
Banhu Ransomware

The Banhu Ransomware is a file-locking Trojan that's a member of Phobos Ransomware's family. The Banhu Ransomware attacks will block most media files on Windows computers to extort ransoms from any victims for the recovery service. Users can remove the Banhu Ransomware most efficiently by scanning their PCs with dedicated security software before recovering any files from previous backups.

A Program Blocking Data with Each Pluck of a String

The Phobos Ransomware, sometimes forgotten next to more numerous families of file-locker Trojans, is still an active part of 2020's threat landscape for extorting money through encryption attacks. Like its most recent addition, the Banhu Ransomware, this family's members are easily mistaken for variants of the more recognizable Globe Ransomware or Globe Imposter Ransomware groups. Visual similarities aside, this fear-themed Trojan family's variants are equally threatening and can keep Windows users' files under permanent lock-and-key.

The Banhu Ransomware may take its name from a Chinese stringed instrument. However, most family members don't use such a regionally-specific theme (for comparison, see also: the 1500dollars Ransomware, the Eight Ransomware, the EKING Ransomware, or the Adage Ransomware). The Trojan targets Windows environments and blocks files of widely-used formats like documents or images from opening by encrypting them securely.

Malware researchers continue to report the following supplemental attacks in Banhu Ransomware infections:

  • Deleting Shadow Copies (Restore Points)
  • Disabling the Windows Firewall
  • Suppressing boot-up warning messages
  • Disabling Windows Automatic Repair

It accomplishes most of the above through shell commands, keeping with the living-off-the-land minimalism that's popular among modern file-locker Trojans.
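The four side effects listed above all leave process-creation traces that a defender can alert on. The following detector is an added example, not code from the page or from any security vendor: it parses constructed Sysmon-style process-creation records (image, command line, parent image), matches the command lines against the built-in Windows utilities that produce each of the four effects (vssadmin/wmic for shadow copies, netsh for the firewall, bcdedit for boot warnings and Automatic Repair; the exact command forms are my assumption, since the page names only the effects), and then correlates hits by parent process so that one unfamiliar executable triggering several of them in a row is escalated rather than each match being reported in isolation.

```python
import re

# Constructed sample records in a simplified "Image|CommandLine|ParentImage"
# layout (Sysmon Event ID 1 fields). The first four come from one suspicious
# parent; the last two are ordinary administrative use of the same tools.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet|C:\Users\alice\AppData\Local\Temp\invoice.exe",
    r"C:\Windows\System32\netsh.exe|netsh advfirewall set currentprofile state off|C:\Users\alice\AppData\Local\Temp\invoice.exe",
    r"C:\Windows\System32\bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures|C:\Users\alice\AppData\Local\Temp\invoice.exe",
    r"C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no|C:\Users\alice\AppData\Local\Temp\invoice.exe",
    r"C:\Windows\System32\vssadmin.exe|vssadmin list shadows|C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\netsh.exe|netsh advfirewall show allprofiles|C:\Windows\System32\cmd.exe",
]

# One rule per effect named in the article. The command patterns are an
# assumption about how the built-in utilities are invoked, not text from the page.
RECOVERY_INHIBITION_RULES = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    ],
    "firewall_disabled": [
        re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
        re.compile(r"\bnetsh(\.exe)?\s+firewall\s+set\s+opmode\s+(mode=)?disable", re.I),
    ],
    "boot_warnings_suppressed": [
        re.compile(r"\bbcdedit(\.exe)?\s+/set\s+.*?bootstatuspolicy\s+ignoreallfailures", re.I),
    ],
    "automatic_repair_disabled": [
        re.compile(r"\bbcdedit(\.exe)?\s+/set\s+.*?recoveryenabled\s+no\b", re.I),
    ],
}


def parse_event(line):
    """Split one constructed record into its three fields."""
    image, command_line, parent = line.split("|", 2)
    return {"image": image, "command_line": command_line, "parent": parent}


def classify_command(command_line):
    """Return the names of every rule the command line matches (empty if benign)."""
    return [
        name
        for name, patterns in RECOVERY_INHIBITION_RULES.items()
        if any(p.search(command_line) for p in patterns)
    ]


def scan_events(lines):
    """Run every record through the rules; one finding per (record, rule) pair."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for technique in classify_command(event["command_line"]):
            findings.append(
                {
                    "technique": technique,
                    "parent": event["parent"],
                    "command_line": event["command_line"],
                }
            )
    return findings


def correlate_by_parent(findings, threshold=2):
    """Group findings by parent process and keep only parents that triggered
    at least `threshold` distinct techniques. A single `vssadmin list` from
    cmd.exe never reaches the threshold; a dropper that wipes restore points,
    disables the firewall and rewrites boot settings does."""
    techniques_by_parent = {}
    for finding in findings:
        techniques_by_parent.setdefault(finding["parent"], set()).add(finding["technique"])
    return {
        parent: sorted(techs)
        for parent, techs in techniques_by_parent.items()
        if len(techs) >= threshold
    }


if __name__ == "__main__":
    for parent, techniques in correlate_by_parent(scan_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {parent}: {', '.join(techniques)}")
```

In a real deployment the parent-image correlation would be keyed on the parent process GUID rather than its path, and the threshold could be lowered to one for any parent outside the usual administrative tooling; the structure stays the same.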

Silencing the Sounds of Criminal Intent against Files

The Banhu Ransomware offers a very standard ransoming procedure for restoring the victim's files through HTA and TXT ransom notes and related credentials that it inserts into the files' names as additional extensions. Users should remain cautious while interacting with threat actors, even for 'free' samples, which may be tactics for further attacks against their PCs. Paying for decryption should be the last resort, and most users should have appropriate backups on other devices for free recovery.

Infection vectors for this family can differ between threat actors. Admins should always use strong passwords that resist the usual brute-force attacks of black hat tools and keep software patched to remove vulnerabilities like remote code execution flaws. More personally, users should avoid downloading e-mail attachments without verifying their safety and limit the use of risky features like macros, Flash and JavaScript. Illicit file-sharing behavior also correlates strongly with exposure to these threats.

While its encryption is unbreakable by third parties, most anti-malware products can block and delete the Banhu Ransomware and other versions of the Phobos Ransomware group.

There's never a totally safe time to take one's eye off even the smallest of file-locker Trojan families. As Phobos Ransomware offspring like the Banhu Ransomware stay in business, everyone on Windows without backups has reason to be afraid.
