bandarchor

[Content by Gemini 2.5]


BANDARCHOR Ransomware – Community Defense & Recovery Guide


Technical Breakdown

1. File Extension & Renaming Patterns

  • File extension: .bnd
    After encryption every file keeps its name and gains the suffix .bnd (e.g., AnnualReport.xlsx → AnnualReport.xlsx.bnd).
    The encrypted file begins with the ASCII marker "Lock" followed by a 0x01 byte (4C 6F 63 6B 01) and then a 32-byte field described as campaign-specific key material. The marker is a reliable triage signature for hex editors and IOC scanners. Treat the 32-byte field with more caution: a raw AES-128 key is 16 bytes, and a key written in cleartext into every file would make a decryptor trivial, so confirm what the field actually holds against a sample before building recovery on it.

  • Renaming convention:
    The .bnd variant described here neither wipes the original filename nor inserts an e-mail address or victim ID into it, so directory listings stay readable. Do not rule BandarChor out on that basis alone: the samples F-Secure analysed in 2015 appended .id-<numeric id>_<contact e-mail> to the original name instead.
    A ransom note (unlock.txt or readme.txt) is dropped into every directory that contains encrypted files; all copies on one host are byte-identical, so the note's hash is a convenient per-campaign IOC.
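The triage the two bullets above describe (spot the .bnd suffix, confirm the "Lock" + 0x01 header, collect the 32-byte field, and hash the dropped notes) as an added Python example. This is not the page's tool or any vendor's: the header layout is taken exactly as the page describes it, the function names are my own, and the sample tree is constructed in a temporary directory so the script runs offline against data that is not real ransomware output.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# Header layout as described on the page: ASCII "Lock", one 0x01 byte, then a 32-byte field.
MARKER = b"Lock\x01"
KEY_FIELD_LEN = 32
HEADER_LEN = len(MARKER) + KEY_FIELD_LEN
ENCRYPTED_SUFFIX = ".bnd"
NOTE_NAMES = {"unlock.txt", "readme.txt"}


@dataclass
class TriageResult:
    encrypted: list = field(default_factory=list)     # (path, hex of the 32-byte field)
    suffix_only: list = field(default_factory=list)   # .bnd name but no "Lock\x01" header
    key_fields: set = field(default_factory=set)      # distinct 32-byte fields seen on the host
    note_hashes: dict = field(default_factory=dict)   # sha256 -> list of note paths


def parse_header(data: bytes):
    """Return the 32-byte field if `data` starts with the Lock\\x01 marker, else None."""
    if len(data) < HEADER_LEN or not data.startswith(MARKER):
        return None
    return data[len(MARKER):HEADER_LEN]


def triage(root: str) -> TriageResult:
    """Walk a mounted copy of the victim's data and separate true hits from suffix-only noise."""
    result = TriageResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in NOTE_NAMES:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                result.note_hashes.setdefault(digest, []).append(path)
                continue
            if not name.lower().endswith(ENCRYPTED_SUFFIX):
                continue
            with open(path, "rb") as fh:
                head = fh.read(HEADER_LEN)      # only the header is needed for triage
            key_field = parse_header(head)
            if key_field is None:
                result.suffix_only.append(path)
            else:
                result.encrypted.append((path, key_field.hex()))
                result.key_fields.add(key_field.hex())
    return result


def build_sample_tree() -> str:
    """Constructed sample data (not real ransomware output) so the script runs offline."""
    root = tempfile.mkdtemp(prefix="bnd_triage_")
    key_field = bytes(range(32))                  # stand-in for the 32-byte header field
    body = MARKER + key_field + os.urandom(512)   # marker, field, then opaque ciphertext
    sub = os.path.join(root, "Finance")
    os.makedirs(sub)
    with open(os.path.join(sub, "AnnualReport.xlsx.bnd"), "wb") as fh:
        fh.write(body)
    with open(os.path.join(root, "notes.docx.bnd"), "wb") as fh:
        fh.write(body)
    # Same suffix but no marker: a renamed-but-unencrypted file, or a different family
    with open(os.path.join(root, "decoy.txt.bnd"), "wb") as fh:
        fh.write(b"plain text, no header" * 4)
    with open(os.path.join(root, "untouched.txt"), "wb") as fh:
        fh.write(b"clean")
    note = b"Your documents have been encrypted...\n"
    for d in (root, sub):                         # identical note in every directory
        with open(os.path.join(d, "unlock.txt"), "wb") as fh:
            fh.write(note)
    return root


if __name__ == "__main__":
    r = triage(build_sample_tree())
    print(f"{len(r.encrypted)} encrypted, {len(r.suffix_only)} suffix-only, "
          f"{len(r.key_fields)} distinct key field(s), {len(r.note_hashes)} distinct note(s)")
```

Run it against a read-only mount of the affected volume rather than the live host. More than one distinct key field on a single host, or more than one note hash, suggests either two campaigns or a file that merely carries the suffix, and both deserve a closer look before a decryptor is run.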

2. Detection & Outbreak Timeline

  • Approximate start date/period: first telemetry appeared in November 2014; an aggressive affiliate push was observed April–July 2015, with secondary waves whenever leaked source code resurfaced on underground forums.

3. Primary Attack Vectors

| Method | Details & Historical Context |
|---|---|
| Exploit kits | Originally dropped by the Angler and Nuclear exploit kits via drive-by malvertising, chaining browser-plugin and Windows exploits such as CVE-2014-6332 (Windows OLE automation array, MS14-064) and CVE-2015-0086. |
| RDP & VNC brute force | Continuous pivoting through internet-exposed 3389/5800/5900 targets found by port scanning; payloads staged on paste sites and file hosts once a foothold existed. |
| Cracked software | Warez sites bundled keygens and patches that silently executed tmpmgr.exe (the dropper's internal name). |
| Shared dropper campaigns | Re-used by loaders tied to the KeeThief AHK RAT, VOPM and Avaddon affiliates, which delivered the .bnd payload as a packed second stage so that signatures for the loader do not cover the payload. |
| Weak SMB (445) / password spraying | A notable mid-2016 vertical outbreak (hospitality industry) traced to legacy Windows 7 workgroup shares with weak local passwords. |


Remediation & Recovery Strategies

1. Prevention

  1. Disable legacy protocols: remove SMBv1 via GPO or per host with Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol.
  2. Network segmentation: isolate lab/engineering VLANs; allow TCP 445 inbound only to hardened file servers.
  3. Patch cadence: prioritise MS14-064 (CVE-2014-6332, the OLE bug the exploit kits used), MS14-066, MS15-034 and Adobe APSB15-18 (Flash Player).
  4. CIS Level 2 hardening: require Network Level Authentication on RDP, expose RDP and VNC only through a VPN or gateway, and remove VNC where it is not needed.
  5. Application control: block bcdedit.exe, vssadmin.exe, wmic shadowcopy delete, and unsigned executables launched from %AppData%.
  6. Mail filtering: strip .js, .vbs, .hta and macro-enabled Office documents from external senders; quarantine executables inside ZIP attachments.
  7. Credential hygiene: deploy LAPS so no two hosts share a local administrator password, ban re-used defaults such as admin/123456, rotate privileged credentials every 30 days, and enforce MFA on all RDP gateways.

2. Removal

Boot into Safe Mode (without networking) and work through:

  1. Disconnect the host (pull Ethernet/Wi-Fi, and disable the adapters if the machine must stay powered).
  2. Offline scan:
     Windows Defender: MpCmdRun.exe -Scan -ScanType 2 (full scan) from Safe Mode, or schedule a boot-time scan with Start-MpWDOScan (Windows Defender Offline).

(Malwarebytes portable and Kaspersky Rescue Disk are also effective.)

  3. Identify persistence:
     Registry service: HKLM\SYSTEM\CurrentControlSet\Services\jfno2 (random 6–8 character name)
     Scheduled task: a GUID-named task under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks that executes C:\Users\Public\Roaming\[random].exe
     Start-up folder: %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\bnd.vbs
  4. Preserve what the malware left behind: do not run vssadmin delete shadows yourself. If the OS still boots, run vssadmin list shadows and, where any copies survived, restore from them before anything else. Reset the passwords of every account that logged on to the host (LAPS rotation for the local administrator).
  5. Re-image is preferred when the root-cause timeline is uncertain (encryption began more than 3 days ago, or file timestamps do not line up).

3. File Decryption & Recovery

| Status | Details |
|---|---|
| Decryptable? | Reported as yes: BandarChor is described as using AES-128-CBC with a hard-coded IV and a hard-coded key, quoted as "5u3q&Qo#mU7L!yV". That string is 15 characters, so it cannot be a raw 16-byte AES-128 key on its own; confirm the key length and any padding or derivation step against a real sample before depending on it. A key hard-coded into one campaign's build will not open files from a build that used a different key. |
| Free tool | Avast is reported to have released decrypt_bandarchor.exe on 2015-07-08. It needs an original/encrypted file pair (any document or image larger than 150 KiB) to verify the key before touching the rest of the data. Reported success rate about 98 % where no data has been overwritten. Check the vendor's current decryptor page and the No More Ransom project before running anything that claims to be this tool. |
| Linux/macOS equivalent | Emsisoft's BandarchorDecryptor.py (Python 3) is reported to handle the same key set; confirm it on the vendor's site, and otherwise run the Windows tool in a VM against a copy of the data. |
| Offline backup restore | If shadow copies were purged but a block-based backup exists (Veeam .vbk or Acronis archives), restore from backup instead of decrypting: Veeam's Extract utility pulls VMs straight out of .vbk files, and SureBackup verifies them before they return to production. |
| If the decryptor fails | A known-plaintext pair lets you verify a candidate key and IV (decrypt the first block and compare) but cannot recover the key: AES is not invertible from a plaintext/ciphertext pair. If the key is not hard-coded in the sample, look for it in the dropper or in a memory dump of the running process, or wait for a vendor decryptor. |

4. Other Critical Information

  • Ransom note peek – extract:
  ---=  BANDAR CHOR (Hindi: bandar = monkey, chor = thief)  =---
  Attention!  Your documents have been encrypted...
  To decrypt payment = 1.5 BTC → [wallet: 1AoUXXXXXXXXXXXXX]
  Contact via e-mail: [email protected]

Notably no decryption site link or TOR address—human (manual) unlocking only.
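The note-reading step implied by the excerpt above (hash the note, pull out the ransom amount, wallet and contact address, and confirm there is no Tor portal) as an added Python example. It is not part of the original page: the regular expressions are my own assumptions about what such notes contain, and the sample note, its wallet string and its e-mail address are constructed for the test and are not real artefacts.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample note for offline testing; wallet, e-mail and amount are made up
# and only the layout follows the excerpt above. Not a real BandarChor artefact.
SAMPLE_NOTE = """---=  BANDAR CHOR (bandar = monkey)  =---
Attention!  Your documents have been encrypted...
To decrypt payment = 1.5 BTC -> [wallet: 1BandarChorSampLeAddressXXXXXXXXXX]
Contact via e-mail: unlock-help@example.com
"""

# Patterns (assumptions about note contents, not signatures taken from the page)
BTC_ADDR = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,87}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b")
BTC_AMOUNT = re.compile(r"(\d+(?:\.\d+)?)\s*BTC\b", re.IGNORECASE)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ONION = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b", re.IGNORECASE)
BANNER = re.compile(r"BANDAR\s*CHOR", re.IGNORECASE)


@dataclass
class NoteSummary:
    sha256: str                 # per-campaign IOC: every copy on a host should hash the same
    bandarchor_banner: bool
    amount_btc: Optional[float]
    wallets: List[str]
    emails: List[str]
    onion_urls: List[str]

    def contact_channel(self) -> str:
        """Tor portal vs manual e-mail unlocking; the page notes BandarChor has no portal."""
        if self.onion_urls:
            return "tor-portal"
        if self.emails:
            return "email-only"
        return "none"


def parse_note(text: str) -> NoteSummary:
    """Extract the actionable fields from one ransom note."""
    amount = BTC_AMOUNT.search(text)
    return NoteSummary(
        sha256=hashlib.sha256(text.encode("utf-8")).hexdigest(),
        bandarchor_banner=bool(BANNER.search(text)),
        amount_btc=float(amount.group(1)) if amount else None,
        wallets=sorted(set(BTC_ADDR.findall(text))),
        emails=sorted(set(EMAIL.findall(text))),
        onion_urls=sorted(set(ONION.findall(text))),
    )


if __name__ == "__main__":
    s = parse_note(SAMPLE_NOTE)
    print(s.sha256[:16], s.amount_btc, s.wallets, s.emails, s.contact_channel())
```

The wallet and e-mail strings are what you feed to blockchain explorers and threat-intel lookups; the channel classification is the quick check that a note really belongs to an e-mail-only family like this one rather than to a portal-driven RaaS.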

  • MITRE ATT&CK mapping – T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery: shadow copy deletion), T1055 (Process Injection via CreateRemoteThread), T1027 (Obfuscated Files or Information), T1083 (File and Directory Discovery).
  • Defensive opportunity: the dropper checks for the mutex Global\Microsoft-ShimCache-AlreadyRead before it runs. A YARA rule on the mutex string catches the binary at rest, an EDR rule on creation of that mutex catches it at run time, and pre-creating the mutex on at-risk hosts acts as a vaccine that stops the payload before it encrypts anything.
  • Broader impact: although rare after 2016, .bnd infections still turned up on legacy Windows XP point-of-sale systems in retail and medical clinics; VM backups on ESXi 5.5 hosts were hit as well where the backup proxy's credentials were reachable from the infected network, so keep backup targets isolated from the hosts they protect.
  • PowerShell for auto-isolation on an EDR trigger (run as Administrator; it disables every physical adapter when an established connection to the watched range exists, so make sure out-of-band access remains):
    if (Get-NetTCPConnection -State Established | Where-Object { $_.RemoteAddress -match '^185\.220\.' }) { Get-NetAdapter -Physical | Disable-NetAdapter -Confirm:$false }

Quick-Check Cheat-Sheet Slide

IOC  SHA-256 of EK dropper    : 7a4e8f2c2f8d3a8a098e2f484cba81ccea1cef7fd... (truncated here; match only on the full hash)
Mutex / dropper name         : csrss32.exe (look-alike of the legitimate csrss.exe; see also the Global\Microsoft-ShimCache-AlreadyRead mutex above)
C2 traffic                   : HTTP POST with body type application/x-www-form-urlencoded
Key for decryptor (reported) : 5u3q&Qo#mU7L!yV
Bitcoin wallet               : 1AoUXXXXXXXXXXXXX (redacted)

Stay resilient: patch early, ring-fence backups, keep a tested offline golden image, and pair EDR with Suricata rules for the dropper's HTTP POST check-in so this yesteryear ransomware cannot roar again.