A new brand of ransomware, based on a familiar malware family that plagued Russia last year, is now gathering steam in the U.S.
Finnish antivirus vendor F-Secure Corp. first discovered the ransomware, dubbed BandarChor, earlier this month, and reported that similar infections had been circulating in November of last year. Israeli security firm SenseCy identified BandarChor as an advanced variant of the 'Ebola Virus' ransomware -- a cyber pun on the lethal disease that devastated Africa last year -- which afflicted VKontakte, the Russian analog of Facebook.
"Both are written in Delphi, but BandarChor appears to be compressed, making it significantly smaller in size compared to Ebola," F-Secure analyst Sean Sullivan said. "BandarChor supports more extensions … about 100, while Ebola has about 40."
Like other types of ransomware, BandarChor is spread by malicious emails and exploit kits and encrypts users' files, according to F-Secure. "The variant that we encountered used an exploit kit perhaps to spread faster," Sullivan said. "We believe it is being spread by the Nuclear exploit kit."
SenseCy researchers suggested that BandarChor and Ebola stem from a common ransomware ancestor first discovered in 2009. Identified as Trojan.Encoder.741 by Russian security firm Dr. Web, the virus was tracked to a Russian hacker nicknamed "Korrektor." SenseCy was unable to link or rule out Korrektor as the perpetrator responsible for the BandarChor attacks.
"The used domain name may change from one variant to another -- which also affects the ransom contact details," Gad Rosenthal, director of cyber intelligence services at SenseCy, said. "Do note that the same domain name [e.g., india.com] may be used by different variants."
india.com was a common domain in both the Ebola and BandarChor attacks, despite the fact that the attacks were first reported on Russia-based platforms and spread westward to the U.S., according to SenseCy. Rosenthal noted that this may have been a ploy to mislead security researchers.