Pearl Active
Ransomware group first observed in 2018. Uses BazarLoader for deployment.
Total Victims: 0
First Seen: 2018-02-01
Last Seen: 2026-02-04
Known TTPs: 0
Avg Delay: 12.7d
Negotiations: 0
ONION URLS
peargxn3oki34c4savcbcfqofjjwjnnyrlrbszfv6ujlx36mhrh57did.onion
pearsmob5sn44ismokiusuld34pnfwi6ctgin3qbvonpoob4lh3rmtqd.onion
TOOLS
BazarLoader
IcedID
ConnectWise
SharpHound
FILE EXTENSIONS
.gone
CHARTS (Activity Timeline, Top Sectors, Top Countries, Activity Heatmap): no data to display
| Date | Victim Name | Country | Sector | Status |
|---|---|---|---|---|
| No victims recorded | | | | |
No TTP data
Pearl_rule_1
CISA
```yara
rule Pearl_ransomware_1 {
    meta:
        description = "Detects Pearl ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "70aeb181ead5dcb349b697b83e8dfccdeb2514060cded082cda3f084ae6327da"
    strings:
        $h0 = { E8 E0 53 D3 7F 1B E6 AE EA 12 00 E7 1F 43 }
        $h1 = { EC F7 E2 62 1F C4 A7 C6 }
        // The last byte of this pattern was truncated to a single nibble in the
        // source; its low nibble is left as a wildcard so the rule compiles.
        $h2 = { 7E 50 E7 0D DE 08 86 BC 7C E1 F0 03 8D 9C 0E BA 6C 83 1E A4 B6 15 0C A? }
        $s3 = "PAYMENT" nocase
    condition:
        // MZ header, small PE, and at least three of the four indicators
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}
```
Pearl_rule_2
RansomwareMonitor
```yara
rule Pearl_ransomware_2 {
    meta:
        description = "Detects Pearl ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "4ae452b53937fdb14d53efdcd893d0377596ecc7934b78675a42345fbed3643e"
    strings:
        // The last byte of $h0 and $h4 was truncated to a single nibble in the
        // source; the low nibble is left as a wildcard so the rule compiles.
        $h0 = { FF 4D 6B 12 A0 3F D5 C6 04 11 13 4A C3 B6 6E C? }
        $s1 = "::::" nocase
        // Bitcoin address pattern (base58, starting with 1 or 3)
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s3 = "README" nocase
        $h4 = { CB CD A6 3B 40 0F 2A C6 41 E8 05 AD 4B 9D 77 EE D8 B? }
    condition:
        // MZ header, small PE, and at least three of the five indicators
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}
```
No ransom notes