Banjo Ransomware

What is Banjo Ransomware?

Banjo Ransomware could have been executed without your knowledge. However, you could have executed it yourself too. Cybercriminals behind ransomware often use spam emails and inconspicuous downloaders to introduce Windows users to the malicious launchers. Of course, that is done covertly, and to trick targets into clicking on file attachments or running a bundled installer, they usually offer something impossible to ignore. For example, a misleading spam email could suggest that the attached document contains a discount code, and a downloader might suggest that it contains a free installer of an otherwise expensive piece of software. Whatever tricks have been used to launch this malware on your operating system, your personal files must have been encrypted. So, how do you decrypt them? Unfortunately, that might be impossible to do. Even if that is the case, you still need to remove Banjo Ransomware.

How does Banjo Ransomware work?

It appears that Banjo Ransomware is part of the well-known Phobos Ransomware family, to which Chinz Ransomware, Calix Ransomware, Devil Ransomware, and other threats belong as well. It looks like the malware code can be sold to anyone, and so it is likely that different attackers could be behind the different variants of the Phobos malware. Of course, just like all other clones, Banjo Ransomware uses a unique encryption key to corrupt your personal files. This is why this malware is not yet decryptable. It also attaches a unique extension to the files’ names (“.id[{number}].[mutud@airmail.cc].banjo”) to ensure that you spot the corrupted files right away. The attackers want you to understand the damage quickly so that their ransom notes would make sense. One of them is called “info.txt,” and if you open it, you can find a message instructing you to email mutud@airmail.cc or krasume@tutanota.com or to contact the attackers via Telegram @krasume. The second ransom note is represented via the file named “Info.hta.”

The .hta file is responsible for launching a window as soon as Banjo Ransomware is done encrypting your personal files. The message displayed via this window also lists the same contact details that you are supposed to use to communicate with the attackers. And why should you do that? According to the message, you need a “tool that will decrypt all your files,” and to get this tool, you need to pay a ransom in Bitcoin. The payment method and the sum of the ransom are not revealed, and so some victims are likely to be tricked into contacting the attackers. Hopefully, you have not done that yet; otherwise, you might have doomed yourself to an unstoppable attack via your inbox. Even if you block the attackers’ email addresses, they will build new ones. Most importantly, you will not get your files back by paying the ransom anyway, and so there is no point in exposing yourself like that. Note that although you might be unable to decrypt the files, after you delete Banjo Ransomware, you might still be able to replace them with backup copies.

How to remove Banjo Ransomware

Does the manual Banjo Ransomware removal guide below seem intimidating? There is no doubt that deleting any kind of malware is a complicated task, but when it comes to ransomware, things get even trickier. If you are unable to identify and erase all malicious files, there is no point in wasting your time. The Anti-Spyware-101.com research team recommends installing anti-malware software instead. It will simultaneously secure your system – which is extremely important, of course – and it will also automatically delete all malware components. Afterward, you might be able to replace the corrupted files with backup copies. Do you have such copies stored online, on other devices, or on external drives? Hopefully, you do. If you do not, make sure you secure your files in this manner in the future. Needless to say, even if your system is fully protected and you have copies of all files placed somewhere safe, you still need to practice safe browsing. Do not forget that.

Removal Instructions

  1. Right-click and Delete the ransom note file named info.txt (location unknown).
  2. Simultaneously tap Windows+E keys to access the File Explorer.
  3. Enter the following lines into the quick access field one by one and right-click and Delete a malicious {unknown name}.exe file and also the ransom note file named Info.hta:
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %HOMEDRIVE%
    • %LOCALAPPDATA%
    • %USERPROFILE%\Desktop\
  4. Exit File Explorer and then simultaneously tap Windows+R keys to access Run.
  5. Enter regedit into the dialog box and click OK to launch the Registry Editor.
  6. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  7. Right-click and Delete the {random name} value that is linked to the ransomware file.
  8. Go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  9. Right-click and Delete the {random name} value that is linked to the ransomware file.
  10. Exit Registry Editor and quickly Empty Recycle Bin.
  11. Install a malware scanner and run a full system scan to look for leftovers.
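The steps above are manual. As an added triage aid that is not part of the original guide and not a tool of Anti-Spyware-101.com, the following PowerShell script inventories the same locations the instructions name: it counts files whose names carry the “.id[{number}].[mutud@airmail.cc].banjo” extension pattern, lists any .exe or .hta files sitting in the startup folders from step 3, and prints the values under the two Run keys from steps 6 and 8. It only reports; it deletes nothing, so you can review what it finds before carrying out the removal steps. It assumes an elevated PowerShell session on the affected Windows host, and the function names are this example's own.

```powershell
# Added triage script (not from the original article). Read-only: reports
# findings for review, never deletes. Assumed: elevated PowerShell on the
# affected host.

# Extension pattern quoted in the article: .id[{number}].[mutud@airmail.cc].banjo
$BanjoPattern = '\.id\[[^\]]+\]\.\[mutud@airmail\.cc\]\.banjo$'

# Locations from step 3 of the removal instructions (searched one level deep)
$StartupFolders = @(
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:HOMEDRIVE\",
    "$env:LOCALAPPDATA",
    "$env:USERPROFILE\Desktop"
)

# Run keys from steps 6 and 8 of the removal instructions
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Recursively find files whose name ends in the Banjo extension pattern
function Get-BanjoEncryptedFiles {
    param([string[]]$Roots = @($env:USERPROFILE))
    foreach ($root in $Roots) {
        if (Test-Path -LiteralPath $root) {
            Get-ChildItem -LiteralPath $root -File -Recurse -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -match $BanjoPattern }
        }
    }
}

# List .exe and .hta files in the startup locations named by the guide
function Get-StartupExecutables {
    foreach ($folder in $StartupFolders) {
        if (Test-Path -LiteralPath $folder) {
            Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue |
                Where-Object { @('.exe', '.hta') -contains $_.Extension.ToLower() } |
                Select-Object FullName, Length, LastWriteTime
        }
    }
}

# Enumerate autorun values (skipping the PS* provider properties)
function Get-RunKeyEntries {
    foreach ($key in $RunKeys) {
        if (Test-Path -LiteralPath $key) {
            $props = Get-ItemProperty -LiteralPath $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -notlike 'PS*') {
                    [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
                }
            }
        }
    }
}

$encrypted = @(Get-BanjoEncryptedFiles)
Write-Host ("Files with the Banjo extension pattern under {0}: {1}" -f $env:USERPROFILE, $encrypted.Count)
$encrypted | Select-Object -First 10 -ExpandProperty FullName

Write-Host "`n.exe / .hta files in the startup locations from step 3:"
Get-StartupExecutables | Format-Table -AutoSize

Write-Host "Run key values (review any {random name} value pointing at an unfamiliar .exe):"
Get-RunKeyEntries | Format-Table -AutoSize
```

The Run key listing shows every value, not only the malicious one, because the guide itself only says the value has a random name; compare each Command path against software you recognise, and treat a value whose path lands in one of the startup folders above as the candidate for step 7 or 9. Widen the `-Roots` argument of `Get-BanjoEncryptedFiles` to other drives if you need to scope how much was encrypted before restoring from backups.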
