Pandora is one of several ransomware strains used by the Chinese-affiliated group BRONZE STARLIGHT. Depending on where you get your information, this group is known by several names - DEV-0401, Cinnamon Tempest, Emperor Dragonfly, and SLIME34. Whatever you call them, they reference the same individual(s). This group has been reported to use several different ransomware for intellectual property theft, using ransomware as a distraction. Pandora is the chronological fifth ransomware used by the group, coming after LockFile, AtomSilo, Rook, and NightSky. LockFile and AtomSilo used a somewhat proprietary encryptor which eventually was cracked by researchers, allowing them to release a decryptor for them. That is when the group pivoted to Rook. NightSky and Pandora are variants of Rook, which itself is a variant of Babuk. Therefore, you have a lineage that looks roughly like this:
LockFile -> AtomSilo
Babuk -> Rook -> NightSky & Pandora
As with Babuk/Rook, Pandora uses a hybrid approach when encrypting files on a victim's machine, combining AES and RSA. AES to encrypt the file contents and RSA to encrypt the AES symmetric key. Besides a couple of other subtle nuances in the ransom note, rans note file names, communication email names, encrypted file extensions, and dark web data leak sites, there are very few noticeable differences. One interesting overlap between Rook and Pandora is one of the victims - a Japanese headquartered automobile manufacturer. This is one of several different pieces of evidence supporting the fact that the same threat actor is responsible for all of these ransomware strains. The other is the similar encryptors and chronological timeline of using these various ransomware strains.
Samples (SHA-256)(13)
Known Victims(6)
Industry Sector | Land | Extortion Date | Amount (USD) |
---|---|---|---|
Legal | United States | ||
Electronics | Japan | ||
Banking & Finance | United States | ||
Automotive | Japan | ||
Media & Marketing | United States | ||
Banking & Finance | United States |