
BandarChor Ransomware (<filename>.<id>-<10 digit random number>_<email>) Support


147 replies to this topic

#16 domyrat

domyrat
  • Topic Starter

  • Members
  • 22 posts

Posted 05 March 2015 - 01:51 AM

I found out one more thing.

This crypto encrypts all the stated files over the network if there are shared folders on the network with read/write rights.

So, watch out for bad sharing (everyone full rights!!!)




#17 FigureGR

FigureGR

  • Members
  • 4 posts

Posted 05 March 2015 - 09:04 AM

> Having the same problem as FigureGR but didn't get a popup on any of the machines used and no trace found of the virus..... In strong need of the data so also thinking of paying them. What's your experience FigureGR (I have sent you a message).

So, I didn't have a splash screen as mentioned above; I just sent an e-mail to them saying "what do you want?". They replied 10 hours later saying that I need a decrypt program and a key to have my files back. At this time I had already disinfected all the clients and the 3 servers I have from malware. They also told me to send them an encrypted file so they could decrypt it and send it back to me in its original state. I did that and after 2 hours I got the file intact.

I had a brief conversation about the situation with my manager and we decided to pay the "bill".

We did pay them 1,85 BTC yesterday noon; it was a bit difficult to find a way to exchange real money (euro) for bitcoins. Anyway we did manage to find a way to do that. After that I sent an e-mail to fund@.... and told them about the transaction. I waited until 23:00 to get a reply with a link at sendspace.com with a zip file containing the decode application and a text file with the decryption key.

Next I replied to their e-mail saying that I don't know from which computer the ransomware came into my LAN, so they replied that I can execute the decoder from wherever I want in the LAN, so I can have my files back.

So far so good?

It's really frustrating to me personally that I didn't have any chance to make it through, and we had to pay them 530 euros!

If I can help in any way, please don't hesitate to ask me.



#18 domyrat

domyrat
  • Topic Starter

  • Members
  • 22 posts

Posted 05 March 2015 - 11:23 AM

You could help by sending the decrypting application. Some of us could maybe find a key on some PC?

Also, you could see if their decrypt application is somehow making a connection to their C&C server and snoop at it.



#19 EICT

EICT

  • Members
  • 2 posts

Posted 05 March 2015 - 03:08 PM

@domyrat, here is the decoder I got from FigureGR (who already used it successfully after he paid the bastards). It's a RAR file and you can download it from https://www.sendspace.com/file/47zm0l

I shall upload it also to http://www.bleepingcomputer.com/submit-malware.php?channel=3 for examination.

Wondering when and how you managed to find the infected machine on your LAN. All the files you mentioned above couldn't be located on my site, and neither on FigureGR's LAN. It looks like a hidden rootkit process or something, but I don't know for sure. The mentioned black popup screen with the instructions to contact them hasn't appeared on one of my machines yet. Did it appear on yours immediately after the infection, or also after a few (3) days, as FigureGR noticed?

If anyone already knows more, please let us know!



#20 domyrat

domyrat
  • Topic Starter

  • Members
  • 22 posts

Posted 06 March 2015 - 02:32 PM

The black popup screen appears when encryption is fully done. If you interrupt the encryption process somehow (reset computer, antivirus ....) no screen will be shown. I got all of that because our antivirus did not have the signatures for this malware yet....



#21 MeisterYoda

MeisterYoda

  • Members
  • 2 posts

Posted 10 March 2015 - 05:41 PM

Is there anything new about this ransomware? I got encrypted today by 'id-<Number>_europay@india.com'.

I actually don't know the way they came in.

It seems that Office documents are encrypted.

Has anybody experience with getting rid of it? And any ideas on system scanning?



#22 domyrat

domyrat
  • Topic Starter

  • Members
  • 22 posts

Posted 11 March 2015 - 02:58 AM

Why can't I edit my posts so I can fill in more information about this crypto??



#23 jamcz

jamcz

  • Members
  • 4 posts

Posted 11 March 2015 - 04:18 AM

Hi,

I have found a curious thing about this trojan. It encrypts only the head of the file, according to its kind.

For example: for an AVI video file it encrypts the first 30k; for a PDF file it encrypts the head up to the string 'end="r"?>'.

The following data is original.



#24 luckym

luckym

  • Members
  • 2 posts

Posted 11 March 2015 - 04:28 AM

I actually managed to repair my encrypted pst file and that really surprised me.

Did you try removing those 30k?



#25 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,104 posts
  • Location:Virginia, USA

Posted 11 March 2015 - 04:30 AM

> Why can't I edit my posts so I can fill in more information about this crypto??

Regular members can edit up to 24 hours later or until there is a reply to the post, whichever comes first.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#26 domyrat

domyrat
  • Topic Starter

  • Members
  • 22 posts

Posted 11 March 2015 - 05:54 AM

So, it's better to have information on all sides than in one place?



#27 jamcz

jamcz

  • Members
  • 4 posts

Posted 11 March 2015 - 05:55 AM

> Did you try removing those 30k?

Yes, I did, but the file could not be played, of course.

The AVI file needs a head for interpretation. It isn't a stream.



#28 jamcz

jamcz

  • Members
  • 4 posts

Posted 12 March 2015 - 05:53 AM

PDF encrypted file:

I was curious how sizable the encrypted part is in PDF files.

original size:

-rwxrwxrwx 2 root wheel 124M Mar 5 15:13 Achtung_Panzer_No.2_Panzerkampfwagen_III.pdf.id-4894182966_fud@india.com
-rwxrwxrwx 2 root wheel 16M Mar 5 15:15 Armor In Action 2024 Pzkpfw III in action.pdf.id-4894182966_fud@india.com
-rwxrwxrwx 2 root wheel 35M Mar 5 15:15 Battleline_01_Workhorse.pdf.id-4894182966_fud@india.com
-rwxrwxrwx 2 root wheel 46M Mar 5 15:15 Concord 7013.pdf.id-4894182966_fud@india.com
-rwxrwxrwx 2 root wheel 24M Mar 5 15:15 Concord_7041_Achtung_Panzer.pdf.id-4894182966_fud@india.com
-rwxrwxrwx 2 root wheel 44M Mar 5 15:18 Firefly-Step-By-Step-FINAL.pdf.id-4894182966_fud@india.com
-rwxrwxrwx 2 root wheel 41M Mar 5 15:04 Panzer Tracts Pz.III A-D.pdf.id-4894182966_fud@india.com
-rwxrwxrwx 2 root wheel 25M Mar 5 15:04 Panzers of Kasserine.The Afrika Korps in Tunisia.pdf.id-4894182966_fud@india.com
-rwxrwxrwx 2 root wheel 12M Mar 5 14:52 WEATHERING GREATEST HITS.pdf.id-4894182966_fud@india.com
-rwxrwxrwx 2 root wheel 30M Mar 5 14:53 Wydawnictwo Militaria 141 Pz.Kpfw.IV (1).pdf.id-4894182966_fud@india.com
-rwxrwxrwx 2 root wheel 64M Mar 5 14:53 Wydawnictwo Militaria 147 PzKpfw IV vol.II [PL.pdf.id-4894182966_fud@india.com
-rwxrwxrwx 2 root wheel 26M Mar 5 14:56 _Panzer_Tracts___03-2_Panzerkampfwagen_III_Ausf_E-F-G-H_ENG.pdf.id-4894182966_fud@india.com


size after cutting the non-encrypted part (the encrypted part has been kept):

-rwxr-xr-x 1 root wheel 1.2M Mar 12 11:29 Achtung_Panzer_No.2_Panzerkampfwagen_III.pdf.id-4894182966_fud@india.com
-rwxr-xr-x 1 root wheel 123k Mar 12 11:31 Armor In Action 2024 Pzkpfw III in action.pdf.id-4894182966_fud@india.com
-rwxr-xr-x 1 root wheel 1.0M Mar 12 11:30 Battleline_01_Workhorse.pdf.id-4894182966_fud@india.com
-rwxr-xr-x 1 root wheel 424k Mar 12 11:31 Concord 7013.pdf.id-4894182966_fud@india.com
-rwxr-xr-x 1 root wheel 245k Mar 12 11:30 Concord_7041_Achtung_Panzer.pdf.id-4894182966_fud@india.com
-rwxr-xr-x 1 root wheel 290k Mar 12 11:30 Firefly-Step-By-Step-FINAL.pdf.id-4894182966_fud@india.com
-rwxr-xr-x 1 root wheel 342k Mar 12 11:32 Panzer Tracts Pz.III A-D.pdf.id-4894182966_fud@india.com
-rwxr-xr-x 1 root wheel 640k Mar 12 11:32 Panzers of Kasserine.The Afrika Korps in Tunisia.pdf.id-4894182966_fud@india.com
-rwxr-xr-x 1 root wheel 114k Mar 12 11:32 WEATHERING GREATEST HITS.pdf.id-4894182966_fud@india.com
-rwxr-xr-x 1 root wheel 172k Mar 12 11:32 Wydawnictwo Militaria 141 Pz.Kpfw.IV (1).pdf.id-4894182966_fud@india.com
-rwxr-xr-x 1 root wheel 1.2M Mar 12 11:32 Wydawnictwo Militaria 147 PzKpfw IV vol.II [PL.pdf.id-4894182966_fud@india.com
-rwxr-xr-x 1 root wheel 180k Mar 12 11:30 _Panzer_Tracts___03-2_Panzerkampfwagen_III_Ausf_E-F-G-H_ENG.pdf.id-4894182966_fud@india.com



#29 Acinony

Acinony

  • Members
  • 12 posts

Posted 12 March 2015 - 05:14 PM

Hi, my name is Wouter (NL).

I have also been infected with this weird encrypto virus.

With some help from Google I found a way to get rid of the virus, but I am still left with all my encrypted files. :-(

I do not know how I got infected, but I have a lot of things which I forgot to back up.

Is there a decrypting program which I can feed all my files, both original and encrypted, which hopefully can learn some codes I can use to decrypt some of my files?

This is really frustrating.

I hope someone comes up with a solution soon.


Edited by Acinony, 12 March 2015 - 05:15 PM.
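The posts above (#23, #28 and #29) describe a file-level pattern: only the head of each file is encrypted, the tail is left as it was, and the encrypted name follows `<name>.id-<10 digits>_<email>`. The script below is an added example, not a tool posted in this thread and not the decoder mentioned above. Given a known-good copy of a file and its encrypted twin (the situation Acinony describes), it measures how many leading bytes were replaced by finding the longest common suffix, parses the naming scheme from the title, and, for PDFs, locates the `end="r"?>` string jamcz reported as the end of the encrypted head. The "encryption" used to build the sample input is a constructed XOR stand-in so the example runs offline; it is not the malware's cipher, and `SAMPLE_ORIGINAL` is a constructed PDF-like byte string, not a file from the thread.

```python
"""Triage helper for head-only file encryption, as reported in this thread.

Added example, not code from the thread or its posters. It measures the
damaged prefix of a file when an original copy exists and recognises the
<name>.id-<10 digits>_<email> naming pattern from the thread title.
"""
import os
import re
from typing import Optional

# File-name pattern from the thread title and jamcz's directory listings.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>\d{10})_(?P<email>[^@\s]+@[^@\s]+)$"
)

# jamcz reported PDF heads were encrypted up to this string (the end of an
# XMP packet). It is only a hint for when no original copy is available.
PDF_HEAD_MARKER = b'end="r"?>'


def parse_encrypted_name(name: str) -> Optional[dict]:
    """Split an encrypted file name into original name, victim id and contact address."""
    m = ENCRYPTED_NAME.match(name)
    return m.groupdict() if m else None


def common_suffix_length(a: bytes, b: bytes) -> int:
    """Number of trailing bytes that are identical in both buffers."""
    n = 0
    limit = min(len(a), len(b))
    while n < limit and a[-1 - n] == b[-1 - n]:
        n += 1
    return n


def encrypted_prefix_length(original: bytes, encrypted: bytes) -> int:
    """Leading bytes of `encrypted` that do not match the original's tail.

    jamcz observed that data after the encrypted head is untouched, so the
    encrypted region is everything before the longest common suffix. A
    ciphertext byte can coincide with the original by chance, so the value
    is a lower bound (normally exact or off by a byte or two).
    """
    return len(encrypted) - common_suffix_length(original, encrypted)


def pdf_marker_offset(data: bytes) -> Optional[int]:
    """Offset just past the first PDF_HEAD_MARKER, or None if it is absent."""
    i = data.find(PDF_HEAD_MARKER)
    return None if i < 0 else i + len(PDF_HEAD_MARKER)


def simulate_head_encryption(data: bytes, head_len: int, extra_header: bytes = b"") -> bytes:
    """Constructed stand-in for the malware: scramble the first head_len bytes.

    XOR with a non-zero constant guarantees every head byte changes; the
    optional extra_header models an encrypted copy that grew in size.
    This is NOT the real cipher, only a way to build test input.
    """
    head = bytes(b ^ 0x5A for b in data[:head_len])
    return extra_header + head + data[head_len:]


# Constructed PDF-like sample (not a real file from the thread).
SAMPLE_ORIGINAL = (
    b"%PDF-1.4\n"
    b"<?xpacket begin=''?>\n"
    b"<x:xmpmeta>constructed metadata</x:xmpmeta>\n"
    b'<?xpacket end="r"?>\n'
    + b"1 0 obj << /Type /Catalog >> endobj\n" * 50
    + b"%%EOF\n"
)


def triage_files(original_path: str, encrypted_path: str) -> dict:
    """Read a known-good/encrypted pair from disk and report the findings."""
    with open(original_path, "rb") as f:
        original = f.read()
    with open(encrypted_path, "rb") as f:
        encrypted = f.read()
    return {
        "name": parse_encrypted_name(os.path.basename(encrypted_path)),
        "encrypted_prefix_bytes": encrypted_prefix_length(original, encrypted),
        "size_delta": len(encrypted) - len(original),
        "pdf_marker_offset": pdf_marker_offset(original),
    }


if __name__ == "__main__":
    enc = simulate_head_encryption(SAMPLE_ORIGINAL, 256)
    print("encrypted head:", encrypted_prefix_length(SAMPLE_ORIGINAL, enc), "bytes")
    print("pdf marker ends at offset:", pdf_marker_offset(SAMPLE_ORIGINAL))
    print(parse_encrypted_name("Concord 7013.pdf.id-4894182966_fud@india.com"))
```

Run it against a real pair with `triage_files("backup/report.pdf", "share/report.pdf.id-<id>_<email>")`; the prefix length tells you how much of each file type is actually lost, which is what jamcz's second listing was measuring by hand, and the name parser lets you group files by victim id when several machines on the LAN were hit.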


#30 MeisterYoda

MeisterYoda

  • Members
  • 2 posts

Posted 13 March 2015 - 12:35 AM

@acinony: perhaps you could describe to us how you removed the infection?

Perhaps you have Volume Shadow Copies? At this stage I think that's a possible way.

BAK files are also encrypted, so in many cases you also have a problem although you had a working backup.





