
Banhu Ransomware

Posted: December 24, 2020

Ransomware operators' activity always picks up pace around Christmas when many people are likely to spend more time on their personal computers. While preventing such threats from causing damage is easily achievable by investing in up-to-date anti-malware software, many users continue to be reluctant to secure their computers. They are the group prone to Banhu Ransomware's attacks. This new file-locker has been created by using the source code of the threatening Phobos Ransomware, and, unfortunately, it is not decryptable with free software. The Banhu Ransomware authors claim that they own a working decryption utility, which can only be obtained by agreeing to pay a hefty ransom fee.

The Banhu Ransomware attack is meant to cause damage to important files like documents, media, backups, archives and others. After it locks a file, the Banhu Ransomware appends a new extension to its name, using the pattern '.id[<VICTIM ID>].[gooddecrypt@airmail.cc].banhu'. After the Banhu Ransomware is finished with this task, it spawns a ransom message in a new window called 'encrypted'. The message urges the victim to pay a Bitcoin ransom fee and to contact the attackers via the email gooddecrypt@airmail.cc. The criminals also can be contacted via the Telegram handle @gooddecrypt. Last but not least, they offer to decrypt 1-2 files for free so that their victims will have proof that the decryptor works.
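The extension pattern above can be used to measure how far the damage reaches before restoring from backup. The following is an added example, not code from this article's authors: it parses a file listing, recovers each original file name and the victim ID, and groups affected files by folder. The victim ID format is not documented here, so it is matched as any text between the brackets (an assumption), and the sample paths and the ID `EXAMPLE-0001` are constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Suffix pattern from the article: .id[<VICTIM ID>].[gooddecrypt@airmail.cc].banhu
# The victim ID format is not given on the page, so it is matched as any
# non-empty run of characters other than ']' (assumption).
BANHU_SUFFIX = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[^\]]+)\]"
    r"\.\[gooddecrypt@airmail\.cc\]\.banhu$",
    re.IGNORECASE,
)

def parse_locked_name(filename):
    """Return (original_name, victim_id) if filename carries the suffix, else None."""
    m = BANHU_SUFFIX.match(filename)
    return (m.group("original"), m.group("victim_id")) if m else None

def triage(paths):
    """Group affected files by directory and collect the victim IDs seen."""
    by_dir = defaultdict(list)
    victim_ids = set()
    for p in paths:
        win = PureWindowsPath(p)  # parses Windows paths on any OS
        parsed = parse_locked_name(win.name)
        if parsed is None:
            continue  # untouched file, or a name that only contains "banhu"
        original, victim_id = parsed
        by_dir[str(win.parent)].append(original)
        victim_ids.add(victim_id)
    return dict(by_dir), victim_ids

# Constructed sample listing (not taken from a real incident).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.id[EXAMPLE-0001].[gooddecrypt@airmail.cc].banhu",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Pictures\trip.jpg.id[EXAMPLE-0001].[gooddecrypt@airmail.cc].banhu",
    r"C:\Backups\db.bak.ID[EXAMPLE-0001].[GoodDecrypt@airmail.cc].BANHU",
    r"C:\Users\alice\Documents\report.banhu.pdf",
]

if __name__ == "__main__":
    affected, ids = triage(SAMPLE_PATHS)
    for directory, names in sorted(affected.items()):
        print(f"{directory}: {len(names)} locked file(s): {names}")
    print("victim IDs seen:", sorted(ids))
```

Matching is anchored to the end of the name and is case-insensitive, so a file such as `report.banhu.pdf` is not counted while a suffix in different letter case is.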

Co-operating with cybercriminals is never a good idea, and Banhu Ransomware's authors are not an exception. Even if you agree to fulfill their demands, they may try to trick you by ignoring your messages or even by asking you to pay more and more money.

If your device has been compromised by the Banhu Ransomware, we suggest that you run an anti-malware scanner immediately. This will stop the file-locker and prevent it from damaging new files. After you do this, you can start restoring files from a backup or use other data recovery software.
