
BandarChor Ransom Virus 2016 – Remove It and Restore .ID Encrypted Files

First discovered in November 2014, BandarChor has been infecting user PCs ever since. It encrypts files with the AES-256 cipher and leaves them unopenable, so that the only option the criminals offer is paying a ransom, usually in Bitcoin. Paying is not advisable: a free decryptor for this virus may be released, and in the meantime we strongly advise reading the instructions in this article and trying the alternative methods to restore your files.

Threat Summary

Name: BandarChor
Type: Ransomware
Short Description: The malware encrypts users' files with an AES-256 cipher and then drops its ransom message as a picture named "fud.bmp".
Symptoms: The ransom note is set as the desktop wallpaper and asks the user to contact the criminals' e-mail address for further instructions.
Distribution Method: Exploit kits, spam e-mail campaigns, malicious files posted online and malicious URLs.
Detection Tool: See if your system has been affected by BandarChor (malware removal tool).
User Experience: Join our forum to discuss BandarChor Ransomware.

BandarChor Ransomware – Distribution Methods

As analyzed by F-Secure researchers in 2015, BandarChor is reported to use the following related domains to spread:

martyanovdrweb.com
89025840.com
xsmailsos.com
sosxsmaillockedwriteonxsmailindia.com
www.ahalaymahalay.com
kapustakapaet.com
www.netupite.com
baitforany.com
euvalues.com
www.decryptindia.com
www.enibeniraba.com

Links to these domains may be spread across the web via referral spam or spam messages from social media accounts; for example, duplicate Facebook accounts may be used to add people and send them the malware.
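As an added example (not code from the article or from F-Secure), the script below turns the domain list above into a simple indicator-of-compromise check and runs it over a few constructed proxy/DNS log lines. The log format, timestamps and client IPs are assumptions for illustration. A "www." prefix, a trailing dot and any subdomain of a listed domain count as matches; look-alike names that merely contain a listed domain do not.

```python
"""Match the BandarChor-related domains against proxy/DNS log lines.

Added example, not from the original article or from F-Secure. The domain
list is the one printed in the article; the log lines are constructed.
"""
from typing import Iterator, List, Optional, Tuple
from urllib.parse import urlsplit

# Domains from the article (F-Secure's 2015 analysis), as printed there.
BANDARCHOR_DOMAINS = [
    "martyanovdrweb.com",
    "89025840.com",
    "xsmailsos.com",
    "sosxsmaillockedwriteonxsmailindia.com",
    "www.ahalaymahalay.com",
    "kapustakapaet.com",
    "www.netupite.com",
    "baitforany.com",
    "euvalues.com",
    "www.decryptindia.com",
    "www.enibeniraba.com",
]


def normalize(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so that
    'WWW.Netupite.com.' and 'netupite.com' compare equal."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


IOC_SET = {normalize(d) for d in BANDARCHOR_DOMAINS}


def matches_ioc(host: str) -> Optional[str]:
    """Return the listed domain that `host` equals or is a subdomain of
    (e.g. 'cdn.euvalues.com' -> 'euvalues.com'), or None."""
    labels = normalize(host).split(".")
    # Walk from the full name up to the registrable domain: a.b.c -> b.c
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_SET:
            return candidate
    return None


def hosts_in(line: str) -> Iterator[str]:
    """Yield host names found in a whitespace-separated log line: the host
    part of any URL, plus bare dotted tokens (DNS query names, IPs)."""
    for tok in line.split():
        if "://" in tok:
            host = urlsplit(tok).hostname
            if host:
                yield host
        elif "." in tok:
            yield tok


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, matched_domain, line) for every line that touches a
    listed domain. Assumed line layout: '<timestamp> <client> ...'."""
    hits = []
    for line in lines:
        fields = line.split()
        client = fields[1] if len(fields) > 1 else "?"
        for host in hosts_in(line):
            ioc = matches_ioc(host)
            if ioc:
                hits.append((client, ioc, line))
                break
    return hits


# Constructed sample log: one DNS query per line or one proxy request per line.
SAMPLE_LOG = [
    "2016-03-14T10:21:58Z 10.0.0.15 query A kapustakapaet.com.",
    "2016-03-14T10:22:01Z 10.0.0.15 GET http://www.netupite.com/gate.php 200",
    "2016-03-14T10:22:03Z 10.0.0.22 GET https://update.microsoft.com/ 200",
    "2016-03-14T10:22:09Z 10.0.0.31 query A cdn.euvalues.com",
    "2016-03-14T10:22:11Z 10.0.0.22 query A notevil-euvalues.com",
]

if __name__ == "__main__":
    for client, ioc, line in scan_log(SAMPLE_LOG):
        print(f"{client} contacted {ioc}: {line}")
```

Run it against real proxy or resolver exports by replacing SAMPLE_LOG with the file's lines; the client column index is the only format-specific assumption.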

BandarChor Ransomware – More Information About It

As soon as it has been dropped on your device, BandarChor may place one or more malicious files in key Windows folders; the file names vary between samples.

(figure: commonly used file names and folders)

After its files have been dropped, BandarChor begins scanning. It walks through every file and folder on the system except the key folders without which Windows could no longer function:

  • %Windows%
  • %Program Files% and %Program Files (x86)%
  • %ProgramData%
  • %System Volume Information%
  • %Temp%

Every file outside those folders whose extension is in the following list is then encrypted:

.001 .113 .1cd .3gp .73b .a3d .abf .abk .accdb .ace .arj .as4 .asm .asvx .ate .avi .bac .bak .bck .bkf .bup .bvd .cdr .cer .cng .cpt .cryptra .csv .db3 .dbf .dco .doc .docx .dwg .enx .erf .fbf .fbk .fbw .fbx .fdb .fdp .gbk .gho .gzip .iv2i .jac .jbc .jpeg .jpg .kbb .key .keystore .ldf .m2v .m3d .max .mdb .mkv .mov .mpeg .nba .nbd .nrw .nx1 .odb .odc .odp .ods .odt .old .orf .p12 .pdf .pef .pkey .ppsx .ppt .pptm .pptx .pst .ptx .pwm .pz3 .qic .r3d .rar .raw .rtf .rwl .rx2 .rzx .safe .sbs .sde .sgz .sldasm .sldprt .sle .sme .sn1 .sna .spf .sr2 .srf .srw .tbl .tib .tis .txt .vhd .wab .wallet .wbb .wbcat .win .wps .x3f .xls .xlsb .xlsk .xlsm .xlsx .zip

Source: Symantec

After encryption, BandarChor Ransomware adds a file extension which includes a unique identifier plus its e-mail address:

→Document.docx.id-{ID Number}_fud@india.com

Besides the main e-mail (fud@india.com), the virus is also associated with other e-mail addresses, such as:

  • fud@lycos.com
  • fudx@lycos.com
  • europay@india.com
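As an added example (not from the article or from any vendor tool), the script below recognises files renamed with the `.id-{ID}_{e-mail}` pattern described above, recovers the original name and extension, and groups the files by victim ID so a triage can tell which ID and contact address a machine was hit with and whether an unlisted address (a possible variant) appears. The file names are constructed; the extension list is only a subset of the Symantec list quoted above.

```python
"""Triage BandarChor-renamed files: <original>.id-<ID>_<e-mail>.

Added example, not code from the original article. File names below are
constructed; TARGETED_EXTENSIONS is a subset of the article's Symantec list.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Contact addresses named in the article.
KNOWN_EMAILS = {"fud@india.com", "fud@lycos.com", "fudx@lycos.com", "europay@india.com"}

# Subset of the Symantec extension list quoted in the article.
TARGETED_EXTENSIONS = set("""
    1cd 3gp accdb avi bak csv db3 dbf doc docx dwg jpeg jpg key keystore
    mdb mkv mov odt p12 pdf ppt pptx pst rar rtf tib txt vhd wallet xls xlsx zip
""".split())

# Greedy <original> so that dots inside the original name are preserved;
# the victim ID runs up to the first underscore, the e-mail to the end.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[^_/\\]+)_(?P<email>[^@\s/\\]+@[^@\s/\\]+)$"
)


def parse_encrypted_name(name: str) -> Optional[Dict[str, object]]:
    """Return the recovered fields for an encrypted file name, or None if the
    name does not follow the BandarChor pattern (ransom note, untouched file)."""
    m = ENCRYPTED_NAME.match(name)
    if not m:
        return None
    original = m.group("original")
    ext = original.rsplit(".", 1)[1].lower() if "." in original else ""
    email = m.group("email").lower()
    return {
        "original": original,
        "extension": ext,
        "targeted": ext in TARGETED_EXTENSIONS,
        "victim_id": m.group("victim_id"),
        "email": email,
        "known_email": email in KNOWN_EMAILS,
    }


def triage(names: List[str]) -> Dict[str, object]:
    """Group encrypted files by victim ID, collect unlisted contact addresses
    and report names that were skipped because they do not match."""
    by_id: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    unknown_emails = set()
    skipped = []
    for name in names:
        info = parse_encrypted_name(name)
        if info is None:
            skipped.append(name)
            continue
        by_id[str(info["victim_id"])].append(info)
        if not info["known_email"]:
            unknown_emails.add(str(info["email"]))
    return {
        "by_id": dict(by_id),
        "unknown_emails": sorted(unknown_emails),
        "skipped": skipped,
    }


# Constructed directory listing: three files from one victim ID, one file
# carrying an unlisted address, the ransom note and an untouched file.
SAMPLE_NAMES = [
    "Document.docx.id-1234567890_fud@india.com",
    "backup.2015.tib.id-1234567890_fud@india.com",
    "photo.jpg.id-1234567890_fudx@lycos.com",
    "invoice.pdf.id-9876543210_other@example.com",
    "fud.bmp",
    "notes.txt",
]

if __name__ == "__main__":
    result = triage(SAMPLE_NAMES)
    for victim_id, files in result["by_id"].items():
        print(f"ID {victim_id}: {len(files)} file(s)")
        for f in files:
            print(f"  {f['original']} (.{f['extension']}, targeted={f['targeted']}, via {f['email']})")
    print("unlisted addresses:", result["unknown_emails"])
    print("skipped:", result["skipped"])
```

The script only reports; leave the encrypted files in place (and keep a copy), since the recovered original name is what a decryptor needs to pair an encrypted file with its unencrypted original.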

After encryption, BandarChor drops an image called fud.bmp that carries its ransom message:

“Attention! Your computer was attacked by virus-encoder.
All your files are encrypted cryptographically strong, without the original key recovery is impossible!
To get the decoder and the original key, you need to write to us at the e-mail fud@india.com with the subject “encryption” stating your id.
Write on the case, do not waste your and our time on empty threats.
Responses to letters only appropriate people are not adequate ignore.
fudx@lycos.com”

Source: Enigmasoftware.com

The criminals' instructions are brief: rather than stating a price, they ask the victim to contact them, most likely to negotiate the ransom. They may offer to decrypt one file for free as proof, and we strongly advise taking them up on it, because a matched pair of an original file and its encrypted copy is exactly what decryptors such as Kaspersky's utilities need. Note that such a pair helps only where the ransomware's key handling is weak enough for the tool to recover the key; a correctly implemented AES-256 cipher with a random key cannot be broken from a plaintext/ciphertext pair alone. This is one of the reasons experts advise copying the encrypted files, removing the ransomware and trying other restoration methods instead of paying the criminals.

Removal and File Restoration of BandarChor Ransomware

To completely remove BandarChor Ransomware, follow the instructions provided below. They are arranged so that you can find BandarChor's registry entries and files and clean them from your computer. Security experts strongly advise using an advanced anti-malware tool for maximum effectiveness and a faster removal process.

If you wish to try to restore your files, attempt the Kaspersky decryptors listed in step "3. Restore files encrypted by BandarChor Ransomware". If you have a copy of an original file and its encrypted form, try the appropriate decrypter with that pair. You can also try restoring from Shadow Copies if they were enabled and are still present, or use data-recovery software that scans the sectors of your hard drive for earlier versions of your files. None of these methods is guaranteed to bring your files back, but they are real alternatives that sometimes work.

Manually delete BandarChor from your computer

Note: manual removal of BandarChor requires editing system files and the registry and can damage your PC if done incorrectly. If your computer skills are not at a professional level, don't worry: you can still do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove BandarChor files and objects
2. Find malicious files created by BandarChor on your PC
3. Fix registry entries created by BandarChor on your PC

Automatically remove BandarChor by downloading an advanced anti-malware program

1. Remove BandarChor with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by BandarChor in the future
3. Restore files encrypted by BandarChor
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. Strong believer in basic online-safety education for every user.
