Ransomware - Pandora

Pandora
Decryptor Available
No
Description

Pandora is one of several ransomware strains used by the Chinese-affiliated group BRONZE STARLIGHT. Depending on where you get your information, this group is known by several names - DEV-0401, Cinnamon Tempest, Emperor Dragonfly, and SLIME34. Whatever you call them, they reference the same individual(s). This group has been reported to use several different ransomware for intellectual property theft, using ransomware as a distraction. Pandora is the chronological fifth ransomware used by the group, coming after LockFile, AtomSilo, Rook, and NightSky. LockFile and AtomSilo used a somewhat proprietary encryptor which eventually was cracked by researchers, allowing them to release a decryptor for them. That is when the group pivoted to Rook. NightSky and Pandora are variants of Rook, which itself is a variant of Babuk. Therefore, you have a lineage that looks roughly like this:

LockFile -> AtomSilo

Babuk -> Rook -> NightSky & Pandora

As with Babuk/Rook, Pandora uses a hybrid approach when encrypting files on a victim's machine, combining AES and RSA. AES to encrypt the file contents and RSA to encrypt the AES symmetric key. Besides a couple of other subtle nuances in the ransom note, rans note file names, communication email names, encrypted file extensions, and dark web data leak sites, there are very few noticeable differences. One interesting overlap between Rook and Pandora is one of the victims - a Japanese headquartered automobile manufacturer. This is one of several different pieces of evidence supporting the fact that the same threat actor is responsible for all of these ransomware strains. The other is the similar encryptors and chronological timeline of using these various ransomware strains.

Ransomware Type
Crypto-Ransomware
Data Broker
Country of Origin
China
First Seen
Last Seen
Lineage
Threat Actors
Typ
Actor
APT
BRONZE STARLIGHT
Extortion Types
Direct Extortion
Double Extortion
Extortion Price Increases
Free Data Leaks
Communication
Mittel
Bezeichner
Encryption
Type
Hybrid
Files
AES-128
Key
RSA-2048
File Extension
<file name>.<file extension>.pandora
Ransom Note Name
Restore_My_Files.txt
Ransom Note Image
035e930157848f2a4439c096471d2296b0d7379d92a1762a0de5f51ab106be68
0c124bbdc6574ff0b96d14789ddc49439b648634df131423ef7f25040f8d40dd
0c923951881165045edfb014e52d3bbdcfc131554cf5566acd67f254775dbe45
0fac541a5613a69dd16690d16ebf4b2fad3ac4fc86b9b5f8fd715a003c027a1e
1d4286e854b42961bdf7bc7d371fde3c1169da3932da7920dc06579a28b8797c
1f172321dfc7445019313cbed4d5f3718a6c0638f2f310918665754a9e117733
2c940a35025dd3847f7c954a282f65e9c2312d2ada28686f9d1dc73d1c500224
584d86393fe3cea85b513141f4c44d90a99aacae2a796a63cc1eb1b17f6a11d5
5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b
627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb
63032dc963e4160af546050e24d3ea394905650a6acf83c5b5ae6c14c1eef0e0
7a2c7cc3515e6d3d60bb4a00b6ac3cb851468f2f08bbcb75453d8a2a5bdd55da
8c1427c09c2eb60382145e4abe06fe1a5108c899d289ad4b47a5259036b0b76a
Industry Sector Land Extortion Date Amount (USD)
LegalUnited States
ElectronicsJapan
Banking & FinanceUnited States
AutomotiveJapan
Media & MarketingUnited States
Banking & FinanceUnited States