December 16, 2016
Malicious ads displayed on several adult websites and a store selling quadrocopters (drones) are infecting visitors with a new version of the BandarChor ransomware.
Spotted by Proofpoint security researcher Kafeine, the new BandarChor version was confirmed by Bleeping Computer's Lawrence Abrams, and security researcher Malwareforme, who contributed to this report.
BandarChor still going strong after two years
Some of you might recognize BandarChor's name: alongside CTB-Locker, CryptoWall, TorrentLocker, and TeslaCrypt, it was one of the ransomware families in the first surge of crypto-lockers that made its presence felt in 2015 and started the unending wave of ransomware we see today.
The first BandarChor infections were spotted in November 2014, and the first report on the ransomware's activities came from Finnish security firm F-Secure in March 2015.
By the following year the number of BandarChor infections had gone down, but the ransomware didn't die out; ReaQta researchers spotted it again in March 2016.
New version, but same modus operandi
Despite surviving on the market for more than two years, BandarChor has barely changed its original mode of operation: it still asks infected users to send an email to the ransomware's author(s) to negotiate payment.
BandarChor ransom note
As both F-Secure noted in 2015 and ReaQta again in 2016, the crook(s) behind BandarChor haven't updated the naming pattern used for the extension appended to encrypted files.
Files locked by BandarChor
As in previous variants, BandarChor relies on a working Internet connection to talk to an online C&C server; without that connection the infection cannot complete its exchange with its operators. This BandarChor variant communicates with the following remote servers:
Malwareforme stated that this variant of BandarChor continues to use the same URL structure as previous versions when communicating with the Command & Control servers, as shown below.
As it appears, this BandarChor variant is yet another minor update to an ongoing threat that has managed to survive all these years. This is most likely due to the small number of infections it has caused, which allowed it to avoid drawing attention from law enforcement agencies.