BANKS Virus (.BANKS Files) — How to Remove This Phobos Ransomware

BANKS Virus (.BANKS Files) — How to Remove This Phobos Ransomware

.BANKS Virus virus remove

The .BANKS virus is a Phobos ransomware that is currently set against target end users on a global scale. There is no information available about the hacking group behind it. It is believed to be a new iteration of the famous ransomware family. This is one of the reasons why we believe that the hackers are experienced.

Once the .BANKS virus has started it will execute its built-in sequence of dangerous commands. Depending on local conditions or the specific hacker instructions various actions will take place. The file encryption will begin after them — the encrypting component will use a built-in list of target file type extensions. In the end the victim files will be renamed with the .BANKS extension.

Threat Summary

Name.BANKS virus
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts files on your computer machine and demands a ransom to be paid to allegedly restore them.
SymptomsThe ransomware will blackmail the victims to pay them a decryption fee. Sensitive user data may be encrypted by the ransomware code.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by .BANKS virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .BANKS virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.BANKS Virus – Distribution and Impact

A new Phobos ransomware release has been spotted, this time its a virus version that places the .BANKS extension on the victim files. The extension is used to identify the different strains of the virus and help the victims identify what threat is affecting them. For each ransomware version there are different distribution tactics and several ones at once can be active. Commonly the hackers will use phishing tactics — e-mail messages and sites that will impersonate legitimate services and popular Internet portals. The messages can use forged headers and stolen content, as well as personalized or non-personalized greetings in the introductory part in order to manipulate the recipients into thinking that a legitimate party has reached out to them. The same is done with the websites, they can be hosted on similar sounding domain names and even feature security certificates.

The other strategy which is used by the criminals is the creation of infected executable files such as application installers of popular software: creativity suites, office and productivity tools and even computer games. This is done by taking the legitimate tools from their official sources and modifying them with the associated virus code. What’s particularly dangerous is that usually they are spread on the phishing sites and are also uploaded to file-sharing networks like BitTorrent. To facilitate an even larger attack the hackers can create numerous browser plugins that include scripts leading to the .BANKS virus infection. They are called hijackers and are frequently uploaded to the repositories with fake or stolen developer accounts. The provided description and reviews will further manipulate the users into installing it.

The .BANKS virus will follow the behavior pattern of previous Phobos samples. This means that usually the following set of actions will be started:

  • Information Gathering — The module can be used to harvest data from the hosts that include both user personal files, as well as information that can be used to create an unique ID based on the installed parts. The collected information can also be used in crimes like identity theft and blackmail.
  • Security Applications Blocking — By analyzing the memory and hard disk contents the .BANKS virus can search for any installed applications that can block the proper infection sequence: firewalls, anti-virus programs, debug environments and virtual machine hosts. They will be shut down or entirely removed.
  • System Changes — The engine can be programmed into manipulating the boot options and thus starting the virus engine every time the computer is powered on. Other changes that can occur include the manipulation of system configuration files and the Windows Registry. As a consequence the victims can experience serious performance issues, errors and data loss.
  • Additional Infection — The .BANKS virus can be used to deploy other malware onto the hosts. Popular examples are Trojans and cryptocurency miners.

When all operations have finished running the .BANKS virus will continue with the infection process by launching the ransomware component. It will use a built-in list of target file types that are to be processed by a strong cipher: multimedia files, archives, backups, documents and etc. In the end the associated .BANKS extension will be applied to them and a ransom note will be crafted to blackmail the victims.

.BANKS Virus – What Does It Do?

.BANKS Virus could spread its infection in various ways. A payload dropper which initiates the malicious script for this ransomware is being spread around the Internet. .BANKS Virus might also distribute its payload file on social media and file-sharing services. Freeware which is found on the Web can be presented as helpful also be hiding the malicious script for the cryptovirus. Read the tips for ransomware prevention from our forum.

.BANKS Virus is a cryptovirus that encrypts your files and shows a window with instructions on your computer screen. The extortionists want you to pay a ransom for the alleged restoration of your files. The main engine could make entries in the Windows Registry to achieve persistence, and interfere with processes in Windows.

The .BANKS Virus is a crypto virus programmed to encrypt user data. As soon as all modules have finished running in their prescribed order the lockscreen will launch an application frame which will prevent the users from interacting with their computers. It will display the ransomware note to the victims.

You should NOT under any circumstances pay any ransom sum. Your files may not get recovered, and nobody could give you a guarantee for that.

The .BANKS Virus cryptovirus could be set to erase all the Shadow Volume Copies from the Windows operating system with the help of the following command:

→vssadmin.exe delete shadows /all /Quiet

If your computer device was infected with this ransomware and your files are locked, read on through to find out how you could potentially restore your files back to normal.

Remove .BANKS Virus

If your computer system got infected with the .BANKS Files ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share