
BandarChor Ransom Virus 2016 – Remove It and Restore .ID Encrypted Files


First discovered in November 2014, BandarChor has been infecting user PCs ever since, encrypting their files with the AES-256 cipher. The latest analyses of this ransomware confirm that it uses AES-256 to scramble user files and render them unusable, leaving payment of the ransom, usually in BitCoin, as the only option the criminals offer for decryption. Paying is not advisable: a decryptor may be released for this virus and allow users to decode their files for free. In the meantime, we strongly advise reading the instructions in this article and trying the alternative methods to restore your files.

Threat Summary

Short Description: The malware encrypts users’ files with an AES-256 cipher, after which it drops a ransom message as a picture named “fud.bmp”.
Symptoms: The user may see a ransom note set as the desktop wallpaper, asking them to contact the cyber-crooks’ e-mail address for more information.
Distribution Method: Via an exploit kit, spam e-mail campaigns, malicious files posted online and malicious URLs.

BandarChor Ransomware – Distribution Methods

According to F-Secure researchers, who analyzed the BandarChor Ransomware in 2015, it is spread through the following related domains:

Links to these domains may be spread across the web via referral spam or spam messages sent from social media accounts. For example, duplicate Facebook accounts may be used to add people as friends and then push the malware to them.

BandarChor Ransomware – More Information About It

As soon as it has been dropped on your device, BandarChor Ransomware may drop one or more malicious files in key Windows folders. These files may be given different names on different infections:

(Image: commonly used file names and folders)

After the files have been dropped on the infected user’s computer, BandarChor may begin its scanning operation. The virus walks through every file and folder, except for the key folders without which Windows can no longer function:

  • %Windows%
  • %Program Files% and %Program Files (x86)%
  • %ProgramData%
  • %System Volume Information%
  • %Temp%

Once it has located all files of the types listed below outside of those folders, BandarChor Ransomware begins to encrypt them:

.001 .113 .1cd .3gp .73b .a3d .abf .abk .accdb .ace .arj .as4 .asm .asvx .ate .avi .bac .bak .bck .bkf .bup .bvd .cdr .cer .cng .cpt .cryptra .csv .db3 .dbf .dco .doc .docx .dwg .enx .erf .fbf .fbk .fbw .fbx .fdb .fdp .gbk .gho .gzip .iv2i .jac .jbc .jpeg .jpg .kbb .key .keystore .ldf .m2v .m3d .max .mdb .mkv .mov .mpeg .nba .nbd .nrw .nx1 .odb .odc .odp .ods .odt .old .orf .p12 .pdf .pef .pkey .ppsx .ppt .pptm .pptx .pst .ptx .pwm .pz3 .qic .r3d .rar .raw .rtf .rwl .rx2 .rzx .safe .sbs .sde .sgz .sldasm .sldprt .sle .sme .sn1 .sna .spf .sr2 .srf .srw .tbl .tib .tis .txt .vhd .wab .wallet .wbb .wbcat .win .wps .x3f .xls .xlsb .xlsk .xlsm .xlsx .zip

Source: Symantec

After encryption, BandarChor Ransomware appends a file extension to each file which includes a unique victim identifier plus the criminals’ e-mail address:

→{ID Number}

Besides the main e-mail address, the virus is also associated with other e-mail addresses, like:


After encryption, BandarChor also drops an image, called fud.bmp, which carries its ransom message:

“Attention! Your computer was attacked by virus-encoder.
All your files are encrypted cryptographically strong, without the original key recovery is impossible!
To get the decoder and the original key, you need to write to us at the e-mail with the subject “encryption” stating your id.
Write on the case, do not waste your and our time on empty threats.
Responses to letters only appropriate people are not adequate ignore.”

The cyber-criminals are not very detailed in their instructions to the user; instead, they ask to be contacted for further instructions. This is most likely an invitation to negotiate the ransom payment. The cyber-criminals may offer the free decryption of one file as a guarantee, which we strongly advise users to take advantage of. The reason is that some decryptors, like Kaspersky’s utilities, may successfully decode your files if you can supply an original file together with its encrypted version. This is one of the reasons why experts strongly advise copying the encrypted files, deleting the ransomware and using other methods to try to restore them instead of paying off the cyber-crooks.

Removal and File Restoration of BandarChor Ransomware

To completely remove BandarChor Ransomware, we urge you to use the instructions provided below. They are arranged so that you can find BandarChor’s registry entries and files and clean your computer of them. Security experts strongly advise users to use an advanced anti-malware tool for maximum effectiveness and a faster removal process.

If you wish to try to restore your files, we urge you to attempt the decryptors by Kaspersky, which you can find in step “3. Restore files encrypted by BandarChor Ransomware”. If you have a copy of an original file and its encrypted form, you may want to try the appropriate decrypters for them. There is also the option of restoring your files from Shadow Copies, if you have them enabled. Another viable possibility is to use data-recovery software to reassemble the old versions of your files by scanning the sectors of your hard drives. Neither method is guaranteed to recover your files, but they are real alternatives that sometimes work.
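To make the two points above concrete (inventorying the encrypted files by their appended extension, and locating an original/encrypted pair for a decryptor that needs one), here is an added triage helper. It is example code written for this article, not part of the original post, of any Kaspersky utility or of the ransomware analysis it cites. The article only states that the appended extension contains a unique ID plus the criminals’ e-mail address, so the exact shape ``.id-<digits>_<e-mail>`` used by the regular expression, the sample e-mail address and the sample file tree are all assumptions constructed for the demonstration; the note name fud.bmp and the skipped folders are taken from the article.

```python
"""Triage helper for a BandarChor-style infection (added example, not from the article).

Assumption: encrypted files carry an appended extension shaped like
``<original name>.id-<digits>_<e-mail>``. The article only says the extension
holds a unique ID plus the e-mail address, so the separators are assumed here.
"""
import os
import re
import tempfile
from collections import Counter

# Folders the article says the ransomware leaves alone; an inventory of
# encrypted files can therefore skip them too (checking them for dropped
# malware components is a separate task).
EXCLUDED_DIRS = {"Windows", "Program Files", "Program Files (x86)",
                 "ProgramData", "System Volume Information", "Temp"}

RANSOM_NOTE = "fud.bmp"  # ransom picture named in the article

# Assumed extension layout, e.g. "report.docx.id-1234567890_mail@example.com"
ENC_RE = re.compile(
    r"^(?P<orig>.+)\.id-(?P<id>\d+)_(?P<mail>[^@\s]+@[^@\s]+)$", re.IGNORECASE)


def original_name(path):
    """Strip the appended ransom extension; None if the name does not match."""
    m = ENC_RE.match(os.path.basename(path))
    return m.group("orig") if m else None


def triage(root):
    """Walk `root` and collect encrypted files, victim IDs, contact e-mails,
    the original extensions that were hit, and where ransom notes were dropped."""
    result = {"encrypted": [], "ids": Counter(), "mails": Counter(),
              "orig_ext": Counter(), "notes": []}
    for dirpath, dirnames, filenames in os.walk(root):
        # prune in place so os.walk does not descend into skipped folders
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                result["notes"].append(path)
                continue
            m = ENC_RE.match(name)
            if m:
                result["encrypted"].append(path)
                result["ids"][m.group("id")] += 1
                result["mails"][m.group("mail").lower()] += 1
                ext = os.path.splitext(m.group("orig"))[1].lower()
                result["orig_ext"][ext] += 1
    return result


def find_pairs(encrypted_paths, backup_root):
    """Pair each encrypted file with an unencrypted copy of the same name found
    under `backup_root`; such pairs are what a known-original decryptor needs."""
    backups = {}
    for dirpath, _, filenames in os.walk(backup_root):
        for name in filenames:
            backups.setdefault(name, os.path.join(dirpath, name))
    return [(backups[orig], enc) for enc in encrypted_paths
            if (orig := original_name(enc)) in backups]


def build_sample_tree():
    """Construct a small sample tree (constructed data, not a real infection)."""
    root = tempfile.mkdtemp(prefix="bandarchor_triage_")
    victim = os.path.join(root, "Users", "alice", "Documents")
    skipped = os.path.join(root, "Windows")
    backup = os.path.join(root, "backup")
    for d in (victim, skipped, backup):
        os.makedirs(d)
    for name in ("report.docx.id-1234567890_mail@example.com",
                 "photo.jpg.id-1234567890_mail@example.com",
                 "notes.txt", RANSOM_NOTE):
        open(os.path.join(victim, name), "wb").close()
    # a matching name inside a skipped folder must not be counted
    open(os.path.join(skipped, "x.dll.id-1234567890_mail@example.com"), "wb").close()
    # the backup holds an untouched copy of one of the encrypted files
    open(os.path.join(backup, "report.docx"), "wb").close()
    return root, victim, backup


if __name__ == "__main__":
    root, _, backup = build_sample_tree()
    report = triage(root)
    print("encrypted files:", len(report["encrypted"]))
    print("victim IDs:", dict(report["ids"]), "contact e-mails:", dict(report["mails"]))
    print("original extensions hit:", dict(report["orig_ext"]))
    print("ransom notes:", report["notes"])
    for orig, enc in find_pairs(report["encrypted"], backup):
        print("candidate pair for a decryptor:", orig, "<->", enc)
```

Point `triage()` at a copy of the affected drive rather than the live system, as the article recommends copying the encrypted files first; the ID and e-mail counters also make it obvious if more than one infection wave (different IDs) is present.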


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering the new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
