F-Secure recently reported on BandarChor, a new player in the field of ransomware. The SenseCy team that analyzed the so-called new malware was intrigued by some of its characteristics. Further analysis revealed that BandarChor is another variant of Ebola Virus, ransomware we reported on in October 2014.
Brief Review of BandarChor (according to F-Secure)
First documented infections – November 2014
Spreading platform/method – Malicious emails or distribution by exploit kits
Capabilities – Upon execution, the ransomware encrypts multiple files on the infected machine. Afterwards the files are renamed to [original_file_name].id-[ID]firstname.lastname@example.org.
The Link Connecting BandarChor with Ebola Virus
BandarChor’s “file name modification” attribute caught our attention, as SenseCy had already encountered ransomware with a very similar modus operandi. In a blog post in October 2014, we reported on Ebola Virus, a new ransomware whose victims were mainly in Russia. Based on our research, we believe that Ebola and BandarChor are variants of the same ransomware, although with slight differences. This is because both use the same file name modification after encryption. BandarChor renames files to [filename].id-[ID]email@example.com, while one of the previously discovered Ebola variants changes file names to firstname.lastname@example.org, indicating that the attackers were using the same domain.
BandarChor / Ebola Ransomware Evolution as Observed by SenseCy
SenseCy first encountered Ebola malware in a discussion on VKontakte, a very popular Russian social network. One of the participants uploaded a sample of the virus that had infected his computer. The sample that we examined was received by the victim in an email that contained a malicious link. Clicking the link initiated downloading of an RAR archive, and unzipping the archive encrypted all files stored on the PC that had the extensions .pdf, .doc, .docx, .xls, .xlsx, .jpg, or .dwg. After that, the filenames were changed to *email@example.com. According to an infected user, to recover the files on the PC, he had to send an email to help[at]antivirusebola.com, and he was subsequently instructed to pay one bitcoin to a certain address.
We conducted a further investigation on the Russian-speaking web that revealed many other reports of Ebola virus infections. In most of the cases, the malicious link was sent through an email, allegedly from the tax authorities or traffic police.
The ransomware was reported on several security firm forums (such as Kaspersky, Symantec, and Dr.Web), and later in November, was included in TrendMicro’s threat encyclopedia under TROJ_CRYPAURA.A (with a decryption solution).
According to Russian security firm Dr.Web, the the Ebola virus first appeared on August 20, though a slightly different version has been distributed since August 7 that changes the file names to firstname.lastname@example.org or email@example.com. All three versions are probably variants of the same malware, identified by Dr.Web as Trojan.Encoder.741, and were coded by a Russian nicknamed Korrektor (presumably the author of other ransomware as well). The malware is written in Delphi language, packed with an Armadillo packer, and encrypted with the AES-128 algorithm.
Additional Variants of this Ransomware
After performing additional research, we discovered more formats of this ransomware. In most cases, it is disguised in an email allegedly from the tax authorities, courts, or the like. Here is a list of email addresses identified as being connected to this ransomware (according to a Russian cyber security blog):
In conclusion, this case study demonstrates the importance of near-real-time cyber intelligence. By identifying future threats and notifying our customers in advance, we can help them to protect themselves before the threat can be detected by traditional security systems.