Bandarchor is a ransomware family first identified at the end of 2014 that seemed to almost disappear halfway through 2015. Somewhat to our surprise, we have found it to be alive and well, and with a very low detection rate: lately we have been receiving help requests from companies infected by a ransomware that did not appear to belong to the known triad of CryptoLocker, CryptoWall and TeslaCrypt, and we decided to investigate what appears to be a new campaign using a new variant.
Size: 382.464 bytes
The sample we are going to analyse had a detection rate of just 4/55 on the 3rd of March 2016:
All the samples retrieved from this campaign share the same information as shown below:
Bandarchor is spread through email attachments or exploit kits hosted on compromised websites. The initial stage is a dropper protected with a custom crypter. Once the decryption stage is complete, the code is injected into an in-memory copy of the process itself; after the main thread is resumed the payload starts and the ransomware encryption process begins. The initially running process is a UPX-packed executable which, after unpacking, turns out to be a Delphi executable.
After running, the ransomware checks for a hardcoded mutant (91ce0127-5e15-4b9a-aa4d-5dab8efc4916) to determine whether the system has already been infected. If it has not, we observe an HTTP POST request to a C2 server (intelligence1938[.]com for this sample), used to retrieve the encryption keys from the server:
The traffic patterns and the sample's behaviour are consistent with previously identified Bandarchor samples, of which this campaign appears to be using a new variant. The request format is the same as previously recorded with old samples:
where the [EXTENSION_OF_ENCRYPTED_FILE] matches the following criteria:
After the encryption process is completed on a given file, that file is renamed:
When the overall encryption process is completed, the ransom payment information is shown to the user through the usual ransom note picture.
The encryption algorithm and key length are unchanged from previous versions (AES 256-bit). However, code analysis shows one small difference from previous variants: the number of bytes encrypted per file is now 16000, whereas older samples encrypted the first 30000 bytes of each file.
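As an added example (not part of the original analysis or of ReaQta's tooling), the following triage script lets an incident responder tell which variant touched a recovered file: it measures the entropy of the first 16000 bytes, of the next 14000 and of the remainder, since only the encrypted prefix should look random. The 16000/30000 figures come from the analysis above; the entropy threshold, the minimum segment size and the sample document are assumptions.

```python
import math
import random
from collections import Counter

# Bytes encrypted at the start of each file by the two variants (from the analysis above).
NEW_VARIANT_PREFIX = 16000
OLD_VARIANT_PREFIX = 30000
MIN_SEGMENT = 256    # assumption: shorter segments give unreliable entropy
HIGH_ENTROPY = 7.5   # assumption: bits per byte; cipher output sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 at most)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(segment: bytes):
    """True/False for a usable segment, None when it is too short to judge."""
    if len(segment) < MIN_SEGMENT:
        return None
    return shannon_entropy(segment) >= HIGH_ENTROPY


def classify_prefix_encryption(data: bytes) -> str:
    """Triage one file: 'clean', 'new-variant-16000', 'old-variant-30000'
    or 'undetermined' (whole file random, or too little plaintext to compare)."""
    head = looks_encrypted(data[:NEW_VARIANT_PREFIX])
    mid = looks_encrypted(data[NEW_VARIANT_PREFIX:OLD_VARIANT_PREFIX])
    tail = looks_encrypted(data[OLD_VARIANT_PREFIX:])
    if head is None:
        return "undetermined"        # tiny file, nothing to measure
    if head is False:
        return "clean"               # start of file is still structured data
    if mid is False:
        return "new-variant-16000"   # only the first 16000 bytes are random
    if mid is True and tail is False:
        return "old-variant-30000"   # first 30000 random, plaintext after that
    # Natively high-entropy formats from the target list (.zip, .jpg, .vhd ...) land here.
    return "undetermined"


def simulate_prefix_encryption(data: bytes, prefix_len: int, seed: int = 1) -> bytes:
    """Constructed fixture: overwrite the first prefix_len bytes with random bytes
    to mimic the entropy profile of a partially encrypted file (not the real cipher)."""
    rng = random.Random(seed)
    n = min(prefix_len, len(data))
    return bytes(rng.getrandbits(8) for _ in range(n)) + data[n:]


SAMPLE_CLEAN = b"Quarterly report, section 1. Revenue grew modestly.\n" * 1800  # constructed ~90 kB text
```

Files that are random throughout (archives, images, disk images, or files shorter than the prefix) come back as undetermined and need a format-specific check instead.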
25 new target file extensions have been added in this new variant:
.001 .ace .bup .bvd .cng .cryptra .dco .enx .fdp .jac .jbc .kbb .nba .pkey .rzx .safe .sde .sgz .sle .sme .vhd .wallet .wbb .wbcat .win
in addition to the old ones:
.113 .1cd .3gp .73b .a3d .abf .abk .accdb .arj .as4 .asm .asvx .ate .avi .bac .bak .bck .bkf .cdr .cer .cpt .csv .db3 .dbf .doc .docx .dwg .erf .fbf .fbk .fbw .fbx .fdb .gbk .gho .gzip .iv2i .jpeg .jpg .key .keystore .ldf .m2v .m3d .max .mdb .mkv .mov .mpeg .nbd .nrw .nx1 .odb .odc .odp .ods .odt .old .orf .p12 .pdf .pef .ppsx .ppt .pptm .pptx .pst .ptx .pwm .pz3 .qic .r3d .rar .raw .rtf .rwl .rx2 .sbs .sldasm .sldprt .sn1 .sna .spf .sr2 .srf .srw .tbl .tib .tis .txt .wab .wps .x3f .xls .xlsb .xlsk .xlsm .xlsx .zip
So the authors have added wallet files and several secure containers created by various encryption utilities (Cryptra, CryptoNG, PowerKey, etc.) to the list of targeted resources. The ransomware scans all folders except:
- Program Files
- Program Files (x86)
- System Volume Information
The usual advice applies to stay clear of ransomware:
- Disable Flash or at least enable it on demand
- Keep your browser up to date
- Don’t click on executable files received by email, simply don’t!
- Don’t click on .js files, unless you’re a frontend developer of course
Customers using ReaQta-core are natively protected from this ransomware: the AI correctly detects the infection stage, blocking Bandarchor before any malicious action can be performed:
An additional layer of protection is provided by the data protection layer, which keeps data safe in any case:
This is a list of all the different email addresses and related C2 servers retrieved during the campaign's tracking.
The list of MD5 hashes retrieved during the campaign monitoring: