Remove Ransomware

I wrote this article to help you remove Ransomware. This Ransomware removal guide works for all Windows versions.

The email address is associated with the latest version of the BandarChor ransomware. The name BandarChor may sound familiar, as this ransomware, together with CryptoWall, TorrentLocker, and TeslaCrypt, was part of the first crypto-locker stream in 2015. Now BandarChor is back with a new version which, however, hardly differs from the previous one. Either way, you are stuck with a dangerous infection which will lock your files and extort you for money. This is what all ransomware pieces do. They follow a pretty standard pattern – Invade, Encrypt, and Extort.

How does BandarChor enter your system? Since you will never install it intentionally, the ransomware uses tricks to dupe you into approving its installation without realizing it. One of its most popular tactics is spam. It relies on spam email messages which pose as legitimate ones and land directly in your mailbox. Usually, the ransomware is embedded in a malicious attachment, and if you open this attachment you get infected. Another entry method is malvertising. The threat hides behind malicious ads displayed on shady websites and, once again, your click means you get infected. Other techniques this ransomware may use include exploit kits, fake updates, bundled software, Trojan horses, etc.

The tactics are many but if you are a little bit more careful you may prevent the infection. Don’t open suspicious emails, especially if you don’t know who they are from. Stay away from unverified download sources, pages, links, and torrents. And last but not least, be extra careful with third-party pop-ups. Don’t forget that what all infections need the most is your carelessness.

Once the ransomware slithers in, it wastes no time and proceeds with the encryption process. It performs a quick scan looking for files to lock and it doesn’t take it long to find them all. It locks your pictures, music, videos, Word files/doc, presentations, and work-related data with the AES-256 encryption algorithm so they all become inaccessible to you. You are no longer able to open any of them. Your PC cannot recognize them due to the new “” extension BandarChor added. Yes, this version appends an email address as an extension.

The pattern used by BandarChor is [original_file_name].id-[ID]_[EMAIL_ADDRESS]. For example, a file named “winter.jpg”, after being encrypted, becomes “”. Seeing your files renamed like this means that they have been turned into unusable gibberish. You see their icons but you cannot open them. It goes without saying that there may be some very important stuff among the locked data. This is the moment where you could easily panic. However, this is exactly what the crooks want, so do your best to remain calm.

When the encryption process is over, the ransomware drops its ransom note. This is a text file named HOW TO DECRYPT.txt and the threat drops it in every single folder which contains encrypted data as well as on your Desktop. The note lists three emails: the primary one (the one used as an extension) –, a secondary one – Shigorin.Vitolid@gmail, and a @DecryptService Telegram address.
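To see how far the damage reaches before attempting recovery, the rename pattern and the ransom note name described above can be used to inventory affected folders. The script below is an added example, not part of the original guide; it assumes the ID contains no underscore, and the ID and address in the sample tree are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# Pattern from the article: [original_file_name].id-[ID]_[EMAIL_ADDRESS]
# Assumption: the ID itself contains no underscore.
RENAMED = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[^_]+)_(?P<email>[^\s@]+@[^\s@]+)$"
)
NOTE_NAME = "HOW TO DECRYPT.txt"  # ransom note name given in the article


def parse_renamed(name):
    """Return (original_name, id, email) if the name fits the pattern, else None."""
    m = RENAMED.match(name)
    return (m["original"], m["victim_id"], m["email"]) if m else None


def inventory(root):
    """Walk root and report, per folder, renamed files and ransom-note presence."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        entry = report.setdefault(str(path.parent), {"note": False, "files": []})
        if path.name.lower() == NOTE_NAME.lower():
            entry["note"] = True
        else:
            parsed = parse_renamed(path.name)
            if parsed:
                entry["files"].append(parsed)
    # Keep only folders that show at least one indicator.
    return {d: e for d, e in report.items() if e["note"] or e["files"]}


def demo():
    """Build a constructed sample tree (placeholder ID and address) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        pics = Path(tmp, "Pictures")
        docs = Path(tmp, "Documents")
        pics.mkdir()
        docs.mkdir()
        (pics / "winter.jpg.id-0000000001_placeholder@example.invalid").write_bytes(b"")
        (pics / NOTE_NAME).write_text("constructed sample")
        (docs / "report.docx").write_bytes(b"")  # untouched file, must not match
        return {Path(d).name: e for d, e in inventory(tmp).items()}
```

The recovered original names tell you which files to look for in shadow copies or file-recovery results. The scan only reads directory listings and does not modify anything.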

You are required to get in touch with the hacker via one of these email addresses so they can send you payment instructions. Don’t do that no matter what. Do you now see why you should do your best to stay calm? If you give in to panic you are more likely to comply. But this won’t help you. The crooks claim that once you pay they will send you a special decryption tool to help you unlock your data. Do you think it is worth risking a hefty amount of money?

Cybercriminals are not famous for being reliable. They only care about getting your money and, once they have it, they just forget about you and don’t send you anything. This is how you end up double-crossed. Most of the time you don’t get what you paid for. But even if they actually send you a working decryptor and you recover your files, the ransomware itself remains in your system.

The tool doesn’t delete it, so it can encrypt your data again anytime. By paying, you lose either way, so forget it as an option. Not only do you have zero guarantees, but you are also helping crooks expand their business AND jeopardizing your privacy. Don’t become a sponsor of crooks. Use our removal guide instead. It is easy to follow and completely free of charge. You can find it below. Also, now you know how dangerous cyber infections are, so consider getting a reliable anti-malware program. Keep it updated and regularly scan your machine for intruders.

Ransomware Removal

Method 1: Restore your encrypted files using ShadowExplorer
Usually, ransomware deletes all shadow copies stored on your computer. Luckily, the ransomware is not always able to delete the shadow copies, so your first try should be restoring the original files from shadow copies.

  1. Download ShadowExplorer from this link:
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select the C: drive on the left panel
  4. Choose a date at least a month ago from the date field
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

  1. Go to Start –> All programs –> Accessories –> System tools –> System restore
  2. Click “Next”
  3. Choose a restore point, at least a month ago
  4. Click “Next”
  5. Choose Disk C: (should be selected by default)
  6. Click “Next”. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above methods work, you should try to recover the encrypted files by using file recovery software. Since ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original using file recovery software. Here are a few free file recovery programs:

  1. Recuva
  2. Puran File Recovery
  3. Disk Drill
  4. Glary Undelete
