'PacMan' Ransomware
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Metric | Value |
|---|---|
| Popularity Rank: | 24,099 |
| Threat Level: | 100 % (High) |
| Infected Computers: | 24 |
| First Seen: | March 26, 2015 |
| Last Seen: | January 30, 2026 |
| OS(es) Affected: | Windows |
The 'PacMan' Ransomware is a threat used to extort money from its victims. The 'PacMan' Ransomware infection has been used to target Danish chiropractors through highly specific phishing. The 'PacMan' Ransomware stops legitimate Windows services and utilities from running on an affected computer. The 'PacMan' Ransomware is a variant of crypto-malware, or ransomware, that encrypts victims' files, effectively keeping the PC user's files unusable until a ransom is paid in exchange for the decryption key. The 'PacMan' Ransomware receives its name because the threat's creator goes by the nickname 'Pac Man' online.
How the 'PacMan' Ransomware is Spread
The 'PacMan' Ransomware is distributed using phishing email messages with advanced social engineering. The 'PacMan' Ransomware phishing emails contain an embedded link to a Dropbox file. This file contains the 'PacMan' Ransomware infection, installing it on the victim's computer when the link is clicked. Unlike many other similar ransomware threats, the 'PacMan' Ransomware does not only encrypt the victim's files; the 'PacMan' Ransomware has the capability to log keystrokes on the victim's computer (potentially collecting data), and interfere with the affected computer's settings.
Analyzing the 'PacMan' Ransomware Attack
As soon as the 'PacMan' Ransomware runs on the victim's computer, it starts encrypting files that could contain important information. The 'PacMan' Ransomware may target Microsoft Office documents, image files, video game saves, database files and other types of documents. As soon as the 'PacMan' Ransomware finishes encrypting the victim's files, it displays the ransom message on the victim's Desktop. The 'PacMan' Ransomware is much more aggressive about payment of the ransom than other similar threats: it states clearly that if the ransom is not paid within 24 hours, the files will remain encrypted. Unfortunately, decryption of the affected files is impossible without the encryption key. Because of this, the best ways of protecting oneself from the 'PacMan' Ransomware are to back up all sensitive files and to prevent threat attacks through safe browsing procedures and strong security software and protocols.
The 'PacMan' Ransomware's Features and Capability
Malware analysts have analyzed the 'PacMan' Ransomware and have observed that this threat is developed in .NET. PC security analysts have also noticed an interesting development: the 'PacMan' Ransomware has keylogging capabilities. Apart from its encryption and keylogging capabilities, the 'PacMan' Ransomware will terminate certain Windows utilities, including Task Manager, Registry Editor, Terminal, PowerShell, System Restore, Windows Backup and Msconfig. These tools could potentially be used to remove the 'PacMan' Ransomware from an affected computer or to detect or stop its attack.
Potential Sources of the 'PacMan' Ransomware Attack
Malware analysts suspect that the creator of the 'PacMan' Ransomware is quite likely from Denmark. The messages that are associated with the 'PacMan' Ransomware are written in flawless Danish and use a social engineering approach to attacking inexperienced computer users. Most importantly, the 'PacMan' Ransomware attacks are highly targeted, meaning that targets are carefully selected rather than casting a wide net. PC security researchers have been alarmed at the skill behind the 'PacMan' Ransomware attack, making it likely that the perpetrators of this attack present a high risk for additional attacks. While the 'PacMan' Ransomware itself is fairly standard, the social engineering approach that underlies the 'PacMan' Ransomware attack means that this may be part of a larger campaign to target other vulnerable parties in Denmark. The effective attack on Danish chiropractors makes it highly likely that other businesses and private individuals in Denmark could fall for the same tactic. Because of this, malware analysts warn computer users in Denmark against phishing attacks that could be used to distribute the 'PacMan' Ransomware.
Analysis Report
General information
| Family Name: | Ryuk.E Ransomware |
|---|---|
| Signature status: | Root Not Trusted |
Known Samples
This section lists other file samples believed to be associated with this family.
| Attribute | Value |
|---|---|
| MD5: | 5b020f951bcb5f70c9f598dd0a34addf |
| SHA1: | 691627bc4c59943bdbb6e6764eec1e79bc423c46 |
| SHA256: | D5DE1AC1A5414DC6DE88E5CFFBC131A3780CB084041AF80A1D83CB4679175625 |
| File Size: | 220.92 KB, 220920 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have exports table
- File is 64-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
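The attributes listed above can all be read directly from the PE headers of a sample. The following is an added example, not EnigmaSoft's tooling or code from the report: it parses the DOS, COFF and optional headers with Python's standard library and derives the same flags (64-bit, GUI subsystem, DLL bit, executable-image bit, Rich header, export table). The `build_sample` helper constructs a minimal header-only PE image for offline testing; its default arguments are chosen to mirror the scorecard's attribute list and it is not a real malware sample.

```python
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002  # real PE/COFF constants
IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
PE32_PLUS_MAGIC = 0x20B

def pe_attributes(data: bytes) -> dict:
    """Derive the header-level attributes listed in the scorecard from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    has_rich = b"Rich" in data[0x40:e_lfanew]  # Rich header sits between DOS stub and PE signature
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER follows the 4-byte signature
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # IMAGE_OPTIONAL_HEADER follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset for PE32 and PE32+
    nrva = opt + (108 if magic == PE32_PLUS_MAGIC else 92)  # NumberOfRvaAndSizes offset
    n_dirs = struct.unpack_from("<I", data, nrva)[0]
    exp_rva, exp_size = struct.unpack_from("<II", data, nrva + 4) if n_dirs else (0, 0)
    return {
        "is_64bit": magic == PE32_PLUS_MAGIC and machine == IMAGE_FILE_MACHINE_AMD64,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_gui": subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI,
        "has_rich_header": has_rich,
        "has_exports": exp_rva != 0 and exp_size != 0,
    }

def build_sample(machine=IMAGE_FILE_MACHINE_AMD64, chars=IMAGE_FILE_EXECUTABLE_IMAGE,
                 subsystem=IMAGE_SUBSYSTEM_WINDOWS_GUI, magic=PE32_PLUS_MAGIC,
                 rich=False, export=(0, 0)) -> bytes:
    """Constructed header-only PE image (not a real sample); defaults mirror the scorecard."""
    stub = (b"Rich" if rich else b"\0\0\0\0") + b"\0" * 12
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40 + len(stub))  # e_lfanew
    opt_size = 240 if magic == PE32_PLUS_MAGIC else 224  # includes 16 data directories
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    nrva = 108 if magic == PE32_PLUS_MAGIC else 92
    struct.pack_into("<I", opt, nrva, 16)
    struct.pack_into("<II", opt, nrva + 4, *export)  # export directory is entry 0
    return bytes(dos) + stub + b"PE\0\0" + coff + bytes(opt)
```

Running `pe_attributes` over a real file (`open(path, "rb").read()`) yields the same six flags; note that "not packed" and "native (not .NET)" need a section and CLR-directory inspection that this example does not perform.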
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature's root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy "Self Signed" digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading "Signer" names.
| Signer | Root | Status |
|---|---|---|
| Light Motion Development OÜ | Certum Trusted Network CA 2 | Root Not Trusted |
File Traits
- No Version Info
- x64
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Block Type | Count |
|---|---|
| Total Blocks: | 417 |
| Potentially Malicious Blocks: | 4 |
| Whitelisted Blocks: | 393 |
| Unknown Blocks: | 20 |
Visual Map (image not reproduced here; legend: ? = Unknown Block, x = Potentially Malicious Block)
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Syscall Use | |