Discovered by Jakub Kroustek, BandarChor is a new variant of the high-risk ransomware called CryptFile2. Once infiltrated, BandarChor encrypts most stored data, making it impossible to use. During the encryption process, BandarChor adds the extension "id-[ID_of_victim]-[].pip" to file names.

For example, "sample.jpg" can be renamed to a file name such as "[].pip". Once the data is encrypted, BandarChor opens a pop-up window containing a ransomware message.

The message informs victims of the current situation: the data is encrypted and can only be restored with a unique decryption key. Unfortunately, this information is accurate. It is currently unknown which cryptography (symmetric or asymmetric) BandarChor uses. In any case, decryption requires a unique key generated individually for each victim.

All keys are stored on a remote server controlled by the cybercriminals (the developers of BandarChor). Each victim must pay a ransom to obtain their keys. The cost is not specified - all information is provided via e-mail. Note, however, that cybercriminals usually ask for between 0 and ,500 in bitcoin, Monero or another crypto-currency.