First discovered in November 2014, BandarChor has been infecting Windows PCs ever since, encrypting victims' files with AES-256. Recent samples still use AES-256 to scramble the files so that they can no longer be opened, and the criminals present paying the ransom, usually in Bitcoin, as the only way to get the files back. Paying is not advisable: a free decryptor for this family may be released, and the alternatives below cost nothing to try. In the meantime we strongly advise following the instructions in this article and trying those alternative methods to restore your files.
| Name | BandarChor Ransomware |
|---|---|
| Short Description | The malware encrypts users' files with AES-256 and then drops its ransom message as a picture named "fud.bmp". |
| Symptoms | The ransom note is set as the desktop wallpaper and tells the user to contact the criminals' e-mail address for further instructions. |
| Distribution Method | Exploit kits, spam e-mail campaigns, malicious files posted online and malicious URLs. |
| Detection Tool | See if your system has been affected by BandarChor (malware removal tool). |
| User Experience | Join our forum to discuss BandarChor Ransomware. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice: this product scans your drive sectors for lost files; it may recover only some of the encrypted files, depending on the situation and on whether the drive has been reformatted. |
BandarChor Ransomware – Distribution Methods
According to F-Secure's 2015 analysis, BandarChor is distributed through the following related domains:
Links to these domains may be spread across the web through referral spam or spam messages on social media. For example, cloned Facebook accounts may be used to befriend people and push the malicious links to them.
BandarChor Ransomware – More Information About It
As soon as it has been dropped on the device, BandarChor may place one or more malicious files in key Windows folders, possibly under different names:
Once its files are in place, BandarChor begins scanning. It walks every file and folder on the system except the key folders without which Windows can no longer function:
- %Program Files% and %Program Files (x86)%
- %System Volume Information%
Having located every file of the below-mentioned types outside those folders, BandarChor begins encrypting them:
After encryption, BandarChor appends a file extension that consists of a unique identifier plus the attackers' e-mail address:
Besides the main e-mail address (firstname.lastname@example.org), the virus is also associated with other addresses, such as:
After encryption, BandarChor also drops an image named fud.bmp that carries its ransom message:
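The walk and the two markers described above (skipped system folders, an e-mail address inside the appended extension, and the fud.bmp note) are enough to inventory an infected tree before cleanup. The following script is an added example, not code from the article or from any vendor tool: it triages a directory the same way the ransomware walks it, lists the encrypted files and ransom notes, and copies the encrypted files aside so a future decryptor still has untouched input. The sample tree it builds is constructed, and the exact `id-<digits>_<mail>` layout of the extension is an assumption, since the article only says the extension holds an ID plus an e-mail address.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Folders the ransomware skips, per the article; anything under them is expected to be intact.
SKIPPED_FOLDERS = {"Program Files", "Program Files (x86)", "System Volume Information"}
RANSOM_NOTE = "fud.bmp"


def looks_encrypted(name: str) -> bool:
    """Heuristic for the appended extension: it carries an e-mail address, so the
    name contains '@' after a dot. Ordinary file names almost never do."""
    head, at, _tail = name.partition("@")
    return bool(at) and "." in head


def contact_domain(name: str) -> str:
    """Domain part of the e-mail address embedded in an encrypted file's name."""
    return name.rsplit("@", 1)[1].lower()


def triage(root):
    """Walk `root` the way the article describes the ransomware doing it, skipping the
    same folders, and return (encrypted files, ransom notes) as sorted path lists."""
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into the skipped folders.
        dirnames[:] = [d for d in dirnames if d not in SKIPPED_FOLDERS]
        for fn in filenames:
            path = Path(dirpath) / fn
            if fn.lower() == RANSOM_NOTE:
                notes.append(path)
            elif looks_encrypted(fn):
                encrypted.append(path)
    return sorted(encrypted), sorted(notes)


def preserve(paths, root, dest):
    """Copy the encrypted files to `dest`, keeping their path relative to `root`,
    so a later decryptor has untouched input even after the machine is cleaned."""
    root, dest = Path(root), Path(dest)
    copied = []
    for src in paths:
        target = dest / src.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)
        copied.append(target)
    return copied


def build_sample(root):
    """Constructed sample tree (assumption: the 'id-<digits>_<mail>' layout)."""
    files = {
        "Users/alice/Documents/report.docx.id-0000000000_mail@example.org": b"\x00\x01ciphertext",
        "Users/alice/Documents/fud.bmp": b"BM",
        "Users/alice/Pictures/holiday.jpg": b"\xff\xd8\xff",
        "Program Files/App/readme.txt.id-0000000000_mail@example.org": b"\x00",
    }
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo():
    """Build the sample, triage it, preserve the hits, and report what was found."""
    root = Path(tempfile.mkdtemp(prefix="bandarchor-"))
    try:
        build_sample(root)
        encrypted, notes = triage(root)
        copied = preserve(encrypted, root, root / "_preserved")
        return {
            "encrypted": [p.relative_to(root).as_posix() for p in encrypted],
            "notes": [p.relative_to(root).as_posix() for p in notes],
            "domains": sorted({contact_domain(p.name) for p in encrypted}),
            "copied": len(copied),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real machine, call `triage("C:\\")` and `preserve(...)` with a destination on a separate, clean drive; the file under `Program Files` in the sample is deliberately left out of the results because the walk skips that folder, just as the article says the malware does. Grouping by `contact_domain` tells you which of the several attacker addresses a given infection used.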
The criminals' instructions are brief: they simply ask the victim to contact them for further details, most likely as an opening for negotiating the ransom. They may offer to decrypt one file for free as a guarantee, and we strongly advise taking them up on it, because some decryptors, such as Kaspersky's utilities, can sometimes decode your files when given an original file together with its encrypted copy. This is also why experts advise copying the encrypted files, removing the ransomware, and then trying the other recovery methods instead of paying the criminals.
Removal and File Restoration of BandarChor Ransomware
To completely remove BandarChor Ransomware, follow the instructions provided below. They are arranged so that you can locate BandarChor's registry entries and files and clean them from your computer. Security experts strongly advise using an advanced anti-malware tool for maximum effectiveness and a faster removal process.
If you want to try to restore your files, we urge you to attempt the Kaspersky decryptors referenced in step "3. Restore files encrypted by BandarChor Ransomware". If you have a copy of an original file and its encrypted form, try the appropriate decrypter with that pair. You can also try restoring from Shadow Copies if they were enabled before the infection, or use data-recovery software that scans the drive sectors for earlier versions of your files. Neither method is guaranteed to bring your files back, but they are real alternatives that sometimes work.
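Before trying the Shadow Copy route it pays to know which copies still exist and which volume and time each one covers. The following is an added example, not code from the article: it parses the output of Windows' `vssadmin list shadows` (run from an elevated prompt), picks the newest copy for a volume, and builds the device path and the `mklink` command used to browse that copy. The sample output is constructed (made-up GUIDs, host name and timestamps) but follows the tool's real layout; the timestamp format is assumed to be the US locale's.

```python
import re
from datetime import datetime

# Constructed sample of `vssadmin list shadows` output; GUIDs, host and times are made up.
SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {3c5b8f4e-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 1/10/2016 8:02:13 AM
      Shadow Copy ID: {7a9d1c2e-0000-0000-0000-00000000000a}
         Original Volume: (C:)\\?\Volume{0f1e2d3c-0000-0000-0000-0000000000c1}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: WORKSTATION
         Service Machine: WORKSTATION
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {3c5b8f4e-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 1/12/2016 9:41:07 PM
      Shadow Copy ID: {7a9d1c2e-0000-0000-0000-00000000000b}
         Original Volume: (C:)\\?\Volume{0f1e2d3c-0000-0000-0000-0000000000c1}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: WORKSTATION
         Service Machine: WORKSTATION
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""


def parse_shadows(text):
    """Turn `vssadmin list shadows` output into one dict per shadow copy."""
    copies, created, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Contained \d+ shadow copies at creation time:\s*(.+)$", line)
        if m:
            created = m.group(1)          # applies to the copies listed under this set
            continue
        m = re.match(r"Shadow Copy ID:\s*(\{[0-9a-fA-F-]+\})", line)
        if m:
            current = {"id": m.group(1), "created": created}
            copies.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"Original Volume:\s*\((\w:)\)", line)
        if m:
            current["volume"] = m.group(1)   # drive letter the copy was taken from
        m = re.match(r"Shadow Copy Volume:\s*(\S+)", line)
        if m:
            current["device"] = m.group(1)   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
    return copies


def for_volume(copies, volume):
    return [c for c in copies if c.get("volume") == volume]


def newest_for_volume(copies, volume, fmt="%m/%d/%Y %I:%M:%S %p"):
    """Newest copy of `volume`; `fmt` assumes the US locale's timestamp layout."""
    matching = for_volume(copies, volume)
    return max(matching, key=lambda c: datetime.strptime(c["created"], fmt), default=None)


def shadow_path(copy, relative):
    """Path of a file inside the shadow copy, e.g. for `copy ... C:\Recovered\`."""
    return copy["device"] + "\\" + relative.lstrip("\\")


def mklink_command(copy, link):
    """Directory link that exposes the shadow copy; the trailing backslash is required."""
    return "mklink /d " + link + " " + copy["device"] + "\\"


if __name__ == "__main__":
    shadows = parse_shadows(SAMPLE_OUTPUT)
    best = newest_for_volume(shadows, "C:")
    print(mklink_command(best, r"C:\shadow"))
    print(shadow_path(best, r"Users\alice\Documents\report.docx"))
```

Feed the script the real output with `parse_shadows(subprocess.check_output(["vssadmin", "list", "shadows"], text=True))` from an elevated prompt, run the printed `mklink` command, copy the pre-infection versions out of `C:\shadow`, then `rmdir C:\shadow`. If the parser returns an empty list, there is nothing to restore: either Shadow Copies were never enabled or they have since been deleted, which many ransomware families do with `vssadmin delete shadows /all /quiet` (the article does not say whether BandarChor does).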