BANG File Virus. How to remove [gangflsbang@protonmail.ch].BANG Ransomware?

Written by Brendan Smith

What is BANG Virus?

BANG belongs to the PHOBOS ransomware family. It encrypts your documents and demands a ransom, allegedly to restore access to them. The extension id[XXXXXXXX-XXXX].[gangflsbang@protonmail.ch].bang indicates gangflsbang@protonmail.ch as the channel for contacting the ransomware criminals.

The PHOBOS ransomware is active again through a new cryptovirus named .bang. This family encrypts all popular file types and appends the .bang extension, leaving the data completely inaccessible: the victims simply cannot open their important documents anymore. The ransomware also assigns each victim a unique identification key, just like all previous members of the family. As soon as a file is encrypted, it receives a new extension that is appended after the original one. The file virus also drops a ransom note giving the user instructions that allegedly lead to restoring the data.

Bang Threat Summary

Name: .id[XXXXXXXX-XXXX].bang file virus
Extension: [gangflsbang@protonmail.ch].bang file virus
Type: Ransomware
Detection: TrojanSpy:Win32/Rebhip, Trojan-Ransom.Win32.Blocker.ivhl, PWS:Win32/Prast!rfn
Contacts: gangflsbang@protonmail.ch
Short Description: The virus encrypts the documents on the attacked device and asks the victim to pay a ransom, supposedly to restore them.
Symptoms: The file virus encrypts the data and adds the .bang extension, also generating a one-of-a-kind identifier. Note that the [gangflsbang@protonmail.ch].bang extension is appended after the original one.
Distribution Method: Spam, email attachments, compromised legitimate downloads, attacks exploiting weak or stolen RDP credentials [1].
Fix Tool: See if your system has been affected by the .bang file virus
Bang deletes the shadow copies of files, disables the Windows recovery and repair functions at the boot stage, disables the firewall with the following commands, and launches mshta.exe to display the ransom demands:
vssadmin.exe vssadmin delete shadows /all /quiet
WMIC.exe wmic shadowcopy delete
bcdedit.exe bcdedit /set default recoveryenabled no
bcdedit.exe bcdedit /set default bootstatuspolicy ignoreallfailures
netsh.exe netsh advfirewall set currentprofile state off
netsh.exe netsh firewall set opmode mode=disable
mshta.exe "%USERPROFILE%\Desktop\info.hta"
mshta.exe "%PUBLIC%\desktop\info.hta"
mshta.exe "C:\info.hta"
Bang Startup
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\exec.exe
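As an added example (not code from the original article), here is a small Python checker that applies the command patterns listed above to process-creation events of the kind a Sysmon or EDR log records. The sample events, the rule labels and the "image|command line" format are my own constructions.

```python
import re

# Constructed sample telemetry ("process image|command line"), modelled on the
# commands listed above; these are not events captured from a real host.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet",
    r"C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete",
    r"C:\Windows\System32\bcdedit.exe|bcdedit /set default recoveryenabled no",
    r"C:\Windows\System32\bcdedit.exe|bcdedit /set default bootstatuspolicy ignoreallfailures",
    r"C:\Windows\System32\netsh.exe|netsh advfirewall set currentprofile state off",
    r"C:\Windows\System32\netsh.exe|netsh firewall set opmode mode=disable",
    r'C:\Windows\System32\mshta.exe|mshta.exe "%PUBLIC%\desktop\info.hta"',
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\exec.exe|exec.exe",
    r"C:\Windows\System32\vssadmin.exe|vssadmin list shadows",  # benign admin query
    r"C:\Windows\explorer.exe|explorer.exe",                    # benign
]

# (label, regex) pairs; each regex runs over the lower-cased "image|command line".
RULES = [
    ("shadow copies deleted",
     r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("boot recovery disabled",
     r"bcdedit(\.exe)?\s+/set\s+\{?default\}?\s+"
     r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("firewall disabled",
     r"netsh(\.exe)?\s+(advfirewall\s+set\s+\w+\s+state\s+off"
     r"|firewall\s+set\s+opmode\s+mode=disable)"),
    ("ransom note displayed via mshta", r"mshta(\.exe)?\s.*info\.hta"),
    ("executable run from Startup folder",
     r"\\start menu\\programs\\startup\\[^\\|]+\.exe\|"),
]


def scan_events(events):
    """Return (label, event) pairs for every event that matches a rule."""
    hits = []
    for event in events:
        text = event.lower()
        for label, pattern in RULES:
            if re.search(pattern, text):
                hits.append((label, event))
    return hits


def looks_like_phobos_chain(events):
    """True when shadow-copy deletion appears together with at least one
    recovery- or firewall-disabling command, i.e. the sequence described above."""
    labels = {label for label, _ in scan_events(events)}
    return "shadow copies deleted" in labels and bool(
        labels & {"boot recovery disabled", "firewall disabled"})
```

A benign "vssadmin list shadows" is deliberately left unflagged; only the destructive and recovery-disabling forms match.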

.bang File Virus – Phobos Ransomware

What Is It and How Did I Get It?

The .bang ransomware is most commonly spread by a payload dropper, which runs a malicious script that eventually installs the file virus. Judging by the submissions recorded in the VirusTotal database, the threat circulates actively on the web. The .bang ransomware may also push its payload files through popular social networks and file-sharing platforms. Free applications hosted on many popular sites may likewise be disguised as helpful tools while in fact leading to the malicious scripts that inject the ransomware. Your own caution matters a lot in preventing a .bang attack!

According to users' reports, one of the most popular sources of .bang ransomware is cracked software. The ransomware distributors usually inject the .bang virus into the "installer", a specific component meant to bypass the license-checking procedure. So the best solution is to use licensed software.

Another popular source of .bang ransomware is keygens for various popular programs and applications (e.g. Photoshop, AutoCAD, games, etc.). Nowadays most keygens no longer work but can still be downloaded, and instead of the "promised" functionality you can get ransomware.

The .bang ransomware, like ransomware of all families, can significantly reduce your PC's performance while it is active. Even a well-equipped PC can slow down when a large number of files is being encrypted. So it is a wise decision to perform a full scan if you notice a significant performance drop.

You can stop the .bang ransomware from launching. It is not able to bypass Windows User Account Control (UAC), so if the .bang ransomware tries to launch, you will see an overlay window notifying you that a suspicious program is trying to start.

There is also a bug that can help you regain access to some of your files. The .bang ransomware is not able to encrypt large (>1 GB) files correctly, so you can open them after simply removing the .bang extension.

Your music and video may also be available! In every file encrypted by the .bang ransomware, only the first 150 KB is actually encrypted. Music and video files are usually much bigger than 150 kilobytes, so you can try to open them with different music or video players.

Pay attention to the USB drives you used after the ransomware attack. The .bang ransomware can spoil them in different ways: encrypt the files stored on them, drop its own notes as a reminder about the encryption, and so on. But the nastiest action is ransomware injection: the Bang virus copies its .exe file onto your USB drive, so the drive becomes a ransomware carrier.

There is also a chance that you got a version of the .bang ransomware that is not able to encrypt disks other than the one it is located on. In that case, all your files on other disks, and on the external drives you have connected since the attack, will remain usable.

A good way to avoid paying or going through a long decryption procedure is to use backups. But for a backup to be really up to date you need to create backups regularly (one backup per month is usually enough). If you do not have a lot of important data, you can upload your documents to cloud storage or similar.

But be careful if you store your backups on your PC. The .bang ransomware can encrypt the backup or inject its .exe files into it, making it useless for system restoration. The best places to store your backups are cloud storage and external drives.

Also, beware of OneDrive backups. They have a very specific mechanism: the backup process starts without any notification, and the new backup overwrites the older one. Hence there is a high risk of ending up with a backup of encrypted files instead of normal, ready-to-use ones.

Bang ransomware can edit your system files to avoid any interruption of the encryption process. It adds an entry for its .exe file to the RunOnce registry key. That allows the ransomware to launch together with your system, so you cannot stop it with a reboot or shutdown.

The only way to prevent the .bang ransomware from launching is to boot into Windows Safe Mode. That mode disables the automatic launching of any software except Windows' own components. Hence the ransomware will be inactive, and you will be able to connect a USB drive with a backup file or with anti-malware software, for example.

Another system object usually edited by the .bang ransomware is the hosts file. This file maps site names to addresses, and if a site is listed in it, the address specified in the file takes priority for the connection. The ransomware adds a large list of sites to this file: anti-malware software vendors, anti-malware forums, and sites where the user could find information about a possible solution for ransomware removal and decryption. Besides adding them to hosts, it maps their addresses to 127.0.0.1, the address that refers back to your own PC. Hence your PC loses the ability to connect to these sites.

You may see many users claiming they can help with .bang ransomware decryption and removal. You can accept such help at your own risk, because nobody can vouch for their intentions. They may help you, or they may deceive you, asking for payment and then blocking you once it is done. You may also discover that your credit card data has been compromised and someone is trying to steal your money. In any case, such help can be dangerous.

According to several reports, the .bang ransomware can also add the Microsoft update server to hosts. This is done because an update could restore to their defaults various system files that the ransomware has changed.
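As an added example (not code from the original article), this Python check parses hosts-file content and reports every hostname pinned to a loopback or unspecified address, which is the sinkholing tactic described in the two passages above. The sample hosts content, the placeholder hostnames and the allow-list of expected loopback names are my own assumptions; the Windows hosts path is the standard one.

```python
import ipaddress

# Constructed hosts-file content for the demonstration; it is not taken from an
# infected machine, and the vendor hostnames are placeholders in the .test TLD.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.av-vendor.test
127.0.0.1       forum.av-vendor.test
0.0.0.0         update.os-vendor.test
10.0.0.5        intranet.corp.test   # legitimate internal override
"""

# Standard location of the file on Windows; only used by check_hosts_file().
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Names that legitimately resolve to loopback and must not be reported (assumed list).
EXPECTED_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) for each mapping, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def find_sinkholed_entries(text):
    """Return (ip, hostname) pairs pinned to a loopback or unspecified address.
    That is the tactic described above: the named sites become unreachable."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; a separate check could report it
        if (addr.is_loopback or addr.is_unspecified) and name not in EXPECTED_LOOPBACK:
            flagged.append((ip, name))
    return flagged


def check_hosts_file(path=HOSTS_PATH):
    """Run the check against the live file (intended to be run on the Windows host)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_sinkholed_entries(fh.read())
```

The internal override to 10.0.0.5 is not reported, so the check stays quiet on the normal enterprise use of the hosts file.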

.bang ransomware is an infection that encrypts your data and presents a frustrating ransom note. Below is a screenshot of the ransom note:

[gangflsbang@protonmail.ch].bang virus demanding message in a pop-up window

It says the following:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail gangflsbang@protonmail.ch
Write this ID in the title of your message ********-****
If there is no response from our mail, you can install the Jabber client and write to us in support of 
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Jabber client installation instructions:
Download the jabber (Pidgin) client from https://pidgin.im/download/windows/
After installation, the Pidgin client will prompt you to create a new account.
Click "Add"
In the "Protocol" field, select XMPP
In "Username" - come up with any name
In the field "domain" - enter any jabber-server, there are a lot of them, for example - exploit.im
Create a password
At the bottom, put a tick "Create account"
Click add
If you selected "domain" - exploit.im, then a new window should appear in which you will need to re-enter your data:
User password
You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)
If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Do not contact these crooks! They do not want to help you; their only goal is your money, so they will try every possible method to force you to pay.

At first, the fraudsters may be gentle, offering to decrypt several of your files "to prove that we really have the decryption tool". But nobody can force them to give you a decryption key after your payment.

Later, if you do not pay, they will start to threaten you, promising to delete your files or claiming that their encryption cannot be broken. They may also open the dialogue with such threats, skipping the "gentle start" mentioned above.

And, as a final bow, the crooks will sell your e-mail address in a bundle with the addresses of other victims who contacted them. These addresses can be bought by anyone, but the buyers are usually other fraudsters or advertising agents, who will spam your mailbox with annoying ads and offers.

You can see that the ransomware distributors offer you their decryption tool. But nobody can guarantee that this tool does not contain malware in addition to the decryptor, so it is better to avoid such software.

Remove [gangflsbang@protonmail.ch].bang File Virus (Phobos)

Reasons why I would recommend GridinSoft [2]

There is no better way to recognize, remove and prevent ransomware than to use anti-malware software from GridinSoft [3].

Download GridinSoft Anti-Malware.

You can download GridinSoft Anti-Malware by clicking the button below:

Run the setup file.

When the setup file has finished downloading, double-click the setup-antimalware-fix.exe file to install GridinSoft Anti-Malware on your computer.

Run Setup.exe

A User Account Control prompt will ask whether to allow GridinSoft Anti-Malware to make changes to your device. Click "Yes" to continue with the installation.

GridinSoft Anti-Malware Setup

Press the "Install" button.

GridinSoft Anti-Malware Install

Once installed, Anti-Malware will automatically run.

GridinSoft Anti-Malware Splash-Screen

Wait for the Anti-Malware scan to complete.

GridinSoft Anti-Malware will automatically start scanning your PC for Bang infections and other malicious programs. This process can take 20-30 minutes, so I suggest you periodically check on the status of the scan.

GridinSoft Anti-Malware Scanning

Click on “Clean Now”.

When the scan has completed, you will see the list of infections that GridinSoft Anti-Malware has detected. To remove them, click the "Clean Now" button in the right corner.

GridinSoft Anti-Malware Scan Result

How to decrypt .bang files?

You can download and use the decrypter that Kaspersky released if you were hit by the .[gangflsbang@protonmail.ch].bang extension.

You can download and use the decrypter that Avast released, or the decrypter that Kaspersky released, if you were hit by the .bang extension.

What next?

If this guide does not help you remove the Bang virus, please download the GridinSoft Anti-Malware that I recommended. You can also always ask me for help in the comments.


References

  1. How To Change Remote Desktop (RDP) Port: https://howtofix.guide/change-remote-desktop-port-on-windows-10/
  2. GridinSoft Anti-Malware Review from HowToFix site: https://howtofix.guide/gridinsoft-anti-malware/
  3. More information about GridinSoft products: http://gridinsoft.com/products/

About the author

Brendan Smith

Journalist, researcher, web content developer, grant proposal editor. Efficient and proficient on multiple platforms and in diverse media. Computer technology and security are my specialties.
