TBHRanso Ransomware

The TBHRanso Ransomware is an encryption ransomware Trojan that cybercrooks use to make the victims' files inaccessible. PC security researchers first observed the TBHRanso Ransomware on November 22, 2017. Threats like the TBHRanso Ransomware are typically delivered to victims through the use of spam email messages (although there are a variety of other ways in which these threats can be delivered to the victims). Victims of this attack will receive an email message that contains a file attachment or embedded link initially. The messages are often written to resemble legitimate messages from known companies such as Facebook, PayPal or Amazon. The victim will be prompted to open the attached file, which may take the form of a Microsoft Word document or PDF file. This file will use a corrupted macro script to download and install threats like the TBHRanso Ransomware onto the victim's computer.

The TBHRanso Ransomware will Prevent Access to Your Files

It does not seem that the TBHRanso Ransomware is the work of a sophisticated hacker. The TBHRanso Ransomware is a variant of HiddenTear, an open source ransomware engine that is available on the Dark Web freely. Unfortunately, HiddenTear variants carry out an effective ransomware attack, encrypting the victim's files and then demanding a ransom payment. The TBHRanso Ransomware, in its attack, will target the user-generated files, which can include music, videos, and numerous document types. The TBHRanso Ransomware will mark the files encrypted by the attack by changing their file extension to '.locked,' which is added to the end of each affected file's name. Once the TBHRanso Ransomware finishes encrypting a file, it will no longer be readable and will appear as a blank icon on the Windows Explorer. Some of the file types that are targeted in attacks like the TBHRanso Ransomware include:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.

Dealing with a TBHRanso Ransomware Infection

After the TBHRanso Ransomware encrypts the victim's files, it delivers a ransom note, which demands payment from the victim. This ransom note is contained in a text file named 'READ_IT.txt' that is dropped on the infected computer's desktop. The TBHRanso Ransomware ransom note is opened by the victim's default text editor (usually a Microsoft's Notepad application), and contains the following text:

'This computer has been hacked
Your personal files have been encrypted. Send me 100$ BTC to (1MMphN2Rc5xCf4TGTVXQ6B8VSbYdQyCgYS) to get decryption passcode. After that, SEND ME YOUR (PC NAME) TO TBHRanso@protonmail.com, you'll be able to see your beloved files again.
With love… TBHRanso Virus :')'

It is clear from the ransom note and its delivery method, that the people responsible for the TBHRanso Ransomware are not particularly sophisticated. This makes it unlikely that the cybercrooks are equipped to help computer users restore their files after the victim pays the ransom or contacts them via email. Establishing contact with these people is highly unsafe. Instead, take preemptive steps to make sure that your data is safe. The best way to deal with these attacks is to restore the files from a backup copy contained on the cloud or an external device.

SpyHunter Detects & Remove TBHRanso Ransomware