Banta Ransomware - How to remove

Banta is recognized by “.banta” extension appended to the names of files locked by this malware. The virus is one that employs cryptographic algorithms to go through your data and edit each file by scrambling the data. It’s very similar to Adame, Help, and other members of the Phobos family and is a part of the active and even growing threat of ransomware.

Banta is dangerous to individual PC users, however, it’s mostly targeted at small businesses and demands appropriately high sums of money. The virus is even manually installed on attractive targets after hacking poorly-protected Remote Desktop connections — at which point almost no anti-malware protection works. And with how harmful ransomware is, such lack of protection could be devastating.

Can you restore the files?

There are some ransomware infections which are wipers — they fill the data with zeroes or other meaningless data and pretend that the data was encrypted, hoping that the victims will trust the developers of the malware and pay the ransom after all. Banta is more sophisticated — it’s a variant of Phobos — but it may as well be a wiper. Phobos has not been decrypted yet, which means that Banta is not decryptable, either.

In principle, cryptography secures data by obfuscating it — hiding the meaning even when the content is exposed. That’s why your files are still on your disk and you can even open them in a hex editor and see the Phobos markers. You can even see parts in large files that aren’t encrypted. But the files are still nonfunctional.

What gives cryptographic algorithms their security is the complexity of the decryption keys. It would be nice of the encryption for Banta could be cracked somehow. After all, some other cryptoviruses have been fully or partially cracked, such as GandCrab or Dharma (some versions). But if the encryption is done properly, cracking each case needs to be done individually and isn’t practically possible.

It is true that, with a decryption key, you could restore your data. But the key is only known to the criminals and to get a working decryption tool you’d probably have to pay a few thousands of dollars in Bitcoin. And the victims constantly complain that the extortionists are very slow to reply, or that the email account gets deactivated, which makes getting the decrypter difficult.

There do exist scammer distributors who are even worse than normal cryptoextortionists — some people distribute cryptoviruses with no intention of decrypting the files, they just collect the ransom payments, so it’s also important to make sure that your virus doesn’t ask you to contact a known scammer. Not to imply that Banta’s developers aren’t scammers, after all, they are committing a crime by holding your files for ransom.

How to remove Banta ransomware

Usually, modern ransomware removes itself after it has done its job, but Phobos stays around and keeps encrypting any new files that you create. Trying to use your computer while it’s still infected with Banta is going to be frustrating. So, getting rid of the infection is crucial. You can use a professional antivirus tool, like Spyhunter, to find Banta and remove it.

Automatic Malware removal tools

How to avoid ransomware

Going forward, you should secure your computers against the most common types of attacks that distributors of Banta and other ransomware employ:

• Remote Desktop hacks — use strong passwords, don’t allow just anyone to attempt to connect.
• Spam email — be aware of macro viruses, don’t trust unexpected urgent emails.
• Malicious ads — install security updates as they come out.
• Infected files — download programs only from official sources.

RDP is used by targeted attacks by the criminals when they specifically log on the victim’s computer and inject Banta. They try to guess the login credentials thousands of times until they succeed. After they do, they install software that stops the antivirus programs that are protecting the computer. Almost no anti-malware can protect you from Banta and other threats if your RDP is not properly protected, except or backups.

Banta can arrive on emails, which are not necessarily targeted. In this case, the victim only needs to open the attached file and, in some cases, enable the macros in a document — and the virus starts.

Malicious ads take you to an infected website and scan you for known vulnerabilities, which is why having up-to-date software is a good defense.

Infected files are a big threat to pirates, as well as people just trying to download freeware and accidentally using a spoofed website.

Careful, secure browsing could help avoid Banta and other malware, but it won’t always. Good anti-malware solutions will also help. But having complete and secure backups might be the best solution.

How to recover Banta Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Banta Ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Banta Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Banta Ransomware. You can check other tools here.  

Step 3. Restore Banta Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Banta Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Banta Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.