A new version of the BandarChor ransomware is being distributed via malicious advertisements on adult websites and store selling drones, alarm researchers.
This latest BandarChor`s variant was discovered by Proofpoint security researcher Kafeine and confirmed by the security experts Malwareforme and Lawrence Abrams. BandarChor is not a newly developed threat as it, together with CryptoWall, TeslaCrypt, CTB-Locker and TorrentLocker, is a part of the first crypto-lockers stream in 2015.
The very first BandarChor infections were noticed more than two years ago, in November 2014 and, in March 2015, the Finnish security company, F-Secure, published the first report about the ransomware. After that, the number of BandarChor infections decreased significantly but the ransomware didn’t sink. In fact, the ReaQta researchers spotted it again in March 2016.
As we said, BandarChor remained on the ransomware stage more than two years but it hardly changed its way of operation. Even now, it is still asking its target to contact BandarChor`s creator via email. Unsurprisingly, the email address is different in this latest version but this is a minor alteration.
The email address that the victims are required to use can be found in the ransom note, which BandarChor drops in each folder that contains encrypted data. This note is a text file names is HOW TO DECRYPT.txt and lists help@decryptservice.info, Shigorin.Vitolid@gmail, and a @DecryptService Telegram address, which the victims can use to get in touch with the hackers and receive payment instructions.
Moreover, the help@decryptservice.info email is used by the ransomware as the extension it appends at the end of each locked file. The pattern for adding this extension also hasn’t been changed through the years. It is still the following: [original_file_name].id-[ID]_[EMAIL_ADDRESS]. For instance, a file named “summer.jpg” after being encrypted becomes: summer.jpg.id-1235240425_help@decryptservice.info.
Researchers also said that this BandarChor version, just like its previous ones, also needs a working Internet connection to communicate with an online Command and Control server and still uses the same URL structure for the communication.
As we can see, this latest BandarChor version barely changed in comparison to its previous ones and the ransomware itself, which managed to survive all these years, continues to be a threat. This is probably because of the small number of users it infected which helped it stay under the radar for all this time.