Tanos Ransomware - How to remove

Tanos has been classified as GlobeImposter 2.0. This virus is a file-locker that encrypts the data on the infected system, preventing the victim from accessing their own files.

Tanos is very similar to other GlobeImposter 2.0 variants, like Healforyou and IGAMI, though it’s not known exactly whether the distributors are the same people. Either way, they’re undoubtedly malicious because they try to rob people of money by withholding the fix for the corrupted files until they’re paid.

The best way to fix the situation is to restore the files from a backup, though the computer needs to have the malware removed before that. The instructions are at the bottom, as well as alternative options for restoring data.

What Tanos looks like

Tanos is named so because it gives the encrypted files the suffix “.tanos”. This looks like a file type, so Windows might hide it on systems that are configured to hide file extensions. Either way, the extension doesn’t matter as much as the inside of the Tanos files — being encrypted, they can’t be used. The only way to reverse the encryption is to know the algorithm that was used and have the decryption key; otherwise, the files may as well be gone.

GlobeImposter seems to sometimes use notes that are copied from other ransomware. In the folders that have had files encrypted, Tanos places how_to_back_files.html, read_for_restore_file.html, or similarly named ransom notes. In them, the criminals ask to be contacted on [email protected], [email protected], or other addresses (these change in different variants).
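To scope the damage using the indicators described above (the “.tanos” suffix and the two ransom-note names), the following added example, which is not part of the original article, walks a folder tree and reports affected folders plus the earliest modification time among encrypted files, which helps when choosing a backup or restore point that predates the infection. The function names and the sample tree are constructed for illustration, and it assumes a file's modification time approximates when it was encrypted.

```python
import os
import tempfile
from datetime import datetime, timezone

ENCRYPTED_SUFFIX = ".tanos"                  # suffix named on this page
NOTE_NAMES = {"how_to_back_files.html",      # note names from this page; other
              "read_for_restore_file.html"}  # variants may use different ones

def inventory(root):
    """Summarise encrypted files and ransom notes under root, per folder."""
    folders = {}     # folder path -> {"encrypted": count, "notes": [file names]}
    earliest = None  # oldest modification time among encrypted files
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            lower = name.lower()  # match case-insensitively, as Windows does
            if not (lower.endswith(ENCRYPTED_SUFFIX) or lower in NOTE_NAMES):
                continue
            entry = folders.setdefault(dirpath, {"encrypted": 0, "notes": []})
            if lower in NOTE_NAMES:
                entry["notes"].append(name)
                continue
            entry["encrypted"] += 1
            try:
                mtime = os.stat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue  # unreadable entry: counted, but no timestamp
            if earliest is None or mtime < earliest:
                earliest = mtime
    # Assumption: mtime approximates when the file was encrypted.
    first = datetime.fromtimestamp(earliest, tz=timezone.utc) if earliest is not None else None
    total = sum(e["encrypted"] for e in folders.values())
    return {"total_encrypted": total, "first_encrypted_utc": first, "folders": folders}

def build_sample_tree(root):
    """Constructed sample data: one affected folder and one clean folder."""
    samples = {"docs/report.docx.tanos": 1600000000, "docs/photo.jpg.tanos": 1600000500,
               "docs/how_to_back_files.html": 1600000600, "clean/notes.txt": 1500000000}
    for rel, mtime in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
        os.utime(path, (mtime, mtime))  # fixed timestamps for a repeatable result

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(inventory(tmp))
```

The script only reads file names and timestamps, so it can be pointed at a mounted copy of the affected drive without changing anything on it.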

The criminals behind Tanos shouldn’t be trusted, like all crypto extortionists. There are a few reasons why the ransom shouldn’t be paid:

  • Most GlobeImposter ransoms are very expensive, so most people can’t afford them anyway. Not to mention that some extortionists take the money and then demand more.
  • Based on statistics, files often do not get restored even after paying.
  • Paying finances future crypto extortion activities.
  • There is no guarantee that the infection won’t be repeated — in fact, some criminals mark those who pay and target them again.
  • It won’t help other victims. The decrypter is likely already known, but it’s useless without the decryption keys, and since those are unique to each infection, they’re useless to all the other Tanos victims.

.tanos virus, ransom note

How Tanos spreads

One way to get infected with Tanos is by way of malicious websites infecting your computer and downloading the virus automatically. This can happen as you click on a bad advertisement online or on a link that a random person sent to you on social media. Tanos can be downloaded and install itself on your system stealthily, using obfuscation to avoid being detected.

Spam emails have been observed spreading Tanos’ predecessors. The ransomware would be attached as a file, for example, an archive.

Tanos can also infect after the installation of some unrelated software — it could have been lurking in the installer, downloaded together and installed in the background. Pirated files are especially vulnerable, but legal freeware bundles could also be used.

The takeaway is that, to avoid Tanos and other ransomware, browsing habits and frequented websites are possibly even more important than whatever antivirus-protection you use. At the same time, malicious ads can infect legitimate websites and anyone can accidentally download a hacked version of a legitimate program, so having up-to-date software and real-time protection could absolutely save you from losing all of your data to Tanos.

Remove Tanos and restore the files

Restoring the files from a backup is the single best way to get the data back, but that’s only possible if you were prepared before the infection. Even if you weren’t, it’s not too late to start, so set up a backup system that’s convenient to you and resilient against infections.

Unfortunately, there is no way to decrypt the files locked by Tanos. If you wish to wait for a free decryption option, such as leaked master keys or a vulnerability found by cybersecurity experts, then feel free to keep the encrypted files because they are not dangerous.

Tanos is dangerous, though, and there might be some other malicious files hidden on the system, so scan your computer for malware using Spyhunter or some other professional anti-malware tool. Make sure that the computer is clean before you use it for anything, and check for corrupted files and settings.


How to recover Tanos Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the available Restore Points dated before Tanos Ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Tanos Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Tanos Ransomware. You can check other tools here.

Step 3. Restore Tanos Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, you may still be able to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Tanos Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Tanos Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
