{
	"id": "9dead0db-db64-4eaf-88e9-ed3d40d87f38",
	"created_at": "2026-04-06T00:18:57.157587Z",
	"updated_at": "2026-04-10T03:21:49.587256Z",
	"deleted_at": null,
	"sha1_hash": "ec3ce3de4811fe46ca28ea7250d33820313c7c02",
	"title": "Cyble - Deep Dive Analysis – Pandora Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 800409,
	"plain_text": "Cyble - Deep Dive Analysis – Pandora Ransomware\r\nPublished: 2022-03-15 · Archived: 2026-04-05 17:37:10 UTC\r\nCyble Research Labs analyzes Pandora ransomware and the possibility that it is a re-brand of Rook ransomware.\r\nPandora ransomware came into the spotlight in March 2022 after naming some high-profile victims on its leak site. The group announced its first victim on 21 Feb 2022 and has posted around five victims to date.\r\nFigure 1: Pandora ransomware data leak site\r\nDuring a routine threat hunting exercise, Cyble Research Labs came across a sample of this ransomware. Upon execution, the file encrypts files on the victim’s system and drops a ransom note named “Restore_My_Files.txt” in each folder. Encrypted files are renamed with the extension “.Pandora”.\r\nFigure 2: Encrypted Files\r\nTechnical Analysis\r\nhttps://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/\r\nPage 1 of 7\n\nThe malware (SHA-256: 5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b) is packed with UPX. The unpacked payload is a Visual C++ binary. It carries encrypted strings and a large number of jumps and calls that make static analysis and debugging harder, as shown below.\r\nFigure 3: Code flow of Pandora Ransomware\r\nAt runtime the malware executes a decryption loop that recovers the encrypted strings, as shown in Figure 4.\r\nFigure 4: Decryption Loop\r\nInitially, the malware creates a mutex named “ThisIsMutexa” using the CreateMutexA() API to ensure that only one instance of the malware runs on the system. The fixed mutex name is itself a usable host indicator.\r\nFigure 5: Creates Mutex\r\nThe malware then loads ntdll.dll and calls NtSetInformationProcess() to raise its privileges and mark itself as a critical process. Terminating a critical process causes Windows to bugcheck, which discourages analysts and security tools from simply killing it. 
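The host artefacts this analysis attributes to the sample (the fixed mutex name above, and the vssadmin shadow-copy deletion, the .Pandora extension and the Restore_My_Files.txt note described in the rest of the write-up) translate directly into detection logic. The block below is an added example, not code from Cyble or from the sample, that replays constructed Sysmon-style events through such a detector. The flat event layout, the MutexCreate event type (Sysmon itself does not record mutexes, so it stands in for EDR object telemetry), the vssadmin command line and the five-file alert threshold are assumptions made for illustration; the indicator names come from the analysis.

```python
from collections import Counter

# Host artefacts the analysis attributes to the Pandora sample.
MUTEX_NAME = 'ThisIsMutexa'
RANSOM_NOTE = 'restore_my_files.txt'   # Restore_My_Files.txt, compared case-insensitively
ENCRYPTED_EXT = '.pandora'
# Assumed threshold: alert once one process has created this many .Pandora
# files, so a single stray file does not fire the rule.
ENCRYPTION_THRESHOLD = 5

SEP = chr(92)   # the Windows path separator, spelled without an escape sequence


def winpath(*parts):
    # Join components into a backslash-separated Windows path.
    return SEP.join(parts)


def basename(path):
    # Lower-cased final path component; accepts backslash or slash separators.
    return path.replace(SEP, '/').lower().rsplit('/', 1)[-1]


def alert(technique, rule, pid, evidence):
    return {'technique': technique, 'rule': rule, 'pid': pid, 'evidence': evidence}


def detect(events):
    # Single pass over simplified Sysmon-style event dicts; returns alert dicts.
    alerts = []
    encrypted_per_pid = Counter()
    for ev in events:
        kind = ev.get('event')
        pid = ev.get('pid')
        if kind == 'ProcessCreate':
            # T1490: vssadmin launched to delete shadow copies. Administrative
            # uses such as 'vssadmin list shadows' are deliberately ignored.
            image = basename(ev.get('image', ''))
            cmd = ev.get('cmdline', '').lower()
            if image == 'vssadmin.exe' and 'delete' in cmd and 'shadows' in cmd:
                alerts.append(alert('T1490', 'vssadmin shadow-copy deletion',
                                    pid, ev.get('cmdline')))
        elif kind == 'MutexCreate':
            # Sysmon does not log mutexes; this event type stands in for EDR
            # object telemetry. No ATT&CK ID in the write-up covers it.
            if ev.get('name') == MUTEX_NAME:
                alerts.append(alert(None, 'Pandora mutex created', pid, ev.get('name')))
        elif kind == 'FileCreate':
            # T1486: the ransom note and the bulk appearance of .Pandora files.
            target = ev.get('target', '')
            name = basename(target)
            if name == RANSOM_NOTE:
                alerts.append(alert('T1486', 'ransom note dropped', pid, target))
            elif name.endswith(ENCRYPTED_EXT):
                encrypted_per_pid[pid] += 1
                if encrypted_per_pid[pid] == ENCRYPTION_THRESHOLD:
                    alerts.append(alert('T1486', 'mass creation of .Pandora files',
                                        pid, target))
    return alerts


def sample_events():
    # Constructed telemetry for one infected host (not real logs).
    docs = winpath('C:', 'Users', 'alice', 'Documents')
    system32 = winpath('C:', 'Windows', 'System32')
    events = [
        {'event': 'MutexCreate', 'pid': 4242, 'name': MUTEX_NAME},
        {'event': 'ProcessCreate', 'pid': 4300, 'ppid': 4242,
         'image': winpath(system32, 'vssadmin.exe'),
         'cmdline': 'vssadmin delete shadows /all /quiet'},
        # benign administrative use of vssadmin that must not fire
        {'event': 'ProcessCreate', 'pid': 4301, 'ppid': 900,
         'image': winpath(system32, 'vssadmin.exe'),
         'cmdline': 'vssadmin list shadows'},
        # ordinary user activity that must not fire
        {'event': 'FileCreate', 'pid': 1200, 'target': winpath(docs, 'notes.docx')},
    ]
    for i in range(6):
        events.append({'event': 'FileCreate', 'pid': 4242,
                       'target': winpath(docs, 'report%d.xlsx.Pandora' % i)})
    events.append({'event': 'FileCreate', 'pid': 4242,
                   'target': winpath(docs, 'Restore_My_Files.txt')})
    return events


if __name__ == '__main__':
    for a in detect(sample_events()):
        print(a)
```

Run it as a script to print the four alerts the constructed host produces. Because the sample patches ETW and AMSI only inside its own process, telemetry of this kind, produced by kernel-side sensors, is what detection should rest on; in production the vssadmin rule should also carry parent-process context, since the sample launches vssadmin through ShellExecuteW().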
The malware then disables Event Tracing for Windows (ETW) for its own process by patching the EtwEventWrite() function, and also patches the Antimalware Scan Interface (AMSI) to evade detection by anti-virus products.\r\nAMSI lets applications hand script content and other buffers to the anti-malware product installed on the system for scanning at runtime; it covers PowerShell, JScript, VBScript, VBA macros and .NET assemblies, among others. Both patches are in-process: they blind the user-mode ETW providers and AMSI calls made from the malware’s own process, but they do not affect kernel-side telemetry (Sysmon, EDR sensors, kernel ETW providers), which can still observe the behaviour described below. In a native binary that runs no script content the AMSI patch has little practical effect, but it is a frequently reused evasion block.\r\nThe malware also calls SetProcessShutdownParameters() with a shutdown level of zero. This is not a scheduling priority: level 0 is the lowest shutdown level, so the process is among the last to be terminated during system shutdown, giving the malware as much time as possible to finish encrypting the compromised machine.\r\nAfter setting the shutdown level, the malware calls the SHEmptyRecycleBinA() API to empty the Recycle Bin, so that previously deleted files cannot be restored after encryption.\r\nLike other ransomware, the malware deletes Volume Shadow Copies by launching vssadmin through the ShellExecuteW() API, as shown in Figure 6.\r\nFigure 6: Deletes shadow copies\r\nBefore encrypting the machine, the malware enumerates volumes by calling APIs such as:\r\nGetDriveTypeW()\r\nFindFirstVolumeW()\r\nFindNextVolumeW()\r\nGetVolumePathNamesForVolumeNameW()\r\nGetLogicalDrives()\r\nBefore initiating encryption, the ransomware excludes specific folders from encryption, such as AppData, Boot, Windows, Windows.old, Tor Browser, Internet Explorer, Google, Opera, Opera Software, Mozilla, Mozilla Firefox, ProgramData, Program Files and Program Files (x86).\r\nThe ransomware also excludes certain files from encryption, such as autorun.inf, boot.ini, bootfont.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr and ntuser.dat.\r\nAdditionally, specific extensions are exempted from encryption: .pandora, .hta, .exe, .dll, .cpl, .ini, .cab, .cur, .drv, .hlp, .icl, .icns, .ico, .idx, .sys, .spl and .ocx. Skipping boot files, system folders and executables keeps the machine bootable so the victim can read the ransom note; skipping .pandora prevents already-encrypted files from being encrypted twice.\r\nFinally, the ransomware enumerates files using the FindFirstFileW() and FindNextFileW() APIs and proceeds to encrypt them.\r\nThe malware uses a multithreaded approach for faster encryption, built on the CreateThread(), SetThreadAffinityMask(), ResumeThread(), CreateIoCompletionPort() and GetQueuedCompletionStatus() APIs. SetThreadAffinityMask() binds worker threads to specific processors, and the I/O completion port APIs are the usual way of distributing work items to such a thread pool.\r\nOnce encryption is complete, the ransom note is displayed, as shown in Figure 7.\r\nFigure 7: Ransom note\r\nPossible ROOK ransomware re-brand:\r\nDuring our analysis, we found that the Tactics, Techniques and Procedures (TTPs) of Pandora and ROOK ransomware share many similarities.\r\nIn Dec 2021, ROOK ransomware posted on its leak site claiming to have attacked one of the world’s largest automotive suppliers of technology and components. Its leak site went down around the end of Jan 2022.\r\nIn March 2022, Pandora ransomware posted the same victim on its leak site. Because of this overlap and the similarities in how they operate, it is suspected that Pandora might be a re-brand of ROOK ransomware.\r\nFigure 8: Pandora ransomware leak site\r\nConclusion\r\nThere is a good chance that Pandora ransomware is a re-brand of ROOK ransomware. We have observed similar behavior in the past, with ransomware groups adopting new aliases when they came under scrutiny.\r\nThe Pandora ransomware gang is suspected of using the double extortion method, in which the threat actors exfiltrate the victim’s data before encrypting it. 
They then threaten to leak the exfiltrated data on their leak site or on cybercrime forums.\r\nOrganizations can mitigate such attacks by monitoring the dark web and acting on early warning indicators such as compromised credentials, data breaches and vulnerabilities traded on cybercrime forums.\r\nOur Recommendations:\r\nEnforce password change policies for the network and critical business applications, and consider implementing multi-factor authentication for all remote network access points.\r\nReduce the attack surface by ensuring that sensitive ports are not exposed on the Internet.\r\nConduct cybersecurity awareness programs for employees and contractors.\r\nImplement a risk-based vulnerability management process for IT infrastructure to ensure that critical vulnerabilities and security misconfigurations are identified and prioritized for remediation.\r\nInstruct users to refrain from opening untrusted links and email attachments without verifying their authenticity.\r\nDeploy reputable anti-virus and internet security software on company-managed devices, including PCs, laptops and mobile devices.\r\nTurn on automatic software updates on computers, mobile devices and other connected devices wherever possible and pragmatic.\r\nDefine and implement a backup process, and secure the backup copies by keeping them offline or on a separate network. Since this sample empties the Recycle Bin and deletes shadow copies, on-host recovery points cannot be relied on.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic                Technique ID   Technique Name\r\nExecution             T1059          Command and Scripting Interpreter\r\nPrivilege Escalation  T1548          Abuse Elevation Control Mechanism\r\nPrivilege Escalation  T1134          Access Token Manipulation\r\nDefense Evasion       T1112          Modify Registry\r\nDefense Evasion       T1027          Obfuscated Files or Information\r\nDefense Evasion       T1562.001      Impair Defenses: Disable or Modify Tools\r\nDiscovery             T1082          System Information Discovery\r\nDiscovery             T1083          File and Directory Discovery\r\nImpact                T1490          Inhibit System Recovery\r\nImpact                T1489          Service Stop\r\nImpact                T1486          Data Encrypted for Impact\r\nIndicators of Compromise (IoCs):\r\nIndicator                                                          Indicator type   Description\r\n0c4a84b66832a08dccc42b478d9d5e1b                                   MD5              Executable binary\r\n160320b920a5ef22ac17b48146152ffbef60461f                           SHA-1            Executable binary\r\n5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b   SHA-256          Executable binary\r\nAbout Us\r\nCyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrime and exposure on the dark web. Its prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.\r\nSource: https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/"
	],
	"report_names": [
		"deep-dive-analysis-pandora-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434737,
	"ts_updated_at": 1775791309,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec3ce3de4811fe46ca28ea7250d33820313c7c02.pdf",
		"text": "https://archive.orkl.eu/ec3ce3de4811fe46ca28ea7250d33820313c7c02.txt",
		"img": "https://archive.orkl.eu/ec3ce3de4811fe46ca28ea7250d33820313c7c02.jpg"
	}
}