pgift

Malware

⚠️ Overview

pgift is a ransomware family first documented by the cybersecurity firm Zscaler in January 2020. It operates as a financially motivated wiper disguised as ransomware: files are permanently destroyed and no working decryption is offered. The malware is attributed to an unknown threat actor with possible ties to Iranian or Russian cybercriminal networks, based on code overlaps with "Petya"-like wiper strains. It belongs to the destructive ransomware category, specifically file-encrypting wipers that overwrite Master File Table (MFT) entries to prevent data recovery.

🔧 Technical Capabilities

pgift propagates via phishing emails carrying malicious Microsoft Office attachments that drop a VBScript downloader; the downloader fetches the main payload from a remote C2 server using HTTP GET requests to hardcoded IP addresses. The malware uses the ChaCha20 stream cipher (identified by Zscaler in its technical analysis) to encrypt user files, appending the extension .pgift to each filename. Persistence is achieved through a scheduled task named "pgiftService" in Windows Task Scheduler, and the malware deletes Volume Shadow Copies with vssadmin.exe Delete Shadows /All /Quiet to thwart recovery. Evasion includes a virtual-machine check: if the registry value HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion contains strings such as "VirtualBox" or "VMware", the malware terminates. C2 communication uses a custom TCP protocol on port 443 over TLS, with the malware sending encrypted system fingerprints (hostname, OS version, and encryption status) to the server.

📜 History & Notable Incidents

pgift first appeared in January 2020, targeting small-to-medium businesses in the United States and Europe; a notable campaign in March 2020 affected over 200 organizations in the healthcare sector, as reported by Zscaler's ThreatLabZ. No CVE is assigned to the malware itself, but it exploits CVE-2017-0199 (a Microsoft Office vulnerability) via malicious RTF documents for initial infection. No law enforcement actions against the operators have been publicly documented.

🔍 Detection Indicators

Known file hashes include SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (from the Zscaler report), and the mutex name Global\pgift_Mutex_2020 is used to prevent multiple infections. Behavioral signatures include creation of the %AppData%\pgift directory and the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\pgiftSvc. Network IOCs include POST requests to the IP ranges 185.130.5.x and 45.155.205.x with the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) pgift/1.0".

☠️ Risk & Impact

pgift causes permanent data destruction with no viable decryption method, leading to total loss of encrypted files. Ransom demands range from $10,000 to $50,000 per incident (reported by Coveware), though payment does not guarantee recovery. The healthcare and manufacturing sectors have been most impacted due to their reliance on critical operational data.

🛡️ Mitigation

Organizations should block email attachments with macros from untrusted senders, enable Attack Surface Reduction (ASR) rules for Office processes, and maintain offline backups. Detection can be implemented via YARA rules matching the pgift mutex and the .pgift file extension, as well as Sysmon rules for the vssadmin Delete Shadows command.
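The Sysmon-based detection described above, as an added example that is not from the page's source or from Zscaler: it classifies constructed Sysmon-style events (process create, file create, registry value set) against the pgift indicators listed in this profile. Event IDs and field names follow Sysmon's schema; the sample paths and SID are constructed.

```python
"""Classify Sysmon-style events against the pgift behaviours in this profile.
Added example; the events below are constructed, not captured telemetry."""
import re

# Sysmon event IDs used: 1 = process create, 11 = file create,
# 13 = registry value set. Field names mirror Sysmon's own schema.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
# Sysmon records HKCU values under HKU\<SID>\..., so match on the tail only.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\pgiftSvc$", re.I)

def classify(event: dict) -> list[str]:
    """Return the names of the pgift rules this event matches (empty if none)."""
    hits = []
    eid = event.get("EventID")
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "").lower()
    if eid == 1 and SHADOW_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
    if eid == 1 and "schtasks" in image and "pgiftService" in cmd:
        hits.append("pgift_scheduled_task")
    if eid == 11 and event.get("TargetFilename", "").lower().endswith(".pgift"):
        hits.append("pgift_extension_write")
    if eid == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        hits.append("pgift_run_key")
    return hits

def scan(events) -> dict:
    """Map RecordID -> matched rules for every event that hit at least one rule."""
    return {e["RecordID"]: h for e in events if (h := classify(e))}

# Constructed sample events; indicator values come from the profile above.
SAMPLE_EVENTS = [
    {"RecordID": 1, "EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"RecordID": 2, "EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},  # benign admin query, no hit
    {"RecordID": 3, "EventID": 11, "Image": r"C:\Users\a\AppData\Roaming\pgift\x.exe",
     "TargetFilename": r"C:\Users\a\Documents\report.docx.pgift"},
    {"RecordID": 4, "EventID": 13, "Image": r"C:\Users\a\AppData\Roaming\pgift\x.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\pgiftSvc"},
    {"RecordID": 5, "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /Create /TN "pgiftService" /SC ONLOGON /TR x.exe'},
]

if __name__ == "__main__":
    for record_id, rules in scan(SAMPLE_EVENTS).items():
        print(record_id, rules)
```

The shadow-copy rule deliberately ignores "vssadmin list shadows" so routine administration does not alert; tune the Run-key and extension rules to your own naming conventions before deploying.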


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.