Ransomware Report: The Rise of BandarChor

This week we have received a number of reports about yet another ransomware family, BandarChor.

This ransomware is not exactly fresh: the first infections we saw from this family date back to last November.

[Image: first BandarChor infections observed, November 2014]

We have had reports of BandarChor being spread via email and have seen indicators that it may have been distributed by exploit kits.

Upon execution, the malware drops a copy of itself into the Startup directory (so that it runs again at the next logon), along with the ransom notification image.

[Image: dropped files in the Startup directory]

It then attempts to encrypt files with a variety of extensions, such as doc, xls and jpg.

[Image: list of targeted file extensions]

After encryption, each file is renamed to [filename].id-[ID]_fud@india.com, where [ID] is the per-victim identifier that the malware also reports to its server and fud@india.com is the contact address the victim is told to write to.

[Image: encrypted files renamed with the .id-[ID]_fud@india.com suffix]
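The rename pattern above is the quickest way to confirm a BandarChor infection on a host and to recover the victim ID for the ransom note. The following triage script is an added example, not code from the original post or from F-Secure: it parses filenames of the form [filename].id-[ID]_fud@india.com, groups them by victim ID and contact address, and tallies which original extensions were hit. The post shows only the shape of the ID, so accepting any run of hex digits is an assumption made here, and the contact address is captured rather than hard-coded so that a variant using a different mailbox is still caught. The sample filenames are constructed for the stand-alone run.

```python
import os
import re
from collections import Counter, defaultdict

# Pattern from the post: encrypted files are renamed to [filename].id-[ID]_fud@india.com.
# The post shows only the shape of [ID]; accepting any run of hex digits is an assumption
# made here, and the contact address is captured rather than hard-coded so that variants
# using a different mailbox are still caught.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]+)_(?P<contact>[^_/\\]+@[^_/\\]+)$"
)

# Constructed sample filenames for a stand-alone run; not taken from an actual infection.
SAMPLE_FILENAMES = [
    "budget.xls.id-1234567890_fud@india.com",
    "photo.jpg.id-1234567890_fud@india.com",
    "minutes.doc.id-ABCDEF01_fud@india.com",
    "notes.doc",                        # untouched file
    "readme.id-notanid_fud@india.com",  # malformed ID, must not match
]


def parse_encrypted_name(name):
    """Return (original_name, victim_id, contact) for a BandarChor-style name, else None."""
    m = ENCRYPTED_NAME.match(name)
    if m is None:
        return None
    return m.group("original"), m.group("victim_id"), m.group("contact")


def triage(filenames):
    """Group encrypted files by (victim_id, contact); the value is the list of original names."""
    by_victim = defaultdict(list)
    for name in filenames:
        parsed = parse_encrypted_name(name)
        if parsed is None:
            continue
        original, victim_id, contact = parsed
        by_victim[(victim_id, contact)].append(original)
    return dict(by_victim)


def extension_counts(filenames):
    """Count which original extensions were hit, for comparison with the post's extension list."""
    counts = Counter()
    for name in filenames:
        parsed = parse_encrypted_name(name)
        if parsed is None:
            continue
        ext = os.path.splitext(parsed[0])[1].lstrip(".").lower()
        counts[ext or "<none>"] += 1
    return counts


def scan_directory(root):
    """Walk a directory tree and triage every filename found under it."""
    names = []
    for _dirpath, _dirs, files in os.walk(root):
        names.extend(files)
    return triage(names)


if __name__ == "__main__":
    for (victim_id, contact), originals in triage(SAMPLE_FILENAMES).items():
        print(f"victim {victim_id} ({contact}): {len(originals)} files")
    print(extension_counts(SAMPLE_FILENAMES))
```

Run scan_directory against a mounted image of the affected volume rather than the live system; the grouping by victim ID also tells you quickly whether files from more than one infected machine have been copied onto a share.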

It then reports the computer name and the victim ID to a remote server via HTTP POST.

[Image: HTTP POST check-in traffic]

Here’s what the ransom message looks like.

[Image: ransom message]

Here’s a list of other domains that we’ve seen related to this threat:

• martyanovdrweb.com
• www.fuck-isil.com
• www.ahalaymahalay.com
• kapustakapaet.com
• www.decryptindia.com
• www.enibeniraba.com
• www.netupite.com
• 89025840.com
• xsmailsos.com
• sosxsmaillockedwriteonxsmailindia.com
• baitforany.com
• euvalues.com
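A practical use of the domain list is to sweep DNS or proxy logs for resolutions of these names. The script below is an added example, not code from the original post or from F-Secure: it normalises each queried host (lower-case, trailing dot and "www." stripped) and flags a hit only when the host equals a listed domain or is a subdomain of it, so that look-alike names such as notkapustakapaet.com are not matched. The log layout ("<timestamp> <client-ip> <queried-host>") and the sample lines are constructed for this example; adapt the regex to your real source, such as Zeek dns.log or a proxy access log.

```python
import re

# Domains the post lists as related to BandarChor. The "www." prefixes are dropped here so
# that a lookup for the bare domain or for any subdomain is flagged as well.
BANDARCHOR_DOMAINS = frozenset({
    "martyanovdrweb.com", "fuck-isil.com", "ahalaymahalay.com", "kapustakapaet.com",
    "decryptindia.com", "enibeniraba.com", "netupite.com", "89025840.com",
    "xsmailsos.com", "sosxsmaillockedwriteonxsmailindia.com", "baitforany.com",
    "euvalues.com",
})

# Assumed log layout, constructed for this example: "<timestamp> <client-ip> <queried-host>".
# Adjust the regex for a real source (Zeek dns.log, Windows DNS debug log, proxy access log).
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)")

# Constructed sample lines; not real traffic.
SAMPLE_LOG = [
    "2015-03-06T10:12:01 10.0.0.21 www.decryptindia.com",
    "2015-03-06T10:12:03 10.0.0.21 update.microsoft.com",
    "2015-03-06T10:13:44 10.0.0.37 cdn.baitforany.com.",
    "2015-03-06T10:14:02 10.0.0.21 notkapustakapaet.com",
    "malformed",
]


def normalize_host(host):
    """Lower-case, strip a trailing dot and a leading 'www.' so comparisons are exact."""
    host = host.strip().rstrip(".").lower()
    return host[4:] if host.startswith("www.") else host


def matching_ioc(host):
    """Return the listed domain that host equals or is a subdomain of, else None.

    The '.' + ioc check avoids flagging look-alikes such as notkapustakapaet.com.
    """
    h = normalize_host(host)
    for ioc in BANDARCHOR_DOMAINS:
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None


def find_hits(lines):
    """Return (line_number, client, matched_domain) for each line that resolves a listed domain."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = LOG_LINE.match(line)
        if m is None:
            continue  # line does not fit the assumed layout
        ioc = matching_ioc(m.group("host"))
        if ioc is not None:
            hits.append((number, m.group("client"), ioc))
    return hits


if __name__ == "__main__":
    for number, client, ioc in find_hits(SAMPLE_LOG):
        print(f"line {number}: {client} -> {ioc}")
```

The client address in each hit is the host to isolate and image; since the post reports that the check-in uses HTTP POST, the same addresses are worth pulling from the proxy log as well.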

We are detecting this threat as Trojan:W32/BandarChor.


On 06/03/15 At 04:45 PM
