FacebookTwitterLinkedIn

BaN (.BaN) ransomware virus - removal and decryption options

Also Known As: BaN virus
Type: Ransomware
Damage level: Severe

Tomas Meskauskas Written by on

What kind of malware is BaN?

BaN is ransomware belonging to the Xorist family. This variant has been identified during the examination of samples uploaded to VirusTotal. BaN is created to encrypt files. Additionally, BaN appends the ".BaN" extension to filenames, displays, and creates a ransom note (an error message and the "HOW TO DECRYPT FILES.txt" file).

An example of how files encrypted by BaN are renamed: "1.jpg" is changed to "1.jpg.BaN", "2.png" to "2.png.BaN", etc.

Screenshot of files encrypted by this ransomware:

Files encrypted by BaN ransomware (.BaN extension)

BaN ransom note overview

The note begins with a statement that all of the victim's files have been encrypted. The primary demand is for the victim to pay 0.03 bitcoins to regain access to their files. The provided Bitcoin address is where the ransom must be sent. After making the payment, the victim is instructed to contact the attacker via banuda@tuta.io or banuda@skiff.com using a specific subject line.

The note promises that once the payment is confirmed, the victim will receive a decryptor and decryption keys to regain access to their files. The note warns against attempting other decryption options, emphasizing that only the keys generated for the victim's server can decrypt the files.

More details about ransomware

It is important to note that paying the ransom does not guarantee the return of the files. Unfortunately, it is rarely possible to decrypt files without the interference of cybercriminals. Looking for third-party decryption tools online or recovering files from backups are typically the only free ways to recover files.

Running a system scan using a reputable security tool and removing ransomware is also important. This prevents ransomware from causing more damage (encrypting more files and spreading over a local network).

Ransomware in general

This malicious form of cyber attack encrypts files, rendering them inaccessible until a ransom is paid to the attackers, often in cryptocurrency. Despite the promise of decryption tools upon payment, victims are not guaranteed to regain access to their data.

Prevention measures, such as regular backups, robust cybersecurity practices, and user awareness, are crucial in mitigating the risks associated with ransomware.

More examples of ransomware variants are Mesmerised, PatchWorkApt, and 3000USDAA.

How did ransomware infect my computer?

Computer infections commonly occur when users install applications (or run files) obtained from untrustworthy origins, such as unofficial websites, P2P networks, third-party downloaders, free file hosting platforms, unofficial app stores, and similar sources.

Another avenue through which computers fall prey to infections involves the exploitation of weaknesses in software or operating systems. Failure to update software leaves users susceptible to cybercriminals who exploit well-known vulnerabilities, gaining entry and injecting malicious software.

Furthermore, systems can be infiltrated by malware through the utilization of pirated software, cracking tools, key generators, and interactions with deceitful advertisements.

Threat Summary:
Name BaN virus
Threat Type Ransomware, Crypto Virus, Files locker
Encrypted Files Extension .BaN
Ransom Demanding Message Error message, HOW TO DECRYPT FILES.txt
Free Decryptor Available? No
Ransom Amount 0.03 BTC
BTC Wallet bc1qh9a50kaccf2xjutqhmufgrx2s7ycg8rqajdj6r
Cyber Criminal Contact banuda@tuta.io, banuda@skiff.com
Detection Names Avast (Win32:Filecoder-M [Trj]), Combo Cleaner (Trojan.Ransom.AIG), ESET-NOD32 (Win32/Filecoder.Q), Kaspersky (Trojan-Ransom.Win32.Xorist.lk), Microsoft (Ransom:Win32/Sorikrypt.A), Full List Of Detections (VirusTotal)
Symptoms Cannot open files stored on your computer, previously functional files now have a different extension (for example, my.docx.locked). A ransom demand message is displayed on your desktop. Cyber criminals demand payment of a ransom (usually in bitcoins) to unlock your files.
Additional Information BaN is part of the Xorist family
Distribution methods Infected email attachments (macros), torrent websites, malicious ads.
Damage All files are encrypted and cannot be opened without paying a ransom. Additional password-stealing trojans and malware infections can be installed together with a ransomware infection.
Malware Removal (Windows)

To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.
▼ Download Combo Cleaner
To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

How to protect yourself from ransomware infections?

Exercise caution when downloading software or files by exclusively using trusted sources such as official websites or reputable app stores. Refrain from clicking on suspicious email links or opening attachments from unknown senders. Regularly updating your software and operating system is equally essential.

Also, utilize reputable antivirus and anti-malware software and conduct regular system scans. Practicing safe browsing habits, such as avoiding pirated software, cracking tools, and suspicious advertisements, further reduces the risk of encountering malware and enhances overall computer security.

If your computer is already infected with BaN, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate this ransomware.

Screenshot of BaN's text file ("HOW TO DECRYPT FILES.txt"):

BaN ransomware text file (HOW TO DECRYPT FILES.txt)

Text in the ransom note (text file and error message):

Hello

All your files have been encrypted
if you want to decrypt them you have to pay me 0.03 bitcoin.

Make sure you send the 0.03 bitcoins to this address:
bc1qh9a50kaccf2xjutqhmufgrx2s7ycg8rqajdj6r

If you don't own bitcoin, you can easily buy it from these sites:
www.coinmama.com
www.bitpanda.com
www.localbitcoins.com
www.paxful.com

You can find a larger list here:
hxxps://bitcoin.org/en/exchanges

After sending the bitcoin, contact me at this email address:
banuda@tuta.io or banuda@skiff.com
with this subject: -
After the payment has been confirmed,
you will get decryptor and decryption keys!

You will also receive information on how to defend against another ransomware attack
and the most important thing is your security hole through which we entered.

Attention!
Do not try other cheaper decryption options because nobody and nothing can
decrypt your files without the keys generated for your server,
you will lose time, money and your files forever!

Screenshot of BaN's error message:

BaN ransomware error pop-up

BaN ransomware removal:

Instant automatic malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
 ▼ DOWNLOAD Combo Cleaner By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

{loadposition position31

Frequently Asked Questions (FAQ)

How was my computer hacked and how did hackers encrypt my files?

Cybercriminals use various ways to trick users into infecting computers. Typically, users inadvertently infect systems through actions like downloading from untrustworthy sources, such as unofficial websites or P2P networks, clicking on suspicious email links or attachments, neglecting software updates, using pirated software, or clicking malicious advertisements.

How to open ".BaN" files?

Your files have been encrypted due to a ransomware infection, and to regain file access, a decryption process is necessary.

Where should I look for free decryption tools for BaN ransomware?

In case of a ransomware attack you should check the No More Ransom project website (more information above).

I can pay you a lot of money, can you decrypt files for me?

We do not offer this service. Decrypting files encrypted by ransomware is usually only possible with the intervention of developers or operators unless there is a flaw in the ransomware itself. Therefore, a third party claiming to provide paid decryption will likely act as an intermediary or try to deceive you.

Will Combo Cleaner help me remove BaN ransomware?

Combo Cleaner will thoroughly scan your computer and eradicate any active ransomware infections. Employing an antivirus program is an initial measure in ransomware recovery. However, security software is not capable of decrypting the files that have been encrypted.

▼ Show Discussion

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

How to prevent against infection
New Removal Guides
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Top Removal Guides
QR Code
BaN virus QR code
Scan this QR code to have an easy access removal guide of BaN virus on your mobile device.
We Recommend:

Get rid of Windows malware infections today:

▼ REMOVE IT NOW
Download Combo Cleaner

Platform: Windows

Editors' Rating for Combo Cleaner:
Editors ratingOutstanding!

[Back to Top]

To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.