Bandarchor targets Windows OS and is distributed via the Neutrino exploit kit and through malicious email attachments. The first stage of a Bandarchor infection is the download of a dropper encrypted with a custom crypter. The second stage is the decryption of the crypter. Bandarchor then injects a copy of itself into the system's memory and begins encrypting the victim's files using AES-256. Bandarchor makes HTTP POST requests to its C2 server in order to retrieve encryption keys. All files encrypted by Bandarchor display the following file extension format: .id-[ID]_[EMAIL_ADDRESS]. The email address displayed in the filenames is that of the attacker behind the campaign. The ransom payment demand for Bandarchor is currently unknown.
- ReaQta provides more information about Bandarchor here.
- The NJCCIC is not currently aware of any decryption tools available for Bandarchor.
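The renamed-file pattern above is the most visible host-side indicator of a Bandarchor infection. The following script is an added example (not code from the NJCCIC profile or from ReaQta) that parses a directory listing for names of the form `<original>.id-[ID]_[EMAIL_ADDRESS]`, extracts the victim ID and attacker email, and summarises how many files share them. It assumes the ID contains no underscore, so the first underscore after `id-` separates the ID from the email; the sample listing and the `attacker@example.com` address are constructed placeholders, not real indicators.

```python
import re
from collections import Counter

# Filename pattern for files encrypted by Bandarchor, as described in the profile:
#   <original name>.id-[ID]_[EMAIL_ADDRESS]
# Assumption: the ID contains no underscore, so the first "_" after "id-"
# separates the victim ID from the attacker's email address.
BANDARCHOR_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[^_/\\]+)_(?P<email>[^@\s/\\]+@[^@\s/\\]+)$"
)


def parse_bandarchor_name(filename):
    """Return (original_name, victim_id, email) if the name matches, else None."""
    m = BANDARCHOR_RE.match(filename)
    if not m:
        return None
    return m.group("original"), m.group("victim_id"), m.group("email")


def scan_filenames(filenames):
    """Summarise a listing: matched files plus counts per victim ID and email.

    Many files carrying the same ID/email pair is the signal a responder wants:
    it distinguishes a mass-encryption event from a single odd filename.
    """
    hits = []
    ids = Counter()
    emails = Counter()
    for name in filenames:
        parsed = parse_bandarchor_name(name)
        if parsed is None:
            continue
        original, victim_id, email = parsed
        hits.append({"file": name, "original": original, "id": victim_id, "email": email})
        ids[victim_id] += 1
        emails[email] += 1
    return {"hits": hits, "ids": dict(ids), "emails": dict(emails)}


# Constructed sample directory listing (not real indicators); the email is a placeholder.
SAMPLE_LISTING = [
    "Q3_budget.xlsx.id-1234567890_attacker@example.com",
    "photo.jpg.id-1234567890_attacker@example.com",
    "notes.txt",
    "README.id-1234567890_attacker@example.com",
    "archive.tar.gz",
]

if __name__ == "__main__":
    result = scan_filenames(SAMPLE_LISTING)
    print(f"{len(result['hits'])} file(s) match the Bandarchor naming pattern")
    for hit in result["hits"]:
        print(f"  {hit['file']} -> original={hit['original']} id={hit['id']} email={hit['email']}")
    print("victim IDs seen:", result["ids"])
    print("attacker emails seen:", result["emails"])
```

Run it against the output of a recursive directory walk (or a file-server audit export) to scope which hosts and shares were touched; the recovered original names and the single shared ID also make it straightforward to list what needs restoring from backup.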