
BandarChor: New ransomware based on old malware family emerges

Antivirus vendor F-Secure discovered BandarChor, a type of ransomware based on an existing malware family.

A new brand of ransomware, based on a familiar malware family that plagued Russia last year, is now gathering steam in the U.S.

Finnish antivirus vendor F-Secure Corp. first discovered the ransomware, dubbed BandarChor, earlier this month, and reported that similar infections had been circulating in November of last year. Israeli security firm SenseCy identified BandarChor as an advanced variant of the 'Ebola Virus' ransomware -- a cyber pun on the lethal disease that devastated Africa last year -- which afflicted users of VKontakte, the Russian analog of Facebook.

"Both are written in Delphi, but BandarChor appears to be compressed, making it significantly smaller in size compared to Ebola," F-Secure analyst Sean Sullivan said. "BandarChor supports more extensions … about 100, while Ebola has about 40."

Like other types of ransomware, BandarChor is spread by malicious emails and exploit kits and encrypts users' files, according to F-Secure. "The variant that we encountered used an exploit kit perhaps to spread faster," Sullivan said. "We believe it is being spread by the Nuclear exploit kit."

SenseCy researchers suggested that BandarChor and Ebola stem from a common ransomware ancestor first discovered in 2009. Identified as Trojan.Encoder.741 by Russian security firm Dr. Web, that Trojan was tracked to a Russian hacker nicknamed "Korrektor." SenseCy was unable to either link Korrektor to the BandarChor attacks or rule him out as the perpetrator.

"The used domain name may change from one variant to another -- which also affects the ransom contact details," Gad Rosenthal, director of cyber intelligence services at SenseCy, said. "Do note that the same domain name [e.g., india.com] may be used by different variants."

india.com was a common domain in both the Ebola and BandarChor attacks, even though the attacks were first reported on Russian platforms and then spread westward to the U.S., according to SenseCy. Rosenthal noted that the choice of domain may have been a ploy to mislead security researchers.


What has your organization's security department done to mitigate or prepare for ransomware threats?
  1. Verify everything before downloading it. A little research goes a long way, and this is just good sense.
  2. Backup all important content. We believe in redundancy, so we have multiple backups in separate locations, and they're regularly kept up to date.
  3. Sandbox internet access - ransomware isn't much of a threat if the sandbox containing it can be deleted at any time. Denying ransomware access in the first place is actually easier than fixing it later.
