Technical Analysis of Emerging, Sophisticated Pandora Ransomware Group

Published: May 12, 2022 | 5 min read
2021 saw an outbreak of ransomware groups and attacks that affected every major industry across the globe. This trend is expected to continue and even surpass the previous year’s numbers by a significant margin in 2022. In March 2022, researchers detected a new ransomware strain known as Pandora.


In March 2022, researchers detected a new ransomware strain known as Pandora, which uses double-extortion tactics: it exfiltrates large quantities of personal data and then encrypts it. The operators hand over the decryption key once the victim pays the demanded ransom. Pandora is a relatively new operation, so its initial infection technique is not yet known.

Once it is on a target system, however, the ransomware appends the “.pandora” extension to every file it encrypts and leaves a ransom note, “Restore_My_Files.txt”, with instructions on how to recover the data. Researchers believe Pandora is a rebranded version of Rook ransomware, which in turn was derived from the leaked Babuk source code. This article walks through a technical analysis of the Pandora ransomware: its evasion tactics, its encryption process, and more.

Technical Analysis of Pandora

Analysis of the Pandora binary sample 5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b shows that it is packed with UPX (Ultimate Packer for eXecutables). UPX is an executable compressor that threat actors use to add a layer of obfuscation (code made deliberately hard for humans to read) to their malware. After the UPX stub unpacks the payload in memory, the ransomware code runs from the original entry point.

Figure: Ransomware code running from the entry point
The ransomware uses obfuscated strings and deobfuscates library names and internal function names at runtime. The library modules used by Pandora are dynamically loaded on a per-use basis via the following APIs:

Initially, the ransomware creates a mutex (a mutual-exclusion object that lets multiple threads take turns using the same resource) to make sure only one instance of the malware runs on the system. The mutex string, “ThisIsMutexa”, is deobfuscated in memory. The malware first checks for an existing mutex of that name via OpenMutexA; if none is present, it creates one with the value “ThisIsMutexa” via CreateMutexA.

Anti-debug Mechanism

The malware implements anti-debug checks to hinder analysis.

Figure: Anti-debug check
Evasion Techniques

Instrumentation Callback Bypass

Endpoint security products (in particular ETWTi) use the process instrumentation callback to look for behavioral anomalies and detect novel malware on the system. Pandora ransomware bypasses this callback mechanism via NtSetInformationProcess, which changes the process information.

Figure: NtSetInformationProcess being invoked

Figure: The third argument (10-byte long structure)

If a security product has hooked the malware's process through the callback member, invoking NtSetInformationProcess as shown above with the callback set to 0 clears that hook and so lets the malware evade it.

Event Tracing Bypass

Event Tracing for Windows (ETW) is a powerful tracing facility built into the operating system for monitoring the activity of both user-mode and kernel-mode components. It has become a vital instrument for endpoint security solutions to detect anomalous behavior in running programs. As a result, malware developers have started building functionality into their malware to neutralize the tracing capability. One such vector is patching ETW-related functions exported by ntdll.dll in memory.

Figure: Deobfuscation of “EtwEventWrite”

Figure: Arguments passed to VirtualProtectEx

Figure: The data passed to WriteProcessMemory

Figure: One-byte payload: 0xC3

Figure: Memory protection of EtwEventWrite
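The sequence in the figures above (resolve EtwEventWrite, make the page writable with VirtualProtectEx, write a single 0xC3 byte, restore protection) leaves a tell-tale artifact: the function's first byte is a `ret` instead of its normal prologue. As an added example that is not code from the article or from CloudSEK, the following Python checks for exactly that. On Windows it reads the live bytes of ntdll!EtwEventWrite in the current process via ctypes (a user-mode patch like this one only affects the process it was written into); elsewhere only the pure classification runs. The patterns other than the lone 0xC3, and the "intact" prologue bytes used for the demo, are assumptions of this example, not values taken from the article.

```python
"""Detect an in-memory patch of ntdll!EtwEventWrite.

Added example for this article (not CloudSEK's code). The target export and
the single 0xC3 ("ret") byte come from the analysis above; the remaining patch
patterns are assumed common variants with the same effect.
"""
import sys
from typing import Optional

# Instruction sequences that turn a function into a no-op. The first is the
# exact one-byte payload the article shows being written with WriteProcessMemory.
PATCH_PATTERNS = {
    "ret": b"\xC3",
    "xor eax,eax; ret": b"\x33\xC0\xC3",
    "xor eax,eax; ret (alt encoding)": b"\x31\xC0\xC3",
    "mov eax,0; ret": b"\xB8\x00\x00\x00\x00\xC3",
}


def classify_prologue(prologue: bytes) -> Optional[str]:
    """Name the patch pattern the prologue starts with, or None if it looks intact."""
    for name, pattern in PATCH_PATTERNS.items():
        if prologue.startswith(pattern):
            return name
    return None


def read_live_prologue(export: str = "EtwEventWrite", nbytes: int = 8) -> bytes:
    """Read the first bytes of an ntdll export as mapped in this process (Windows only).

    Run this inside the process you want to inspect, or adapt it to
    ReadProcessMemory for a remote one.
    """
    if sys.platform != "win32":
        raise OSError("live check requires Windows")
    import ctypes
    from ctypes import wintypes

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetModuleHandleW.argtypes = [wintypes.LPCWSTR]
    k32.GetModuleHandleW.restype = wintypes.HMODULE
    k32.GetProcAddress.argtypes = [wintypes.HMODULE, ctypes.c_char_p]
    k32.GetProcAddress.restype = ctypes.c_void_p  # full 64-bit pointer, not a truncated int
    addr = k32.GetProcAddress(k32.GetModuleHandleW("ntdll.dll"), export.encode("ascii"))
    if not addr:
        raise OSError(f"{export} not found in ntdll.dll")
    return ctypes.string_at(addr, nbytes)


def etw_patched(prologue: Optional[bytes] = None) -> bool:
    """True if the given prologue (or the live one on Windows) has been neutered."""
    if prologue is None:
        prologue = read_live_prologue()
    return classify_prologue(prologue) is not None


if __name__ == "__main__":
    # Constructed inputs: an intact-looking x64 prologue and the same bytes with
    # the first one overwritten by 0xC3, as in the article's figures.
    intact = b"\x4C\x8B\xDC\x48\x83\xEC\x58"
    patched = b"\xC3" + intact[1:]
    print("intact  ->", classify_prologue(intact))
    print("patched ->", classify_prologue(patched))
    if sys.platform == "win32":
        print("EtwEventWrite patched in this process:", etw_patched())
```

Comparing the in-memory prologue against the bytes of ntdll.dll on disk is the more general form of this check; the pattern list above is the cheap version that catches the specific write the article documents.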

 

Pre-encryption Phase

Before encryption begins, the malware changes the shutdown parameters of its process via the SetProcessShutdownParameters API. This function sets the shutdown order of the calling process relative to the other processes in the system. Here, the malware calls the API with a level of zero so that the ransomware process is the last one the operating system shuts down.

Figure: Data passed to SetProcessShutdownParameters

After setting the shutdown parameters, the malware empties the Recycle Bin via the SHEmptyRecycleBinA API.

The ransomware then raises the priority of its process to the highest possible class, REALTIME_PRIORITY_CLASS, via the SetPriorityClass API. The second argument, dwPriorityClass, has the value 0x100.

Figure: Data passed to SetPriorityClass

Finally, the volume shadow copies are deleted by running a command string through ShellExecuteA. The malware uses vssadmin to delete the shadow copies, removing the backups from which the victim could otherwise restore files.

Figure: Deleting shadow copies using vssadmin
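Shadow-copy deletion is one of the most reliable places to catch this pre-encryption phase, because vssadmin is rarely run this way by legitimate software. As an added example that is not code from the article or from CloudSEK, the following Python applies command-line rules to process-creation telemetry and keeps the parent image for triage. The vssadmin rule is the technique the article describes; the wmic and wbadmin rules are assumed equivalents a detection engineer would deploy alongside it. The log records are constructed for this example in a simplified `key=value|key=value` layout modelled on Sysmon Event ID 1 fields.

```python
"""Flag shadow-copy deletion in process-creation telemetry.

Added example for this article (not CloudSEK's code). Records are constructed;
field names follow Sysmon Event ID 1 but the layout is simplified.
"""
import re
from typing import Dict, List, Optional

# Constructed sample records. Only the first and third should fire.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin delete shadows /all /quiet|ParentImage=C:\\Users\\victim\\Downloads\\invoice.exe",
    "Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin list shadows|ParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic shadowcopy delete|ParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe Restore_My_Files.txt|ParentImage=C:\\Windows\\explorer.exe",
]

# Rule name -> case-insensitive command-line pattern. Each tolerates an optional
# ".exe" and a full path in front of the tool name.
SHADOW_DELETE_RULES = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin delete catalog", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed record into its fields."""
    fields: Dict[str, str] = {}
    for kv in line.split("|"):
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields


def match_shadow_deletion(event: Dict[str, str]) -> Optional[str]:
    """Return the name of the first rule the command line matches, else None."""
    cmd = event.get("CommandLine", "")
    for name, pattern in SHADOW_DELETE_RULES:
        if pattern.search(cmd):
            return name
    return None


def find_shadow_deletions(lines: List[str]) -> List[Dict[str, str]]:
    """Run every record through the rules; keep the parent image for triage."""
    hits = []
    for line in lines:
        event = parse_event(line)
        rule = match_shadow_deletion(event)
        if rule:
            hits.append({
                "rule": rule,
                "parent": event.get("ParentImage", ""),
                "cmdline": event.get("CommandLine", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in find_shadow_deletions(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] parent={hit['parent']} cmd={hit['cmdline']}")
```

The parent image is the field worth alerting on: a backup agent or an administrator's console spawning vssadmin is routine, while a freshly downloaded executable doing so, as in the first constructed record, is the pattern this phase of Pandora produces.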

 

Encryption Phase: Threading Model

The main thread of the malware creates two new threads that are responsible for encrypting user data.

Figure: Creation of two new threads

The following APIs are used to create the threads:

The threads are created with dwCreationFlags set to CREATE_SUSPENDED; their execution is later resumed via ResumeThread.

The main thread then starts enumerating the drives present on the system via the following APIs:
Pandora uses Windows I/O completion ports to speed up the encryption process. The following APIs are used to orchestrate the search for, and locking of, user data:
Initially, the main thread of the malware creates an input/output (I/O) completion port via the CreateIoCompletionPort API.

Figure: Data passed to CreateIoCompletionPort
Ransomware in the wild has generally adopted this model to optimize encryption. The goal is to make full use of multicore processors by enumerating and encrypting files concurrently: a group of worker threads fetches file paths and posts them to the port's queue via PostQueuedCompletionStatus, while other threads retrieve the posted paths for encryption via GetQueuedCompletionStatus.

Figure: Optimization of the encryption process
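The same producer/consumer shape is just as useful on the defensive side, where the bottleneck is hashing rather than encrypting. As an added example that is not code from the article or from CloudSEK, the following Python reproduces the model the article describes (paths posted to a queue, worker threads pulling them off it) with `queue.Queue` standing in for the Windows I/O completion port, and uses it to hash every file under a root and report matches against known-bad SHA-256 values. The known-bad set seeds itself with the sample hash from this article; the role split (enumeration on the calling thread, hashing on workers), the worker count and the throwaway sample tree are assumptions of this example.

```python
"""Enumerate-and-process with a bounded queue and worker threads.

Added example for this article (not CloudSEK's code). queue.Queue plays the
role of the I/O completion port; put() corresponds to PostQueuedCompletionStatus
and get() to GetQueuedCompletionStatus. The sample tree is constructed.
"""
import hashlib
import os
import queue
import tempfile
import threading
from pathlib import Path
from typing import Iterable, List, Set, Tuple

# SHA-256 of the Pandora sample analysed in the article.
KNOWN_BAD_SHA256 = {"5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b"}
_DONE = None  # sentinel posted once per worker, like a "stop" completion packet


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def enumerate_into(root: str, work: "queue.Queue", nworkers: int) -> None:
    """Producer: walk the tree and post every file path onto the queue."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            work.put(Path(dirpath) / name)
    for _ in range(nworkers):
        work.put(_DONE)


def hash_worker(work: "queue.Queue", bad: Set[str],
                hits: List[Tuple[str, str]], lock: threading.Lock) -> None:
    """Consumer: pull a path off the queue, hash it, record matches."""
    while True:
        path = work.get()
        if path is _DONE:
            return
        try:
            digest = sha256_file(path)
        except OSError:
            continue  # unreadable or vanished file: skip it, as a scanner should
        if digest in bad:
            with lock:
                hits.append((str(path), digest))


def scan_tree(root: str, bad: Iterable[str] = KNOWN_BAD_SHA256,
              nworkers: int = 4) -> List[Tuple[str, str]]:
    """Run the producer on the calling thread and nworkers consumers; return sorted hits."""
    bad = set(bad)
    work: "queue.Queue" = queue.Queue(maxsize=256)  # bounded: enumeration blocks if workers lag
    hits: List[Tuple[str, str]] = []
    lock = threading.Lock()
    workers = [threading.Thread(target=hash_worker, args=(work, bad, hits, lock), daemon=True)
               for _ in range(nworkers)]
    for w in workers:
        w.start()
    enumerate_into(root, work, nworkers)
    for w in workers:
        w.join()
    return sorted(hits)


def build_constructed_tree() -> Tuple[str, Set[str]]:
    """Create a throwaway directory with one 'bad' file; return (root, its hash set)."""
    root = tempfile.mkdtemp(prefix="scan_demo_")
    payload = b"constructed stand-in for a malicious binary"
    os.makedirs(os.path.join(root, "sub", "deeper"))
    Path(root, "sub", "deeper", "update.exe").write_bytes(payload)
    Path(root, "notes.txt").write_bytes(b"benign content")
    return root, {hashlib.sha256(payload).hexdigest()}


if __name__ == "__main__":
    demo_root, demo_bad = build_constructed_tree()
    for path, digest in scan_tree(demo_root, demo_bad):
        print(f"match {digest[:12]}... {path}")
```

The bounded queue is the detail that matters operationally: with an unbounded one, enumeration of a large volume races ahead and the path list alone can exhaust memory, whereas blocking the producer keeps the pipeline's footprint fixed regardless of tree size.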

 

Pandora uses the RSA-4096 algorithm for encryption; the public key is embedded within the malware.

Figure: Public key embedded in the malware

Before the encryption process starts, the malware visits the directories on the network drives and drops the ransom note (Restore_My_Files.txt). The ransom note is created using the following three APIs:

Figure: Contents of the ransom note

Encryption Process

The process explained in this section is executed by the worker threads highlighted in the image below. These threads concurrently enumerate and encrypt data via the Windows I/O completion port.

Figure: Worker threads

Directories skipped during encryption: AppData, Opera Software, Boot, Mozilla, Windows.old, Mozilla Firefox, Tor Browser, ProgramData, Internet Explorer, Program Files, Google, Program Files (x86), Opera, #recycle

File names skipped during encryption: Autorun.inf, bootmgfw.efi, boot.ini, desktop.ini, bootfont.bin, iconcache.db, bootsect.bak, ntldr, bootmgr, Ntuser.dat, bootmgr.efi, Restore_My_Files.txt

File extensions skipped during encryption: .hta, .cur, .exe, .drv, .dll, .hlp, .cpl, .icl, .ini, .icns, .cab, .ico, .idx, .sys, .spl, .ocx, .pandora

Figure: Renamed file with the “.pandora” extension

Registry Keys

Figure: HKCU registry key

Pandora ransomware writes two values, Private and Public, under the HKCU\Software registry key. The Public value holds the public key the ransomware uses to encrypt user files, while the Private value holds the protected private key needed for decryption. The decryptor tool the victim receives after paying the ransom reads this information from the registry to decrypt the locked files.

Indicators of Compromise

Binary (SHA-256): 5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b
Registry: HKCU\Software\Private, HKCU\Software\Public
Dropped file: Restore_My_Files.txt
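The indicators in this article (the “ThisIsMutexa” mutex, the Private and Public values under HKCU\Software, the Restore_My_Files.txt note and the “.pandora” extension) can be checked on a host in one pass. As an added example that is not code from the article or from CloudSEK, the following Python does that: the mutex probe calls OpenMutexA, which only succeeds if the named mutex already exists, and the registry probe uses winreg; both are Windows-only and are skipped elsewhere, and both are injectable so the reporting logic can be exercised with constructed data. The throwaway directory tree is constructed for this example.

```python
"""Triage a host against the Pandora indicators listed in this article.

Added example for this article (not CloudSEK's code). Indicator values come
from the analysis above; the probes are injectable so the logic is testable
off-Windows, and the sample tree is constructed.
"""
import os
import sys
import tempfile
from pathlib import Path
from typing import Callable, Dict, Iterable, List

MUTEX_NAME = "ThisIsMutexa"
RANSOM_NOTE = "Restore_My_Files.txt"
ENCRYPTED_EXT = ".pandora"
REGISTRY_VALUES = ("Private", "Public")  # under HKCU\Software


def mutex_exists(name: str = MUTEX_NAME) -> bool:
    """OpenMutexA only succeeds if the named mutex already exists (Windows only)."""
    if sys.platform != "win32":
        return False
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexA.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_char_p]
    k32.OpenMutexA.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    SYNCHRONIZE = 0x00100000
    handle = k32.OpenMutexA(SYNCHRONIZE, 0, name.encode("ascii"))
    if handle:
        k32.CloseHandle(handle)
        return True
    return False


def registry_values_present(names: Iterable[str] = REGISTRY_VALUES) -> Dict[str, object]:
    """Return the HKCU\\Software values named in the article that exist (Windows only)."""
    if sys.platform != "win32":
        return {}
    import winreg
    found: Dict[str, object] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, "Software") as key:
        for name in names:
            try:
                found[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value absent: nothing to report
    return found


def file_indicators(roots: Iterable[str]) -> Dict[str, List[str]]:
    """Walk the given roots for ransom notes and renamed (.pandora) files."""
    notes: List[str] = []
    encrypted: List[str] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                if name == RANSOM_NOTE:
                    notes.append(full)
                elif name.lower().endswith(ENCRYPTED_EXT):
                    encrypted.append(full)
    return {"ransom_notes": sorted(notes), "encrypted_files": sorted(encrypted)}


def triage(roots: Iterable[str],
           mutex_probe: Callable[[], bool] = mutex_exists,
           registry_probe: Callable[[], Dict[str, object]] = registry_values_present) -> Dict[str, object]:
    """Combine all probes into one report with a summary verdict."""
    report: Dict[str, object] = {"mutex": mutex_probe(), "registry": registry_probe()}
    report.update(file_indicators(roots))
    report["compromise_likely"] = bool(
        report["mutex"] or report["registry"] or report["ransom_notes"] or report["encrypted_files"]
    )
    return report


def build_constructed_host(infected: bool) -> str:
    """Create a throwaway directory that either shows the file indicators or is clean."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    docs = Path(root, "Documents")
    docs.mkdir()
    if infected:
        (docs / ("report.docx" + ENCRYPTED_EXT)).write_bytes(b"ciphertext placeholder")
        (docs / RANSOM_NOTE).write_text("constructed note\n")
    else:
        (docs / "report.docx").write_bytes(b"plaintext placeholder")
    return root


if __name__ == "__main__":
    # On Windows the real probes run; pass the drive roots you want walked.
    print(triage([build_constructed_host(infected=True)]))
```

Any single indicator is enough to trigger the verdict because each one is specific to this family; the mutex in particular is worth checking early, since it exists from the moment the malware starts, before any file has been renamed.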

Contributors to this Article
Anandeshwar Unnikrishnan
Anandeshwar is a Threat Intelligence Researcher at CloudSEK. He is a strong advocate of offensive cybersecurity. He is fuelled by his passion for cyber threats in a global context. He dedicates much of his time on Try Hack Me/ Hack The Box/ Offensive Security Playground. He believes that "a strong mind starts with a strong body." When he is not gymming, he finds time to nurture his passion for teaching. He also likes to travel and experience new cultures.
