.trobibtc218 Files Virus (BansomQare Manna) – Remove + Restore Data

This article explains what the BansomQare Manna ransomware virus is and shows how to remove it from your computer and restore .trobibtc218 encrypted files.

Security researchers have detected a ransomware virus called BansomQare Manna that encrypts documents and other important files on the computers it affects and leaves the .trobibtc218 file extension as a suffix on those files. The ransomware may then drop a ransom note with the same name as the file extension, asking for BitCoins to be paid within approximately one day. If your computer has been infected by the BansomQare Manna ransomware, we recommend that you read this article to learn how to remove BansomQare Manna from your computer and restore your encrypted files.

Threat Summary

Name: BansomQare Manna
Type: Ransomware, Cryptovirus
Short Description: Aims to encrypt the files on your computer and append the .trobibtc218 file extension to them, after which it asks you to pay a ransom to decrypt them.
Symptoms: The ransomware shows a ransom note named trobibtc218.txt and a pop-up ransom screen called BansomQare Manna, which has a countdown timer for paying a hefty ransom to get the files back.
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

BansomQare Manna – Distribution Methods

To spread widely, this ransomware infection may rely on several techniques, including RDP exploits, droppers or infection scripts that place its payload on your drive. To reach this goal, cyber-criminals spread the BansomQare Manna virus disguised as a legitimate type of file or URL. These files or URLs are often concealed as fake buttons or fake documents which appear to be important receipts, invoices or order confirmation forms of some sort. They are often spread via cunningly devised e-mails.


In addition to this, the BansomQare Manna ransomware may also be distributed through downloads that lead the victim to believe the file is the setup of a legitimate program, a game patch, a crack, a key generator or even a driver installer. Some websites even go as far as to custom generate a fake file based on the keywords you have searched for, so be extremely careful and always use services like ZipeZip to check the attachments in your e-mails before downloading them.

BansomQare Virus – More Information and Activity

The BansomQare ransomware virus aims to perform several activities on the victim’s computer, the main one of which is to encrypt your files and hold them hostage until you pay a ransom.

The first of those activities is to get you to download and activate the infection file, after which the BansomQare ransomware drops its malicious payload on your computer. The payload may consist of more than one file and it is designed to stay hidden. It is usually located in the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

The BansomQare ransomware may also heavily modify the Windows Registry, in particular the Run and RunOnce registry sub-keys, which cause the malicious files on the infected PC to run automatically when Windows boots. Such keys have the following location in the Registry Editor:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
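
A read-only triage check for the two indicators described above, added here as an example (it is not part of the original article or any removal tool it mentions): it lists autorun values whose command points into the listed folders, plus recently created script and executable files in those folders. The mapping of the folder names to environment variables, the standard Run and RunOnce paths and the seven-day window are assumptions.

```powershell
# Added triage example. Nothing is modified or deleted; review results by hand.

# RunServicesOnce is the key shown in the article; Run and RunOnce are the
# standard Windows locations of the sub-keys it mentions (assumption).
$autorunKeys = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($name in 'Run', 'RunOnce', 'RunServicesOnce') {
        "$hive\Software\Microsoft\Windows\CurrentVersion\$name"
    }
}

# Folders listed in the article, mapped to real environment variables (assumption).
$dropDirs = @(
    $env:APPDATA                                      # %AppData% / %Roaming%
    $env:LOCALAPPDATA                                 # %Local%
    (Join-Path $env:USERPROFILE 'AppData\LocalLow')   # %LocalLow%
    $env:TEMP                                         # %Temp%
) | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique

$suspectAutoruns = foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($valueName in $item.GetValueNames()) {
        # Expand any %VAR% references left in the stored command line.
        $raw = [string]$item.GetValue($valueName)
        $command = [Environment]::ExpandEnvironmentVariables($raw)
        foreach ($dir in $dropDirs) {
            if ($command.IndexOf($dir, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{ Key = $key; Value = $valueName; Command = $command }
                break   # one hit per value is enough
            }
        }
    }
}

# Executable or script files created recently in the same folders.
$cutoff = (Get-Date).AddDays(-7)   # assumed look-back window
$recentFiles = Get-ChildItem -Path $dropDirs -Recurse -File -Force `
        -Include *.exe, *.dll, *.js, *.vbs, *.bat, *.ps1 -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $cutoff } |
    Sort-Object FullName -Unique |
    Select-Object FullName, CreationTime, Length

$suspectAutoruns | Format-Table -AutoSize -Wrap
$recentFiles     | Format-Table -AutoSize
```

Legitimate software also starts from these folders, so each hit is a lead to examine, not a verdict.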

After this has been done, the ransomware may also drop its ransom note file. It has the name trobibtc218 and contains the following ransom instructions:

Send $100 worth of bitcoin to this address:
{cyber-criminals’ bitcoin address}
Contact US: [email protected]

In addition to this, the BansomQare ransomware also displays its lock-screen note.

BansomQare Ransomware – Encryption Process

In order to encrypt the files on the computers it infects, the BansomQare ransomware may scan for files based on their file types. Frequently used file types are targeted, such as:

  • Documents.
  • Videos.
  • Images.
  • Archives.
  • Text files.
  • Audio files.
  • Other important files.

The encryption process leaves the files with the .trobibtc218 file extension.

Remove BansomQare Ransomware and Restore .trobibtc218 Encrypted Files

In order to remove this ransomware infection from your computer, we advise that you follow the removal instructions underneath this article. They are designed to help you delete the malicious files of the virus using whichever method suits your malware removal experience, manual or automatic. For maximum effectiveness, cyber-security experts strongly advise using advanced anti-malware software. Its primary purpose is to help you delete the malicious files automatically and protect your computer against future infections as well.

If you want to restore files that have been encrypted on your computer, we advise that you try out the alternative methods for file recovery in step “2. Restore files, encrypted by BansomQare Manna” underneath. They are created to help you restore as many files as possible, but be advised that they may only be a partial solution to the problems caused by this ransomware. In the meantime, we advise that you follow this article; if a free decryptor is released for this virus, we will update it with information on how to decrypt your files. Either way, back up your encrypted files and do not delete them under any circumstance.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
