What is Pandora Ransomware:

Pandora ransomware is malicious software that extorts its victims by destroying or blocking access to critical data or systems until a ransom is paid.

It came to public attention in March 2022 when DENSO, a well-known automotive manufacturer, was breached. Researchers who subsequently analyzed Pandora samples concluded that it is a variant of the Rook ransomware, a widely reported family that first appeared on VirusTotal in November 2021. They found that Pandora encrypts files and appends the extension ".pandora" to their names.


Pandora Ransomware Detection:

Cyber Radar detects Pandora with the following two techniques:

  • File Integrity Monitoring (FIM): a security control that detects file creation, deletion, and modification and records file hashes computed with algorithms such as SHA1, MD5, SHA256, and IMPHASH. Each hash is compared against our threat intelligence database; if a hash matches a known Pandora sample, a notification is generated on the Cyber Radar dashboard and the file is automatically deleted.

  • Logging and Event Evaluation in Windows: analysis of the processes Pandora executes shows that it deletes Volume Shadow Copies with the vssadmin process, removing the local restore points that would otherwise allow recovery. Cyber Radar detects this action when it occurs on a system and raises the corresponding notification on the dashboard, where it is analyzed and the necessary response actions are taken.

The following image shows the processes created by Pandora, including the use of vssadmin to delete shadow copies.
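As an added example (not Cyber Radar's code or part of the original page), the following Python implements a detection of the kind described in the second technique: it runs over constructed process-creation events in the shape of Sysmon Event ID 1 and flags vssadmin being used to delete shadow copies. The field names, the sample command lines and the parent-process path are assumptions.

```python
import re

# Assumed field names follow Sysmon Event ID 1 (process creation); the page's
# telemetry source is not named, so adapt the keys to your own pipeline.
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)

def is_vssadmin_shadow_deletion(event: dict) -> bool:
    """Flag a process-creation event in which vssadmin deletes shadow copies.

    The binary is matched by basename or by OriginalFileName (the PE version
    resource), so a copied or renamed vssadmin still matches; the command line
    is matched case-insensitively with flexible whitespace.
    """
    image = event.get("Image", "").lower().replace("/", "\\").rsplit("\\", 1)[-1]
    original = event.get("OriginalFileName", "").lower()
    if image != "vssadmin.exe" and original != "vssadmin.exe":
        return False
    return SHADOW_DELETE.search(event.get("CommandLine", "")) is not None

def evaluate(events):
    """Return one alert per matching event, keeping the parent for triage."""
    return [
        {"rule": "vssadmin shadow copy deletion",
         "parent": ev.get("ParentImage", ""),
         "command": ev.get("CommandLine", "")}
        for ev in events if is_vssadmin_shadow_deletion(ev)
    ]

# Constructed sample events, not real telemetry from the page.
SAMPLE_EVENTS = [
    {  # the behaviour described above: quiet deletion of all shadow copies
        "Image": r"C:\Windows\System32\vssadmin.exe",
        "OriginalFileName": "VSSADMIN.EXE",
        "CommandLine": r'"C:\Windows\System32\vssadmin.exe"  Delete Shadows /All /Quiet',
        "ParentImage": r"C:\Users\Public\update.exe",
    },
    {  # benign administrative use: listing, not deleting
        "Image": r"C:\Windows\System32\vssadmin.exe",
        "OriginalFileName": "VSSADMIN.EXE",
        "CommandLine": "vssadmin list shadows",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The parent image is kept in the alert because a shadow-copy deletion launched from an unexpected parent (here a binary under a user-writable directory) is the signal an analyst triages first.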