Ransom.Win64.PANDORA.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other Details

This Ransomware requires the following additional components to properly run:

• %System%\versions.dll → encrypted binary, detected as Ransom.Win64.PANDORA.A.enc

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It does the following:

• It compares the time and date of execution to December 9, 2022 7:00:00 AM GMT
  • if less than, it will perform infinite sleep until the required date and time is met
  • if greater than, it will load and decrypt %System%\versions.dll in memory
• It writes the following as ransom note at the start of each encrypted file.
  

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file path:

• AppData
• Boot
• Windows
• Windows.old
• Tor Browser
• Internet Explorer
• Google
• Opera
• Opera Software
• Mozilla
• Mozilla Firefox
• Temp
• $Recycle.Bin
• System Volume Information
• $RECYCLE.BIN
• $WinREAgent
• ProgramData
• All Users
• bootmgr
• ntldr
• Program Files
• Program Files (x86)
• #recycle
• PerfLogs
• Recovery
• Public
• Default
• Default User

It appends the following extension to the file name of the encrypted files:

• .bak9

It avoids encrypting files with the following file extensions:

• .exe
• .dll
• .jar
• .inf
• .ini
• .bin
• .efi
• .db
• .dat
• .log
• .hta
• .cpl
• .cab
• .cur
• .sys
• .idx
• .drv
• .hlp
• .icl
• .icns
• .ico
• .ocx
• .pandora
• .spl
• .msi
• .iso
• .DAT
• .bak9