How to remove BANG ransomware (Decrypt Encrypted Files)

BANG ransomware is a deadly computer infection that locks up the files stored in and asks ransom payment for decrypting them. Read the article to know why you should not negotiate to the crooks under any circumstances and learn the best way to deal with this situation to have less damage to the compromised device from the infection. Also, this article will aware you about of various other possibilities of data recovery. So, don’t skip it.

What is BANG ransomware?

BANG ransomware is a crypto-virus, belongs to Dharma ransomware family that stuck the world in 2016 and during the years, this virus has been reappearing with various new versions. BANG is one of them, discovered by Jakub Kroustek. Like previous variants, this malware operates as encrypting stored files to put ransom demand to the novice users who are no longer able to access them.  The major targeted files include images, videos, and other productivity documents and files such as .doc, .docx, .xls, .pdf. During the encryption process, the virus will append .BANG extension name to their filenames (plus unique ID number and cybercriminals’ email address). For example, a file named 1.jpg would appear something like[[email protected]].BANG.

Once the encryption process is done, the BANG ransomware will display FILES ENCRYPTED.txt that contains ransom note and instructions on how to contact the crooks behind it and purchase the decryption tool from them. For the contact, [email protected] email address belongs to the cybercriminals is mentioned on the note. There is an alternate email address [email protected] also provided on the ransom note. As per the note, the users have to use it when they get no answer in response from the first email within 12 hours. There is given a warning note for the users in this text file according to which, if users rename the encrypted files and/or use any third party software for the data decryption, they will lose their files for permanently. Here is the full text presented on the text message created by BANG ransomware:


Don’t worry,you can return all your files!

If you want to restore them, follow this link email: [email protected]

If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected]


Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Paying/Contacting to the crooks is not recommended

We highly recommend against following the ransom payment request from the crooks. These are evil people -for whom you can’t say that they will fulfill their promise. They may disappear leaving you without your files. In such a case, you will experience financial loss and will have all the files remain in the encrypted situation. Better if, you use some data recovery alternatives. You can use existing backup -that were created before the encryption was done and stored on some remote locations than the compromised device. If you have no such files, you should use Shadow Volume Copy- an automatic backup cloud created by OS for short time. If you have no idea how to restore the files using the Shadow Copy, refer the instruction provided below the post in the data recovery section. In some cases, this shadow copy is deleted by ransomware in order to harden the data recovery process. If the BANG ransomware also did it so, you have to use some data recovery tool -the step by step instruction for using such tool is also provided below the post.

Remember:  Before using any of the mentioned data recovery alternatives, firstly, make ensure that the BANG ransomware is no longer available on the device, or otherwise, it may interrupt during the process and may even make the data recovery permanently impossible by corrupting the using tools.

Threat Summary

Name: BANG ransomware

Threat Type: Ransomware

Extension use: .BANG (files are also appended with a unique ID and cyber criminals’ email address)

Ransom demanding note: Text presented in the pop-up window and FILES ENCRYPTED.txt

Cyber criminals’ contact[email protected] and [email protected]

Detected names: Avast (Win32:RansomX-gen [Ransom]), BitDefender (Trojan.Ransom.Crysis.E), ESET-NOD32 (A Variant Of Win32/Filecoder.Crysis.P), Kaspersky (, and many others

Symptoms: Cannot open the files stored on the device, previous functional files now have a different extension. A ransom demand message is displayed on the desktop. Cyber criminals demand payment of a ransom to for unlocking the files

Additional information: This malware is designed to show a fake Windows Update Window and modify the Windows hosts file in order to prevent users from accessing security websites online

Distribution methods: Infected email attachments (macros), torrent websites, malicious ads, unofficial activation and updating tools

Damage: All files are encrypted and cannot be opened without paying a ransom. Additional password stealing Trojan or other malware infections can be installed together with a ransomware infection

Malware removal: Use some reputable antivirus tool or follow manual malware removal guide provided below the post to remove BANG ransomware from the device

Files recovery: Existing backup is the safe and secure option to get the files back in the original accessible condition. Other data recovery options include Volume Shadow Copy or data recovery tools -check the data removal section below the post for the step by step guide for performing them

Home users and organizations at the targets

Researchers see, this crypto-virus has often distributed via spam emails. Such messages deliver infectious files in a particular campaign. They revealed new information that the malicious actors use downloading links and when users click on such links- the malicious file gets installed and initiates the malicious script for this ransomware. Social media and file sharing services can also be used for distributing its payload file. In addition, freeware apps that are found on the web can be presented as helpful for hiding such malicious scripts. The source code has been offered for the sole on hackers’ forums for 2000 dollars and so this malware can be used a RaaS for or as a developing purpose of other threat.

The bad actors target both home users and organizations such as Courier Company, health institutions etc with this malware sample.  They use the BANG ransomware to encrypt stored files on the network or individual user’s device and ask ransom demand from them for releasing the files for further access and use them like earlier. Also, this malware also allows them to steal stored personal information and inject other malicious malware and hence there is a huge risk of privacy and system security due to the infection. To prevent such a huge risk, the BANG ransomware removal is recommended to be done immediately. Below the guide, you will see the step by step malware removal instruction – both Manual and Automatic guide. Use it so that you can easily perform the removal process and then consider about the data recovery.

Suspicious email attachments – common ransomware distribution technique

Mal-spam campaigns trick gullible users to open malicious files having payload of BANG ransomware. Inexperienced Users continue to fall on this scam because they have a lack of knowledge and idea for protecting their device. We kindly ask them to follow these precautionary tips that to avoid ransomware infiltration and protect their computer:

  • When receiving any emails from unknown sender, company or institution, carefully investigate it -take help from Internet for any similar scams before opening them
  • In many cases, when extortionists send any emails to infect the device, they clip some attachments in for of files or links with them. The infection typically occurs when users click such attachments. In other word, to avoid malware injection, you must require delete such emails before opening the malicious payload containing files or links that lead such files

Remove BANG ransomware

Manual malware removal guide is provided below in step by step manner. Follow it so that you will not find any trouble during removal process. You can use some reputable antivirus tool to automatically remove BANG ransomware from the device.

Special Offer (For Windows)

BANG ransomware can prove dangerous if remains on your computer for longer duration. So, we suggest you to try for Spyhunter to scan entire PC and find out malicious threat.

For more information, read SpyHunter’s EULA, Threat Assessment Criteria, and Privacy Policy. Spyhunter checks that your computer has malware with its free trial version. If found any threat, it takes 48 hours time for its removal. If you need to eliminate BANG ransomware instantly, you are required to purchase licensed version of this software.

Data Recovery Offer

To restore encrypted data or files out of your ransomware infected machine, using a lately created backup file is highly suggested. The users can also take a trial with a data recovery software to check if it can help recovering files. Take a free trial with the app here.

In order to remove BANG ransomware, follow any of the two steps:

  1. Remove BANG ransomware using “Safe Mode with Networking”
  2. Remove BANG ransomware using “System Restore”

Remove BANG ransomware using Safe Mode with Networking

Step 1: Restart the system in Safe Mode with Networking before you attempt to eliminate BANG ransomware.

Windows 7/Vista/XP

  • Click Start > Shutdown > Restart > Ok
  • Wait till the computer becomes active
  • After the Windows screen appear, start pressing F8 multiple times until you see Advanced Boot Options Window
  • Select Safe Mode Networking from the list

Windows 10/Windows 8

  • Press the Power button on Windows login screen and then press and hold Shift button on the keyboard
  • Then, click on Restart
  • Now, Select Troubleshoot> Advanced options> Start up settings and finally press Restart
  • When computer becomes active, click Enable Safe Mode with Networking in startup settings Window

Step 2: Remove BANG ransomware

Login to the infected device, start the browser and download Spyhunter or other legit anti-virus program. Before performing system scan, update it and remove the malicious files belong to the ransomware and then complete the BANG ransomware removal.

If the ransomware has blocked the Safe Mode with Networking, try further method.

Remove BANG ransomware using System Restore

This feature offers the ability to restore the device to the previous state.

Step 1: Reboot the device with Safe Mode with Command Prompt

Windows 7/Vista/XP

  • Click StartShutdown > Restart >OK
  • When system becomes active, press F8 button multiple times till Advanced Boot options Window appear
  • Select Command Prompt from the list

Windows 10/Windows 8

  • Press the Power button at the Windows login screen and then press and hold Shift button on the keyboard and click Restart
  • Select Troubleshoot > Advanced options > Startup Settings and finally press Restart
  • Once the computer becomes active, select the Enable Safe Mode with Command Prompt in Startup settings Window

Step 2: Restore the system files and settings

  1. Once the Command Prompt Window shows up, enter cd restore and click Enter

2. Now, type rstrui.exe and press Enter

3. In the opened Window, click “Next” 

4. Select the zonal point that is prior the infiltration of BANG ransomware. After doing this, click “Next

5. Now click yes to Start System restore

Once you restore the system to the previous data, download and scan the device some reputable antivirus tool such as Spyhunter to ensure that BANG ransomware removal is performed successfully.

You can use Windows Previous Version feature to restore the individual files that were affected. This method will be the effective one if the System Restore function was enabled on the compromised device.

Note that, some of the BANG ransomware variants are known to delete Shadow Volume Copies of the files, and therefore, this method is not the sure shot for the data recovery.

Why Spyhunter?

SpyHunter is an anti-malware tool that scans the device for searching and identifying malware attacks, block malware, adware, spyware and other potentially unwanted applications. Its scanning algorithm and programming logics are continually updated and therefore it tactics the latest malware infections as well.

More about Spyhunter

SpyHunter is a very advanced scanning architecture. It features multi layered system scanner that helps it on detecting old as well as new viruses. It provides an option to customize the scans as well. Its other helpful feature includes the cloud based capability for detecting highly advanced and sophisticated malware and providing complete protection from it. It also offers the feature of scanning the particular drivers or folders, previous scan log view, manage the quarantined objects and also pick that objects that you wish to be excluded from the future scan.

The antivirus tool especially focused son taking quick action on the newly detected threats. Its real time blocking capability helps you to prevent the attacks, downloads and installation of any kinds of kinds and removing most aggressive malware. It has special feature to perform system booting in customized environment and remediate malware at the lower level of the system.  Most importantly, Spyhunter scans the cookies that are possibly representing privacy issues.

Instructions to Download and Install the latest Spyhunter 5

    • You can simply download Sphunter from link given below.

Special Offer (For Windows)

BANG ransomware can prove dangerous if remains on your computer for longer duration. So, we suggest you to try for Spyhunter to scan entire PC and find out malicious threat.

For more information, read SpyHunter’s EULA, Threat Assessment Criteria, and Privacy Policy. Spyhunter checks that your computer has malware with its free trial version. If found any threat, it takes 48 hours time for its removal. If you need to eliminate BANG ransomware instantly, you are required to purchase licensed version of this software.

  • After the download, you will see SpyHunter-Installer.exe file on the browsers at the bottom-left corner. Double-click on it to open it:
  • Confirm With “Yes” on the User Account Control
  • Choose the Preferred language

  • Click Continue to precede the installation steps

  • Read and click on accept button to agree to End User License Agreement and Privacy Policy. Then, click on Install button

  • Now the installation process will begin. Wait, till the process is completed. It takes a few minutes

  • Once the process is completed, you will see a Finish Click on it to complete the process of installation of the application.

Steps to perform System Scan using SpyHunter

  • After the application installation, the SpyHunter 5 anti-malware tool will launch automatically. However, if it does not, then locate the SpyHunter icon on the desktop or click Start > Programs > Select SpyHunter.
  • On the application page, you will find home tab on the left top corner. Click on it and select Start Scan Now button. The antivirus tool will then start the scanning for threats and system vulnerabilities

  • The scanning results will show system errors, vulnerabilities and malware found, if any

Note: To continue and perform the detected threats, you require full product. Below, the step-by-step instruction to register for the SpyHunter is provided for you:

How to Register for SpyHunter

On the top right corner of the program window, there is a Register option. Click on it and follow the instructions

  • Once you have registered, you will be provided Username and Password. Click on the Account Tab of the settings section and enter the provided username and password. Thereafter, you can avail the full feature of the app for your computer

  • SpyHunter will provide the scanning results in a category wise such as Malware, PUPs, Privacy, Vulnerabilities and Whitelisted objects -as you see below

  • Select the objects that you would like to remove and click the Next button

The selected objects will go SpyHunter’s Quarantine and so you can easily restore it anytime through Restore feature.

  • To locate any object

Go to Malware/PC Scan tab and click on Quarantine tab

In this section, select the checkbox at the left of the object and click on the Restore button

  • To perform removal of an object

Just select the object on the checkbox at the left displayed in the Malware PUPs or Privacy tabs. This allows you select and deselect all objects displayed on specific tab.

Steps to restore individual files

To restore a file, right click over it, go into the properties and select the previous version tab. If this file has the Restore Point, select it and click on Restore button

You should boot your device using a rescue disk, in case you are not able to start your device in Safe Mode with Networking (or with Command Prompt). For this you require access to another computer.

To gain control over the BANG ransomware encrypted files, you can use a program called Shadow Explorer.

More on Shadow Explorer application

After installing this application, you will see the shortcut of it to the desktop in the start menu. Running this app does not require administrative privileges from version 0.5. But in certain circumstances, it can be helpful to run ShadowExplorer with elevated privileges -using right click, run as administrator.

  • When you install the app as administrator, first thing you see is the user account control screen requesting administrator privileges

  • This is the picture of the app when everything works correctly

  • From the drop down list, select one of the available point in the time Shadow Copies

  • You can export any file or folder by a right click on it

  • Then, choose a folder where you want those files from t he Shadow Copy are saved to

  • The image shows the status of the retrieval process

  • The app may ask for your confirmation before overwriting in case if a file or folder in the destination directly already exists. Click on Do not show this dialog box, after this it won’t be shown ever again

  • You will be given an reset the previous decision as well in the settings dialog

Important discussion: Now, you are familiar with ransomware and its impact on the infected PC. What we mean to say that the ransomware viruses are said to be deadly threats. And therefore, better for you to take adequate protection to avoid the attacks on your work station. For safety, you should use some reputable antivirus suite like Spyhunter that artificially implants the group policy objects into the registry to block rogue apps like BANG ransomware.

Note that in Windows 10 Fall Creators Update, you will get a unique feature called Controlled Folder Access that blocks ransomware attempts to encrypt the crucial files like Documents, Pictures, Videos, Music, Favorites and Desktop folders.


Thus, Windows 10 users should take this privilege and must install the update to protect their data ransomware attacks. To know more on how to get this update and add an additional protection layer from ransomware infection, click here.

How to recover the data encrypted by BANG ransomware?

We have already discussed two important data recovery methods, i.e., the System Restore and Shadow Volume Copies. Hope so, these methods work in your case. However, if these options are not enough for you for the data recovery, you need to switch to another data recovery option that is use the data recovery tool. Such tools work on the basis of system scanning and recovery algorithm. They operate by searching the partitions to locate the original files (deleted, corrupted or damaged by the malware). Before using this option, certain things you should keep in mind:

  • Do not re-install the Windows OS -this leads the previous copies permanently deleted
  • Clean the work station from BANG ransomware infection
  • Leave the files as they are

Follow these instructions:

  1. Download the data recovery software in the Work-station from the link below

Data Recovery Offer

To restore encrypted data or files out of your ransomware infected machine, using a lately created backup file is highly suggested. The users can also take a trial with a data recovery software to check if it can help recovering files. Take a free trial with the app here.

  1. Execute the installer by clicking on the downloaded files

3. You will see a license agreement page on the screen, click on Accept button to agree its terms to use and then follow the on-screen instruction and then click on Finish button

4. The programs executes automatically after the install. You just select the file types that you want to recover and click on the “Next” button

5. Select the drive on which you want the software to run, execute the recovery process and click on scan button

6. The restoration process begins soon you select the file types for scanning. The process may take times depending on the selected drive and number of files. Once this process gets completed, a preview for the data that are to be recovered appears on a data explorer screen. Here, select the files you want to restore.

7. After this, locate the locations where you want to save the recovered files