor affinity mask with SetThreadAffinityMask, and then started via ResumeThread.\r\nThe main thread then enumerates the drives and volumes present on the system via the following APIs:\r\nGetDriveTypeW\r\nFindFirstVolumeW\r\nGetVolumePathNamesForVolumeNameW\r\nSetVolumeMountPointW\r\nFindNextVolumeW\r\nGetLogicalDrives\r\nPandora uses Windows I/O completion ports to speed up the encryption process. 
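\r\nBefore taking the threading model apart, the pre-encryption steps just described are worth turning into a detection, since vssadmin deleting shadow copies from an unexpected parent process is one of the loudest signals a ransomware deployment gives off. The following Python, an added example that is not part of the article, runs that logic over constructed process-creation events in a made-up pipe-separated key=value format with Sysmon-style field names (EventID, Image, ParentImage, CommandLine). It goes beyond the article by also matching the wmic and wbadmin commands other families use for the same purpose; the file names in the sample events are invented.\r\n
```python
# Added example, not from the article: detection logic for the shadow-copy
# deletion described above, run over constructed process-creation events.
# The event format (pipe-separated key=value pairs with Sysmon-style field
# names) and every sample line are made up for this demo; the rules and the
# parent-process handling are the reusable part.
import re
from typing import Dict, List

# Shadow-copy deletion as Pandora does it via vssadmin, plus the wmic and
# wbadmin equivalents other families use (a generalisation beyond the
# article). Character classes are used instead of backslash escapes.
SHADOW_DELETE_RULES = [
    ('vssadmin delete shadows', re.compile('vssadmin([.]exe)? +delete +shadows', re.I)),
    ('vssadmin resize shadowstorage', re.compile('vssadmin([.]exe)? +resize +shadowstorage', re.I)),
    ('wmic shadowcopy delete', re.compile('wmic([.]exe)? +shadowcopy +delete', re.I)),
    ('wbadmin delete catalog', re.compile('wbadmin([.]exe)? +delete +catalog', re.I)),
]

# Constructed events: EventID 1 is process creation in Sysmon terms. The
# first and third are launched by a user-profile binary, as happens when
# the ransomware runs the command through ShellExecuteA.
SAMPLE_EVENTS = [
    'EventID=1|Image=C:\\Windows\\System32\\vssadmin.exe|ParentImage=C:\\Users\\victim\\Downloads\\update.exe|CommandLine=vssadmin.exe delete shadows /all /quiet',
    'EventID=1|Image=C:\\Windows\\System32\\vssadmin.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=vssadmin list shadows',
    'EventID=1|Image=C:\\Windows\\System32\\wbem\\WMIC.exe|ParentImage=C:\\Users\\victim\\Downloads\\update.exe|CommandLine=wmic shadowcopy delete',
    'EventID=1|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe Restore_My_Files.txt',
]


def parse_event(line: str) -> Dict[str, str]:
    # Splits k=v|k=v into a dict. Values may contain '=' (the /For=C: form
    # of vssadmin), so each pair is split on the first '=' only. A '|' inside
    # a command line would break this; the constructed events have none.
    fields: Dict[str, str] = {}
    for part in line.split('|'):
        key, _, value = part.partition('=')
        fields[key] = value
    return fields


def match_shadow_deletion(event: Dict[str, str]) -> List[str]:
    # Names of every rule whose pattern appears in the command line.
    cmd = event.get('CommandLine', '')
    return [name for name, rx in SHADOW_DELETE_RULES if rx.search(cmd)]


def detect(lines: List[str]) -> List[Dict[str, str]]:
    # One finding per matching process-creation event. The parent image is
    # kept because, when ShellExecuteA launched the command, the parent is
    # the ransomware process itself and therefore the thing to isolate.
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get('EventID') != '1':
            continue
        hits = match_shadow_deletion(ev)
        if hits:
            findings.append({'rule': hits[0],
                             'parent': ev.get('ParentImage', ''),
                             'command': ev.get('CommandLine', '')})
    return findings


if __name__ == '__main__':
    for f in detect(SAMPLE_EVENTS):
        print(f['rule'], '<-', f['parent'])
```
\r\nOn the constructed events the read-only “vssadmin list shadows” line and the notepad line produce no finding; the two deletions do, each carrying the parent image so the alert points at the process to kill rather than at vssadmin.exe itself.\r\n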
The following APIs orchestrate the search for and locking of user data:\r\nCreateIoCompletionPort\r\nPostQueuedCompletionStatus\r\nGetQueuedCompletionStatus\r\nInitially, the main thread of the malware creates an input/output (I/O) completion port via the CreateIoCompletionPort API.\r\nData passed to CreateIoCompletionPort\r\nThe fourth argument is “NumberOfConcurrentThreads”. Here it is two, so at most two threads may concurrently process completion packets from this port.\r\nCreating the port also creates an internal queue to which threads can post completion packets.\r\nThe two threads created earlier use this port to perform file enumeration and encryption on the infected system.\r\nRansomware in the wild has generally adopted this model to optimize encryption: it uses the cores of a multicore processor to enumerate and encrypt files concurrently. Worker threads fetch file paths and post them to the queue via PostQueuedCompletionStatus, while other threads retrieve the posted paths for encryption via GetQueuedCompletionStatus. In this model the port is used as a thread-safe work queue: the posted “completion packets” carry file paths rather than the results of real I/O.\r\nOptimization of the encryption process\r\nPandora uses RSA-4096 for encryption; the public key is embedded in the malware.\r\nPublic key embedded in the malware\r\nAs a preliminary step, the malware walks the directories of the network drives and drops the ransom note (Restore_My_Files.txt). 
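\r\nAs an added example that is not part of the article, the following Python models the queue-based pipeline described above: queue.Queue stands in for the completion port, put() for PostQueuedCompletionStatus and get() for GetQueuedCompletionStatus, and two consumer threads mirror NumberOfConcurrentThreads=2. The producer applies the directory, file-name and extension exclusion lists given in the Encryption Process section below before posting a path, as the sample’s enumerating thread does. The file tree is constructed in memory, no file is touched, and the per-file “encryption” is reduced to recording the rename to .pandora. Two simplifications are this example’s own: name matching is assumed to be case-insensitive (as the Windows file system is, though the article does not say so), and enumeration runs on the main thread for clarity, whereas in the sample the same worker threads both enumerate and encrypt.\r\n
```python
# Added example, not code from the article or the Pandora sample: a model of
# the queue-based enumeration/encryption pipeline described above. queue.Queue
# stands in for the completion port, put() for PostQueuedCompletionStatus,
# get() for GetQueuedCompletionStatus. The file tree is constructed in memory,
# nothing touches the disk, and the per-file work is reduced to recording the
# rename to .pandora. Assumption not stated in the article: name matching is
# case-insensitive, as the Windows file system is.
import ntpath
import queue
import threading
from typing import Dict, List, Optional

# Exclusion lists from the Encryption Process section, lower-cased once.
EXCLUDED_DIRS = {d.lower() for d in (
    'AppData', 'Boot', 'Windows.old', 'Tor Browser', 'Internet Explorer',
    'Google', 'Opera', 'Opera Software', 'Mozilla', 'Mozilla Firefox',
    'ProgramData', 'Program Files', 'Program Files (x86)', '#recycle')}
EXCLUDED_FILES = {f.lower() for f in (
    'Autorun.inf', 'boot.ini', 'bootfont.bin', 'bootsect.bak', 'bootmgr',
    'bootmgr.efi', 'bootmgfw.efi', 'desktop.ini', 'iconcache.db', 'ntldr',
    'Ntuser.dat', 'Restore_My_Files.txt')}
EXCLUDED_EXTS = {
    '.hta', '.exe', '.dll', '.cpl', '.ini', '.cab', '.idx', '.spl',
    '.cur', '.drv', '.hlp', '.icl', '.icns', '.ico', '.sys', '.ocx', '.pandora'}

SENTINEL: Optional[str] = None  # posted once per worker when enumeration ends

# Constructed file tree standing in for the FindFirstFileW/FindNextFileW walk.
SAMPLE_TREE = [
    'C:\\Users\\victim\\Documents\\report.docx',
    'C:\\Users\\victim\\Desktop\\notes.TXT',
    'D:\\shares\\finance\\budget.xlsx',
    'C:\\Users\\victim\\AppData\\Roaming\\Mozilla\\profiles.ini',
    'C:\\Users\\victim\\Desktop\\Restore_My_Files.txt',
    'C:\\Users\\victim\\Pictures\\holiday.jpg.pandora',
    'C:\\Program Files\\Tool\\tool.exe',
    'C:\\Boot\\BCD',
    'C:\\Users\\victim\\Desktop\\desktop.ini',
]


def should_encrypt(path: str) -> bool:
    # The exclusion checks the enumerating thread applies before posting:
    # excluded file name, any excluded directory component, excluded extension.
    parts = ntpath.normpath(path).split(ntpath.sep)
    name = parts[-1].lower()
    if name in EXCLUDED_FILES:
        return False
    if any(d.lower() in EXCLUDED_DIRS for d in parts[:-1]):
        return False
    return ntpath.splitext(name)[1] not in EXCLUDED_EXTS


def enumerate_files(tree: List[str], port: queue.Queue, workers: int) -> int:
    # Producer side: every path that passes the checks is posted with its
    # absolute path; at the end one sentinel per worker lets consumers exit.
    posted = 0
    for path in tree:
        if should_encrypt(path):
            port.put(path)
            posted += 1
    for _ in range(workers):
        port.put(SENTINEL)
    return posted


def encrypt_worker(port: queue.Queue, results: Dict[str, str], lock: threading.Lock) -> None:
    # Consumer side: block on the port, process the path, loop until sentinel.
    while True:
        path = port.get()
        if path is SENTINEL:
            return
        with lock:
            results[path] = path + '.pandora'


def run_pipeline(tree: List[str], workers: int = 2) -> Dict[str, str]:
    # workers=2 mirrors NumberOfConcurrentThreads=2 in the sample.
    port: queue.Queue = queue.Queue()
    results: Dict[str, str] = {}
    lock = threading.Lock()
    threads = [threading.Thread(target=encrypt_worker, args=(port, results, lock))
               for _ in range(workers)]
    for t in threads:
        t.start()
    enumerate_files(tree, port, workers)
    for t in threads:
        t.join()
    return results


if __name__ == '__main__':
    for original, renamed in sorted(run_pipeline(SAMPLE_TREE).items()):
        print(original, '->', renamed)
```
\r\nOf the nine constructed paths only three reach the consumers: the documents under the user profile and the file on the mapped share. The rest are stopped by a directory name (AppData, Mozilla, Program Files, Boot), by a reserved file name (Restore_My_Files.txt, desktop.ini) or by an extension (.exe, .pandora), which is exactly what keeps the machine bootable, the browser usable and already-encrypted output untouched.\r\n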
The ransom note is written with three APIs:\r\nCreateFileW\r\nWriteFile\r\nCloseHandle\r\nContents of the ransom note\r\nEncryption Process\r\nThe process described in this section is executed by the worker threads highlighted in the image below. These threads enumerate and encrypt data concurrently through the Windows I/O completion port.\r\nWorker Threads\r\nAfter dropping the ransom note, the malware uses FindFirstFileW to obtain a search handle and walk the files on the disk.\r\nEach entry returned is checked against a set of directory names, file names and file extensions.\r\nThe following directories are excluded from encryption:\r\nAppData\r\nBoot\r\nWindows.old\r\nTor Browser\r\nInternet Explorer\r\nGoogle\r\nOpera\r\nOpera Software\r\nMozilla\r\nMozilla Firefox\r\nProgramData\r\nProgram Files\r\nProgram Files (x86)\r\n#recycle\r\nThe following files are excluded from encryption:\r\nAutorun.inf\r\nboot.ini\r\nbootfont.bin\r\nbootsect.bak\r\nbootmgr\r\nbootmgr.efi\r\nbootmgfw.efi\r\ndesktop.ini\r\niconcache.db\r\nntldr\r\nNtuser.dat\r\nRestore_My_Files.txt\r\nAnd the following extensions are excluded from encryption:\r\n.hta\r\n.exe\r\n.dll\r\n.cpl\r\n.ini\r\n.cab\r\n.idx\r\n.spl\r\n.cur\r\n.drv\r\n.hlp\r\n.icl\r\n.icns\r\n.ico\r\n.sys\r\n.ocx\r\n.pandora\r\nThe exclusions serve the attacker: the boot files and system executables keep the machine bootable and the browsers usable, and the .pandora and Restore_My_Files.txt entries stop a worker from re-encrypting its own output or the note.\r\nAfter passing the exclusion checks, the absolute path of the file is computed and the thread calls PostQueuedCompletionStatus to submit the path to the queue created earlier via CreateIoCompletionPort.\r\nRight after that call, the same worker thread resumes fetching the absolute path of the next file via the FindNextFileW API.\r\nAnother worker thread can now call GetQueuedCompletionStatus to retrieve the absolute path of a target file and start encrypting the 
files.\r\nNext, the file’s attributes are reset via SetFileAttributesW to FILE_ATTRIBUTE_NORMAL (clearing read-only and similar flags that would otherwise block writing), and the file is opened and read for encryption via the following APIs:\r\nCreateFileW\r\nGetFileSizeEx\r\nReadFile\r\nSetFilePointerEx\r\nAfter positioning the file pointer on the target data, encryption begins by loading the public key into memory, and the encrypted data is written back to the file via the WriteFile API. The file is then renamed via MoveFileExW to add the “.pandora” extension.\r\nRenamed file with the “.pandora” extension\r\nRegistry Keys\r\nHKCU registry key\r\nPandora writes two values, Private and Public, under the HKCU\\Software key. The Public value holds the public key used to encrypt the user’s files, while the Private value holds the protected private key kept for decryption. The decryptor the victim receives after paying uses this registry data to decrypt the locked files. For responders this means the two values are both an indicator of compromise and material to preserve: export them before any cleanup or profile rebuild, since without them the decryptor has nothing to work with.\r\nIndicators of Compromise\r\nBinary\r\n5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b\r\nRegistry\r\nHKCU\\Software\\Private\r\nHKCU\\Software\\Public\r\nMutex\r\nThisIsMutexa\r\nDropped Files\r\nRestore_My_Files.txt\r\nSource: https://cloudsek.com/technical-analysis-of-emerging-sophisticated-pandora-ransomware-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://cloudsek.com/technical-analysis-of-emerging-sophisticated-pandora-ransomware-group/"
	],
	"report_names": [
		"technical-analysis-of-emerging-sophisticated-pandora-ransomware-group"
	],
	"threat_actors": [],
	"ts_created_at": 1775434908,
	"ts_updated_at": 1775791294,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5f7f60154df3d7eb250cfe3d7bcabba33d92882.pdf",
		"text": "https://archive.orkl.eu/b5f7f60154df3d7eb250cfe3d7bcabba33d92882.txt",
		"img": "https://archive.orkl.eu/b5f7f60154df3d7eb250cfe3d7bcabba33d92882.jpg"
	}
}