The BandarChor ransomware is reportedly distributed via email and exploit kits. On execution, the malware drops a copy of itself and the ransom notification image (below) into the Startup directory.
Screenshot of BandarChor ransom message
It then attempts to encrypt various file types (DOC, XLS, JPG and so on) and rename them using the formula [filename].id-[ID]email@example.com. The affected machine's computer name and ID are then reported to a remote location.
For more information, please see: