BaN Ransomware Locks Most Files
BaN, a ransomware variant from the Xorist family, was detected during the analysis of new file samples. BaN encrypts files and appends the ".BaN" extension to their names. It delivers its ransom note in two forms: a pop-up error message and a text file named "HOW TO DECRYPT FILES.txt."
To illustrate the renaming of encrypted files: "1.jpg" becomes "1.jpg.BaN" and "2.png" becomes "2.png.BaN." The ransom note tells the victim that all their files have been encrypted and demands a payment of 0.03 bitcoins to restore access, supplying the Bitcoin address to pay. After paying, the victim is instructed to contact the attacker via banuda@tuta.io or banuda@skiff.com with a specific subject line.
The note assures the victim that upon confirmation of the payment, they will receive a decryptor and decryption keys to regain control of their files. It strongly advises against attempting alternative decryption methods, emphasizing that only the keys generated for the victim's server can successfully decrypt the files.
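The two host-level indicators the article reports, the appended ".BaN" extension and the dropped "HOW TO DECRYPT FILES.txt" note, are enough for a quick triage scan. The script below is an added example, not code from the article; it walks a directory tree, collects both indicators, recovers the original filenames from the renamed ones, and lists the affected directories so a responder can scope the impact. The sample tree it builds is constructed for the demo.

```python
"""Added example (not from the original article): a triage scan for the
BaN file-system indicators described above.

The article reports two indicators: encrypted files carry an appended
".BaN" extension (e.g. "1.jpg" -> "1.jpg.BaN") and a ransom note named
"HOW TO DECRYPT FILES.txt" is dropped. This script walks a directory tree,
collects both, and reports the original names so responders can scope the
impact. The sample tree built by build_sample_tree() is constructed.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".BaN"                         # appended extension, from the article
RANSOM_NOTE_NAME = "HOW TO DECRYPT FILES.txt"  # dropped note name, from the article


def original_name(encrypted) -> str:
    """Strip the appended extension: '1.jpg.BaN' -> '1.jpg'."""
    return Path(encrypted).name[: -len(ENCRYPTED_EXT)]


def scan_for_ban_indicators(root) -> dict:
    """Walk `root` and return encrypted files, ransom notes, and a summary.

    The extension match is case-sensitive because the article reports it
    exactly as ".BaN"; the note name is compared case-insensitively so a
    differently cased copy is not missed.
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif name.lower() == RANSOM_NOTE_NAME.lower():
                notes.append(path)
    # Directories holding a note or encrypted data, for scoping the blast radius
    affected_dirs = sorted({str(p.parent.relative_to(root)) for p in encrypted + notes})
    return {
        "encrypted_files": sorted(str(p.relative_to(root)) for p in encrypted),
        "original_names": sorted(original_name(p) for p in encrypted),
        "ransom_notes": sorted(str(p.relative_to(root)) for p in notes),
        "affected_dirs": affected_dirs,
        # Both indicators together are a much stronger signal than either alone
        "likely_infected": bool(encrypted) and bool(notes),
    }


def build_sample_tree() -> str:
    """Create a constructed directory tree mimicking the article's examples."""
    root = tempfile.mkdtemp(prefix="ban-demo-")
    docs = Path(root) / "Documents"
    docs.mkdir()
    for fname in ("1.jpg.BaN", "2.png.BaN", RANSOM_NOTE_NAME):
        (docs / fname).write_bytes(b"constructed sample content")
    (Path(root) / "untouched.txt").write_bytes(b"clean")  # must not be flagged
    return root


def demo() -> dict:
    """Build the sample tree, scan it, and return the report."""
    return scan_for_ban_indicators(build_sample_tree())


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a real share by calling scan_for_ban_indicators with the mount path instead of the constructed tree; the "original_names" list is what you would compare against backups when planning a restore.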
BaN Ransom Note in Full
The complete text of the BaN ransom note reads as follows:
Hello
All your files have been encrypted
if you want to decrypt them you have to pay me 0.03 bitcoin. Make sure you send the 0.03 bitcoins to this address:
bc1qh9a50kaccf2xjutqhmufgrx2s7ycg8rqajdj6r
If you don't own bitcoin, you can easily buy it from these sites:
www.coinmama.com
www.bitpanda.com
www.localbitcoins.com
www.paxful.com
You can find a larger list here:
hxxps://bitcoin.org/en/exchanges
After sending the bitcoin, contact me at this email address:
banuda@tuta.io or banuda@skiff.com
with this subject: -
After the payment has been confirmed,
you will get decryptor and decryption keys!
You will also receive information on how to defend against another ransomware attack
and the most important thing is your security hole through which we entered.
Attention!
Do not try other cheaper decryption options because nobody and nothing can
decrypt your files without the keys generated for your server,
you will lose time, money and your files forever!
How Can Ransomware Like BaN Infect Your System?
Ransomware like BaN can infect your system through various methods, often exploiting vulnerabilities or relying on deceptive tactics. Here are common ways in which ransomware can infiltrate a system:
Phishing Emails: Attackers often use phishing emails to distribute ransomware. These emails may contain malicious attachments or links. Clicking on the link or downloading the attachment can initiate the ransomware download.
Malicious Links: Visiting compromised or malicious websites can also lead to ransomware infections. Cybercriminals may embed ransomware behind seemingly harmless links, downloads, or advertisements on those sites.
Malvertising: Malicious advertising, or malvertising, involves injecting malicious code into online ads. Clicking on such ads may trigger the download and installation of ransomware.
Exploiting Software Vulnerabilities: Ransomware creators frequently exploit vulnerabilities in operating systems, software, or applications. Systems that are not promptly updated with the latest security patches are more susceptible to these attacks.
Drive-by Downloads: Some ransomware can be delivered through drive-by downloads, where malware is automatically downloaded to a user's device without their knowledge or consent, often when visiting compromised websites.
Infected Software Installers: Downloading software or updates from untrustworthy sources can introduce ransomware to your system. Attackers may disguise malware as legitimate software to trick users into installing it.
Remote Desktop Protocol (RDP) Attacks: If Remote Desktop is improperly configured and exposed to the internet, attackers may use brute force attacks or exploit weak passwords to gain unauthorized access and deploy ransomware.
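The RDP item above describes the one vector in this list that leaves a clean trail in host logs: a run of failed logons from one source, followed by a success. The script below is an added example, not code from the article; it applies a simple sliding-window heuristic to Windows Security events (4625 is a failed logon, 4624 a successful one, and Logon Type 10 marks RDP sessions). The event records are constructed for the demo, and the threshold and window are assumptions to tune per environment.

```python
"""Added example, not from the original article: a detection heuristic for the
RDP brute-force scenario described in the last item above.

Windows logs a failed logon as Security event 4625 and a successful one as
4624; RDP sessions appear with Logon Type 10 (RemoteInteractive). The event
records below are constructed for this demo; the threshold and window are
assumptions to tune per environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # assumption: failures from one source before alerting
WINDOW = timedelta(minutes=5)  # assumption: sliding window for counting failures

# Constructed sample records: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2024-01-01 10:00:01", 4625, 10, "admin",         "198.51.100.7"),
    ("2024-01-01 10:00:03", 4625, 10, "admin",         "198.51.100.7"),
    ("2024-01-01 10:00:05", 4625, 10, "administrator", "198.51.100.7"),
    ("2024-01-01 10:00:07", 4625, 10, "administrator", "198.51.100.7"),
    ("2024-01-01 10:00:09", 4625, 10, "administrator", "198.51.100.7"),
    ("2024-01-01 10:00:11", 4625, 10, "administrator", "198.51.100.7"),
    ("2024-01-01 10:00:20", 4624, 10, "administrator", "198.51.100.7"),  # success after the run
    ("2024-01-01 10:01:00", 4625, 10, "bob",           "203.0.113.5"),   # one typo, benign
    ("2024-01-01 10:01:30", 4625, 2,  "alice",         "10.0.0.4"),      # console logon, not RDP
    ("2024-01-01 10:02:00", 4624, 10, "carol",         "203.0.113.9"),   # normal RDP session
]


def parse_events(events):
    """Turn raw tuples into (datetime, event_id, logon_type, account, ip), oldest first."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, lt, acct, ip)
              for ts, eid, lt, acct, ip in events]
    parsed.sort(key=lambda e: e[0])
    return parsed


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: alert} for sources whose RDP logon failures reach
    `threshold` within `window`.

    An alert records the accounts tried and, if a later RDP success comes
    from the same source, the account it logged in as: that is the case to
    treat as a probable compromise rather than noise.
    """
    recent_failures = defaultdict(deque)  # ip -> deque of (time, account) inside the window
    alerts = {}
    for ts, eid, logon_type, acct, ip in parse_events(events):
        if logon_type != 10:              # only RemoteInteractive (RDP) logons
            continue
        if eid == 4625:
            q = recent_failures[ip]
            q.append((ts, acct))
            while q and ts - q[0][0] > window:   # age out failures past the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"first": q[0][0], "accounts": set(),
                                               "success_after": None})
                alert["failures"] = len(q)
                alert["last"] = ts
                alert["accounts"] |= {a for _, a in q}
        elif eid == 4624 and ip in alerts:
            alerts[ip]["success_after"] = (ts, acct)
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, alert)
```

The single failure from 203.0.113.5 and the console logon from 10.0.0.4 produce no alert, while 198.51.100.7 is flagged with the accounts it cycled through and the success that followed. In practice the same logic runs over events pulled from the Security log (or a SIEM), and the "success_after" field is what should page someone, since a brute force that ended in a valid session is the precursor the RDP item above warns about.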