Bandarchor Ransomware Still Active

Bandarchor ransomware

Bandarchor is a ransomware family first identified at the end of 2014 that seemed to almost disappear halfway through 2015. Somewhat to our surprise, we have found it to be alive and well, and with a very low detection rate: lately we have been receiving help requests from companies infected by a ransomware that did not appear to belong to the known triad of CryptoLocker, CryptoWall and TeslaCrypt, so we decided to investigate what turns out to be a new campaign using a new variant.

File Information

MD5: 02dd13752abc64e586df130b913cde22
SHA1: f2c668f8c16186f2e16c3fa745a27c64124993fe
SHA256: 6d845f8acf5eacd8cbe23b88a425c88b43400cfd9ca89767bc3972998b8393db
Size: 382.464 bytes

[Image: Bandarchor ransomware icon, packed and unpacked]

The sample we are going to analyse had a detection rate of just 4/55 on the 3rd of March 2016:

[Image: Bandarchor ransomware VirusTotal detections]

All the samples retrieved from this campaign share the same information as shown below:

[Image: file_info, the information shared by all the samples]

Ransomware Behaviour

Bandarchor is spread through email attachments or through Exploit Kits hosted on compromised websites. The initial stage is a dropper protected with a custom crypter. Once the decryption stage is complete, the code is injected into an in-memory copy of the process itself; after the main thread is resumed the payload starts and the ransomware encryption process begins. The initial process is a UPX-packed executable which, once unpacked, turns out to be a Delphi executable.

[Image: Bandarchor ransomware execution flow]

Once running, the ransomware checks for a hardcoded mutant (91ce0127-5e15-4b9a-aa4d-5dab8efc4916) to determine whether the system has already been infected. If it has not, we observe an HTTP POST request to a C2 server (intelligence1938[.]com for this sample), used to retrieve the encryption keys from the server:

number=63&id=9651873236&pc=PC666&[email protected]

The traffic patterns and the sample's behaviour are consistent with previously identified Bandarchor samples, of which this campaign appears to be using a new variant. The request format is the same as the one recorded for the old samples:

number=[DECIMAL]&id=[10_RANDOM_DIGIT]&pc=[INFECTED_PC_NAME]&tail=[EXTENSION_OF_ENCRYPTED_FILE]

where [EXTENSION_OF_ENCRYPTED_FILE] has the following form:

.id-[ID]_[EMAIL_ADDRESS]
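As an added example (not code from the original post), the following Python scans constructed proxy-log lines for POST bodies that follow the check-in format above and extracts the campaign number, the 10-digit id, the PC name and the email address embedded in the tail. The log line layout and every value in it are constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed proxy log lines (not from the original post): one Bandarchor-style
# check-in, one unrelated form post, and a second check-in from another campaign.
SAMPLE_LOG = """\
2016-03-03T10:12:01Z POST http://c2.example/ body="number=63&id=9651873236&pc=PC666&tail=.id-9651873236_someone@example.test"
2016-03-03T10:12:05Z POST http://app.example/login body="user=bob&password=x"
2016-03-03T10:13:44Z POST http://c2.example/ body="number=127&id=1234567890&pc=WS01&tail=.id-1234567890_help@example.test"
"""

BODY_RE = re.compile(r'body="([^"]*)"')
# tail=[EXTENSION_OF_ENCRYPTED_FILE], i.e. .id-[ID]_[EMAIL_ADDRESS]
TAIL_RE = re.compile(r"^\.id-(\d{10})_([^@\s]+@[^@\s]+)$")

def parse_checkin(body):
    """Return the fields of a Bandarchor check-in if body matches
    number=[DECIMAL]&id=[10_RANDOM_DIGIT]&pc=[PC_NAME]&tail=.id-[ID]_[EMAIL], else None."""
    q = parse_qs(body)
    try:
        number, rid, pc, tail = (q[k][0] for k in ("number", "id", "pc", "tail"))
    except KeyError:
        return None
    if not number.isdigit() or not re.fullmatch(r"\d{10}", rid):
        return None
    m = TAIL_RE.match(tail)
    if not m:
        return None
    return {"campaign": int(number), "id": rid, "pc": pc,
            "tail_id": m.group(1), "email": m.group(2)}

def find_checkins(log_text):
    """Scan log lines and return one record per POST body matching the check-in format."""
    hits = []
    for line in log_text.splitlines():
        m = BODY_RE.search(line)
        if not m:
            continue
        info = parse_checkin(m.group(1))
        if info:
            info["line"] = line
            hits.append(info)
    return hits
```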

Once the encryption of a file is complete, that file is renamed:

[Image: enc_files, renamed encrypted files]

When the overall encryption process is complete, the ransom payment information is presented to the user through the usual ransom-note picture.

Encryption algorithm

The encryption algorithm and key length are unchanged from previous versions (AES 256-bit). The code analysis does show one small difference from previous variants: the amount of data encrypted per file is now 16000 bytes, whereas older samples encrypted the first 30000 bytes of each file.

[Image: size_change]

[Image: header_file]
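An added example (not code from the original post) of how a responder can triage files on an affected host using the two facts above: only the first 16000 bytes of each file are encrypted, and encrypted files carry the .id-[ID]_[EMAIL_ADDRESS] suffix. It builds two constructed sample files in a temporary directory, then reports the Shannon entropy of the first 16000 bytes against the remainder; the suffix being appended to the original file name is an assumption.

```python
import math
import os
import random
import re
import tempfile
from collections import Counter

ENC_PREFIX_LEN = 16000  # bytes encrypted per file by this variant (older samples: 30000)
# Suffix from the post: .id-[ID]_[EMAIL_ADDRESS]; appended to the original name (assumption)
NAME_RE = re.compile(r"\.id-\d{10}_[^@]+@[^@]+$")

def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext, far lower for typical documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_file(path, threshold=7.5):
    """Flag a file when its name carries the Bandarchor suffix and its first
    16000 bytes are high-entropy; the remainder's entropy is reported for comparison."""
    with open(path, "rb") as f:
        head = f.read(ENC_PREFIX_LEN)
        rest = f.read()
    name_hit = bool(NAME_RE.search(os.path.basename(path)))
    head_e = shannon_entropy(head)
    rest_e = shannon_entropy(rest) if rest else None
    return {"path": path, "name_matches": name_hit,
            "head_entropy": round(head_e, 2),
            "rest_entropy": None if rest_e is None else round(rest_e, 2),
            "likely_encrypted": name_hit and head_e >= threshold}

def make_samples(directory):
    """Constructed samples (not real victim files): a plain document and a copy whose
    first 16000 bytes are replaced by pseudo-random data and renamed as the post shows."""
    rng = random.Random(1)
    plain = b"Quarterly report. " * 2000  # ~36 KB of low-entropy text
    clean = os.path.join(directory, "report.docx")
    with open(clean, "wb") as f:
        f.write(plain)
    junk = bytes(rng.getrandbits(8) for _ in range(ENC_PREFIX_LEN))
    hit = os.path.join(directory, "report.docx.id-9651873236_victim@example.test")
    with open(hit, "wb") as f:
        f.write(junk + plain[ENC_PREFIX_LEN:])
    return clean, hit

def run_demo():
    """Create the samples in a temporary directory and triage both."""
    return [triage_file(p) for p in make_samples(tempfile.mkdtemp())]
```

On real data the entropy split is what distinguishes this variant from full-file encryptors: the head is ciphertext-like while the tail still looks like the original format.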

Targeted files

25 new target file extensions have been added in this new variant:

.001 .ace .bup .bvd .cng .cryptra .dco .enx .fdp .jac .jbc .kbb .nba .pkey .rzx .safe .sde .sgz .sle .sme .vhd .wallet .wbb .wbcat .win

in addition to the old ones:

.113 .1cd .3gp .73b .a3d .abf .abk .accdb .arj .as4 .asm .asvx .ate .avi .bac .bak .bck .bkf .cdr .cer .cpt .csv .db3 .dbf .doc .docx .dwg .erf .fbf .fbk .fbw .fbx .fdb .gbk .gho .gzip .iv2i .jpeg .jpg .key .keystore .ldf .m2v .m3d .max .mdb .mkv .mov .mpeg .nbd .nrw .nx1 .odb .odc .odp .ods .odt .old .orf .p12 .pdf .pef .ppsx .ppt .pptm .pptx .pst .ptx .pwm .pz3 .qic .r3d .rar .raw .rtf .rwl .rx2 .sbs .sldasm .sldprt .sn1 .sna .spf .sr2 .srf .srw .tbl .tib .tis .txt .wab .wps .x3f .xls .xlsb .xlsk .xlsm .xlsx .zip

So the authors have added wallet files and several secure containers created by various encryption utilities (Cryptra, CryptoNG, PowerKey, etc.) to the list of targeted resources. The ransomware scans all folders except:

  • Windows
  • Program Files
  • Program Files (x86)
  • ProgramData
  • System Volume Information
  • Temp

Protection

The usual advice applies to stay clear of ransomware:

  • Disable Flash, or at least enable it on demand
  • Keep your browser up to date
  • Don’t click on executable files received by email, simply don’t!
  • Don’t click on .js files, unless you’re a frontend developer of course

Customers using ReaQta-core are natively protected from this ransomware: the AI correctly detects the infection stage and blocks Bandarchor before any malicious action can be performed:

[Image: Bandarchor ransomware infection, ReaQta-Core AI detection]

An additional layer of protection is provided by the data protection layer, which keeps data safe in any case:

[Image: Bandarchor ransomware file access, ReaQta-Core data protection layer in action]

C&C Servers

This is the list of all the different email addresses and the related C2 servers retrieved during the tracking of the campaign.


MD5 hashes

The list of MD5 hashes retrieved during the campaign monitoring:


ReaQta