Malicious ads displayed on several adult websites and a store selling quadrocopters (drones) are infecting visitors with a new version of the BandarChor ransomware.

Spotted by Proofpoint security researcher Kafeine, the new BandarChor version was confirmed by Bleeping Computer's Lawrence Abrams, and security researcher Malwareforme, who contributed to this report.

BandarChor still going strong after two years

Some of you might recognize BandarChor's name, as it was one of the ransomware variants, together with CTB-Locker, CryptoWall, TorrentLocker, or TeslaCrypt, that are part of the first surge of crypto-lockers that made its presence felt in 2015, and started the unending wave of ransomware we see today.

The first BandarChor ransomware infections were spotted in November 2014, and the first report into the ransomware's activities came from Finnish security firm F-Secure, in March 2015.

By the next year, the number of BandarChor infections went down, but the ransomware didn't die out, being spotted in March 2016 by ReaQta researchers.

New version, but same modus operandi

In spite of the fact it survived on the market more than two years, BandarChor has barely changed its initial mode of operation, still asking infected users to send an email to the ransomware's author(s).

The crook's email address has changed, but that was to be expected. This email address can be found in the ransom note (pictured below) created in all the folders where the ransomware has encrypted files. The name of this ransom note text file is HOW TO DECRYPT.txt and lists help@decryptservice.info, Shigorin.Vitolid@gmail, and a @DecryptService Telegram address that can be used by victims to contact the devs and get payment instructions.

BandarChor ransom note
BandarChor ransom note

The help@decryptservice.info email is also used in the file extension BandarChor adds to encrypted files.

As spotted by both F-Secure in 2015, and again by ReaQta in 2016, the crook(s) behind BandarChor hasn't updated the pattern used for this file extension

[original_file_name].id-[ID]_[EMAIL_ADDRESS]

For this campaign, when BandarChor encrypts files, it will take a file named test.jpg and rename it as test.jpg.id-1235240425_help@decryptservice.info.

Files locked by BandarChor
Files locked by BandarChor

Like in previous variants, BandarChor relies on a working Internet connection to talk to an online C&C server. This BandarChor variant communicates with the following remote servers:

#Remote servers
checkip.dyn.com/ - IP check
checkip.amazonaws.com/ - IP check
tomtom.eu.pn/123/index.php - C&C server communications

Malwareforme stated that this variant of BandarChor continues to use the same url structure as previous versions when communicating with the Command & Control servers as shown below.

#Previous BandarChor Outgoing HTTP requests
POST /777/index.php HTTP/1.1
POST /123/index.php HTTP/1.1
POST /555/index.php HTTP/1.1
POST /345/index.php HTTP/1.1

As it appears, this BandarChor variant is yet another minor update to an continuing threat that has managed to survive all these years. This is most likely due to the small number of infections it made, which allowed it to avoid drawing attention from law enforcement agencies.