The Pacman ransomware was discovered by @malwrhunterteam (Twitter) on April 1, 2019. The WatchGuard Threat Lab could not find a sample of this ransomware; thus, the technical information is based on open-source information. What we were able to discover is that it uses AES encryption to encrypt user's files. Once encrypted, the ransomware renames the encrypted files to include the ".encrypted" extension. Interestingly, the file extension isn't concatenated at the end, it's injected into the middle of the original file name. For example, if it were to encrypt a file named "readme.txt," the encrypted version would look like "readme.encrypted.txt." After the encryption event, the ransomware invokes a modal named "Pacman," which serves as the ransom note. Researchers state that it is a GIF of Pacman eating the ghosts, but we can't confirm that without the sample. However, the ransom note does demand the victim to pay 0.2 BTC, which was around $1,500 at the time, as the ransom note shows. Once the victim was to pay, the ransomware operator(s) would verify the payment on the Bitcoin blockchain, and hopefully, they would send the decryption key(s). Finally, the ransom note is in English and German, which could indicate that they targeted English and German users. However, we know of no victims of this ransomware.
Ransom note pictured derived from @malwrhunterteam
![Pacman-RansomNote-Unknown[EN]](/sites/default/files/ransomware-images/Pacman-RansomNote-Unknown%5BEN%5D.png)
![Pacman-RansomNote-Unknown[DE]](/sites/default/files/ransomware-images/Pacman-RansomNote-Unknown%5BDE%5D.png)