Ransomware - Pacman

Pacman
Aliases
Wakka Wakka
Decryptor Available
No
Description

The Pacman ransomware was discovered by @malwrhunterteam (Twitter) on April 1, 2019. The WatchGuard Threat Lab could not find a sample of this ransomware; thus, the technical information is based on open-source information. What we were able to discover is that it uses AES encryption to encrypt user's files. Once encrypted, the ransomware renames the encrypted files to include the ".encrypted" extension. Interestingly, the file extension isn't concatenated at the end, it's injected into the middle of the original file name. For example, if it were to encrypt a file named "readme.txt," the encrypted version would look like "readme.encrypted.txt." After the encryption event, the ransomware invokes a modal named "Pacman," which serves as the ransom note. Researchers state that it is a GIF of Pacman eating the ghosts, but we can't confirm that without the sample. However, the ransom note does demand the victim to pay 0.2 BTC, which was around $1,500 at the time, as the ransom note shows. Once the victim was to pay, the ransomware operator(s) would verify the payment on the Bitcoin blockchain, and hopefully, they would send the decryption key(s). Finally, the ransom note is in English and German, which could indicate that they targeted English and German users. However, we know of no victims of this ransomware.

Ransom note pictured derived from @malwrhunterteam

Ransomware Type
Crypto-Ransomware
First Seen
Last Seen
Extortion Types
Direct Extortion
Extortion Amounts
Amount
0.2BTC($1,500)
Communication
Medium
Identifier
Encryption
Type
Symmetric
Files
AES
Crypto Wallets
Blockchain Type
Crypto Wallet
BTC
17yKCVNb7EQQpr5ABKGcVpGSPVWFTxhReR
File Extension
<file name>.encrypted.<original file extension>
Ransom Note Name
Pacman
References & Publications