Threat description


Category: Malware
Type: Trojan
Platform: W32
Aliases: BandarChor, Trojan:W32/BandarChor.A, Trojan:W32/BandarChor.B


Trojan:W32/BandarChor is ransomware that steals control of the user's machine or data, then demands a payment from the user to restore normal access to the ransomed content or system.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

Further action

If the ransomware uses encryption to take files or an entire system hostage, the encryption may be sufficient to make it very difficult to decrypt the files without the necessary decryption key.

In such circumstances, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a backup.

Technical Details

The BandarChor ransomware is reportedly distributed via email and exploit kits. On execution, the malware drops a copy of itself and the ransom notification image (below) into the Startup directory.

Screenshot of BandarChor ransom message

It then attempts to encrypt various file types (DOC, XLS, JPG and so on) and rename them using the formula [filename].id-[ID] The affected machine's computer name and ID are then reported to a remote location.

For more information, please see:


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More