.bablo is the file extension that the newest variant of the Phobos ransomware appends to the files it has encrypted. Ransomware is malware, written by criminals, that restricts access to the victim's files by encrypting them and then demands a ransom for the decryption key and the decryptor tool needed to recover them. Files carrying the .bablo extension are useless to their owner: their contents cannot be read without the key, which only the criminals hold.
The Bablo virus is the latest version of the Phobos ransomware and was identified by security researchers only recently. Like the other variants, it encrypts the files on the computer and then demands a ransom for decryption. The files are encrypted with strong encryption, so the key cannot be recovered by brute force or by analysing the encrypted files, and each victim gets a unique key. It encrypts files of any type, regardless of their contents, so files of the following common types are readily encrypted:
.wp, .t13, .ibank, .mcmeta, .rar, .xlsx, .wpe, .syncdb, .mov, .zi, .litemod, .p7b, .p12, .wps, .xar, .pef, .accdb, .wpl, .kf, .dazip, .cdr, .mp4, .wma, .wotreplay, .rim, .ai, .lbf, .raf, .odm, .wmo, .wpt, .rwl, .jpeg, .xyw, .wmf, .odc, .wcf, .xyp, .desc, .gho, .ff, .crt, .wot, .ybk, .xxx, .raw, .arch00, .xls, .big, .forge, .1st, .m3u, .wbc, .p7c, .wsd, .xdl, .x3f, .dba, .7z, .tax, .xlsm, .bkf, .nrw, .itl, .wpg, .wp7, .webp, .wgz, .wire, .sav, .das, .der, .r3d, .svg, .pfx, .y, .blob, .js, .docx, .flv, .sie, .xx, .bc7, .z, .epk, .qdf, .apk, .zif, .vtf, .xwp, .wri, .wpb, .x3d, .bkp, .dng, .wbmp, .wn, .mdb, .w3x, .z3d, .hkdb, .ws, .wp6, .fos, .gdb, .xf, .wav, .xbplate, .wb2, .css, .dmp, .sr2, .psk, .qic, .sis, .pdf, .py, .db0, .esm, .m2, .ltx, .d3dbsp, .kdb, .lrf, .crw, .zip, .xml, .wmv, .pptx, .xll, .ysp, .xlk, .bc6, .lvl, .wallet, .sid, .2bp, .pem, .yml, .arw, .txt, .wm, .psd, .menu, .erf, .mlx, .wpd, .srw, .iwi, .rtf, .tor, .sidn, .cas, .ntl, .rofl, .dbf, .ncf, .bar, .odb, .webdoc, .fsh, .wbz, .3ds, .mpqge, .jpe, .itm, .snx, .sidd, .ptx, .wdb, .itdb, .fpk, .wbm, .vdf, .map, .hplg, .yal, .xy3, .sb, .doc, .pkpass, .mdf, .mrwref, .zw, .sum, .zdb, .wpa, .zdc, .wsh, .srf, .zabw, .m4a, .wdp, .png, .cer, .t12, .odp, .icxs, .wpw, .pptm, .3dm, .upk, .xmmap, .mddata
Each encrypted file is also renamed: a file called 'document.docx' becomes 'document.docx.id[user-id].[email@example.com].bablo' after encryption, so the original name and extension are kept and a victim id, the criminals' contact address and the .bablo marker are appended. Bablo ransomware encrypts files on every drive connected to the computer at the time it runs, so files on network attached storage, mapped shares and external devices are encrypted as well. It works directory by directory, file by file; once all the files in a directory have been encrypted it drops two files there, named 'info.txt' and 'info.hta'. Their contents are shown below.
The contents of info.txt:
!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: firstname.lastname@example.org.
If we don’t answer in 24h., send e-mail to this address: email@example.com
The contents of info.hta:
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail firstname.lastname@example.org
Write this ID in the title of your message [user-id]
In case of no answer in 24 hours write us to this e-mail: email@example.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Every directory that holds encrypted files receives these two files, and their contents are the same everywhere. They carry the message from the Bablo ransomware creators: all the files have been encrypted and the only way to decrypt them is to buy the decryptor and key. The criminals demand a ransom and state that its size depends on how quickly the victim writes to them: the sooner, the cheaper. They leave two e-mail addresses that the victim must use to contact them and, to prove that decryption is possible, offer to decrypt up to 5 small files for free. There is, however, no guarantee that a victim who pays the ransom will actually be able to decrypt all of the encrypted files.
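The naming scheme and the per-directory ransom notes described above are enough to take a quick inventory of what the ransomware touched before any removal or recovery is attempted. The script below is an added example written for this article, not code from the page's author or from any removal tool: it walks a directory tree, picks out files that carry the full '.id[...].[...].bablo' pattern, recovers their original names, collects the victim id(s) and contact address(es) from the file names, and lists directories that contain encrypted files but no note, which is where encryption was interrupted. The sample tree it builds in a temporary directory is constructed for the demonstration, and the victim id 'A1B2C3D4-2048' and the address 'mail@example.com' in it are invented placeholders, not indicators from a real sample.

```python
import os
import re
import tempfile
from collections import Counter

# Naming scheme the article describes: <name>.id[<victim id>].[<e-mail>].bablo
# The bracket contents are matched as free-form text; real samples put a hex
# victim id here and the contact address that also appears in the ransom note.
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[^\]]+)\]\.\[(?P<email>[^\]]+)\]\.bablo$",
    re.IGNORECASE,
)
RANSOM_NOTES = {"info.txt", "info.hta"}


def parse_encrypted_name(filename):
    """Split a Bablo-style file name into (original_name, victim_id, email).

    Returns None for any name that does not carry the full pattern, so a
    stray '.bablo' suffix on its own is not reported as an encrypted file.
    """
    m = ENCRYPTED_RE.match(filename)
    if m is None:
        return None
    return m.group("original"), m.group("victim_id"), m.group("email")


def triage_tree(root):
    """Inventory a directory tree after an infection.

    Returns a dict with the encrypted files found (path, original name), the
    ransom-note paths, the distinct victim ids and contact addresses (more than
    one id means more than one sample or run touched this tree), a count of
    original extensions, and directories that hold encrypted files but no note,
    which is where the encryption run was cut short.
    """
    report = {
        "encrypted": [],
        "notes": [],
        "victim_ids": set(),
        "emails": set(),
        "by_extension": Counter(),
        "dirs_without_note": [],
    }
    for dirpath, _dirs, files in os.walk(root):
        lowered = {f.lower() for f in files}
        encrypted_here = 0
        for name in files:
            parsed = parse_encrypted_name(name)
            if parsed is not None:
                original, victim_id, email = parsed
                report["encrypted"].append((os.path.join(dirpath, name), original))
                report["victim_ids"].add(victim_id)
                report["emails"].add(email)
                report["by_extension"][os.path.splitext(original)[1].lower()] += 1
                encrypted_here += 1
            elif name.lower() in RANSOM_NOTES:
                report["notes"].append(os.path.join(dirpath, name))
        if encrypted_here and not (lowered & RANSOM_NOTES):
            report["dirs_without_note"].append(dirpath)
    return report


def build_sample_tree():
    """Create a constructed victim tree in a temp directory and return its path.

    The id 'A1B2C3D4-2048' and the address 'mail@example.com' are invented for
    this example; they are not indicators taken from a real sample.
    """
    root = tempfile.mkdtemp(prefix="bablo_demo_")
    suffix = ".id[A1B2C3D4-2048].[mail@example.com].bablo"
    layout = {
        "Documents": ["report.docx" + suffix, "photo.jpg" + suffix, "info.txt", "info.hta"],
        "Downloads": ["archive.zip" + suffix, "readme.txt"],  # no note: run was interrupted
        "Music": ["song.mp3"],  # untouched directory
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    r = triage_tree(sample_root)
    print(f"{len(r['encrypted'])} encrypted files, {len(r['notes'])} ransom notes")
    print("victim ids:", sorted(r["victim_ids"]), "contacts:", sorted(r["emails"]))
    print("by original extension:", dict(r["by_extension"]))
    print("directories with encrypted files but no note:", r["dirs_without_note"])
```

Run it against a real victim by replacing build_sample_tree() with the root of the affected drive; the recovered original names only tell you what was hit, not how to get the contents back, and more than one victim id in the output means the computer was hit by more than one run and the criminals will treat each id as a separate ransom.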
| Name | Bablo ransomware virus |
| --- | --- |
| Type | Filecoder, crypto virus, crypto malware, file locker, ransomware |
| Encrypted files extension | .id[user-id].[email@example.com].bablo, appended after the original name and extension |
| Ransom note | info.txt, info.hta |
| Ransom amount | $300-$1000 in Bitcoins |
| Detection names | Trojan/Win32.BantaRansom, Trojan.Ransom.Phobos.F, TR/Crypt.XPACK.Gen, W32/Phobos.C, Trojan.Encoder.29362, Win32/Filecoder.Phobos.C, Trojan-Ransom.Phobos, Ransom.Phobos, Trojan.Win32.Filecoder, Troj/Phobos-B |
| Symptoms | Your personal files fail to open, with an error such as 'Windows can't open this file' or 'How do you want to open this file'. Files named 'info.txt' and 'info.hta' appear in every folder that holds at least one encrypted file. |
| Distribution ways | Phishing e-mails that try to scare the user into acting impulsively; drive-by downloads (a machine can be infected simply by visiting a web page that runs malicious code); social-media posts that trick the user into downloading software with a built-in ransomware downloader or into clicking a misleading link; malicious advertisements that deliver malware with no user interaction. Phobos variants are also widely reported to be installed by hand after the attackers log in to a Remote Desktop (RDP) service exposed to the internet with a weak or brute-forced password. |
| Removal | To remove Bablo ransomware, use the removal guide below |
| Recover | To recover files encrypted by Bablo ransomware, use the steps below |
If you came across this article, you were probably searching for a way to remove the Bablo virus that does not involve paying the ransom. The goal of this blog post is to give you the instructions you need to understand how to remove the ransomware and how to recover the documents, photos and music it encrypted.
- How to remove Bablo ransomware virus
- How to decrypt .[email@example.com].bablo files
- How to restore .[firstname.lastname@example.org].bablo files
- How to protect your PC from Bablo crypto virus
How to remove Bablo crypto virus
Do not start decrypting or restoring files right away; that would be a mistake, because a ransomware process that is still running will simply encrypt the recovered files again. Go step by step instead: first disconnect the computer from the network and unplug any external drives so that shares and backups are not encrypted any further, then scan the computer for the ransomware, detect and remove the Bablo virus, and only then decrypt (restore) the files. To find the ransomware we recommend the free malware removal tools below. Using more than one tool, each based on a different anti-virus (anti-malware) engine, lowers the chance that the infection is missed, and a clean result from more than one engine is the practical way to be confident that the ransomware has been found and completely removed.
Remove Bablo ransomware with Zemana Free
Zemana Free is a malicious-software scanner that is useful for detecting and removing Bablo ransomware. The steps below explain how to download, install and use Zemana Free to scan your computer and remove ransomware, malware, trojans, adware, spyware and worms for free.
- Download Zemana AntiMalware from the following link.
- Once the installation file has downloaded, double-click Zemana.AntiMalware.Setup. This starts the Zemana Anti Malware setup on your system.
- Select the installation language and click the 'OK' button.
- On the next screen, 'Setup Wizard', click the 'Next' button and follow the prompts.
- When the installation is complete, Zemana Anti Malware launches automatically. If it does not, double-click the Zemana AntiMalware (ZAM) icon on your desktop.
- Now that Zemana is installed, here is how to use it to delete Bablo ransomware from your computer.
- After Zemana starts you will see a window as shown below; click the 'Scan' button. Zemana Anti-Malware will scan the whole computer for the Bablo virus.
- Watch the screen while Zemana scans your computer.
- When Zemana Anti Malware (ZAM) has finished scanning your computer, the results are displayed in the scan report. To remove all the threats found, press the 'Next' button.
- Zemana Free may require a system reboot to complete the Bablo ransomware removal.
- To remove the crypto virus permanently, click the 'Quarantine' icon, select all the malicious software, adware, PUPs and other threats, and press Delete.
- Reboot your PC to complete the crypto virus removal procedure.
Use MalwareBytes AntiMalware (MBAM) to remove Bablo ransomware
You can remove the Bablo ransomware virus automatically with MalwareBytes. We suggest this free malicious-software removal tool because it removes crypto viruses, adware, malware and other unwanted applications together with all their components: files, folders and registry entries.
- MalwareBytes AntiMalware can be downloaded from the following link. Save it on your Windows desktop or in any other place.
- When the download is finished, close all apps and windows on your PC. Open the directory in which you saved the file and double-click the icon named mb3-setup.
- Click the Next button and follow the prompts.
- Once installation is done, press the "Scan Now" button to scan the system for the Bablo crypto virus and for other threats such as malware and trojans. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your machine and the speed of your computer.
- Once the system scan is done, the Scan Results are displayed with all detected threats marked. Remove them all by clicking "Quarantine Selected". When disinfection is complete, you may be prompted to reboot your PC.
The following video gives step-by-step instructions on how to remove browser hijackers, adware and other malware with MalwareBytes.
Remove Bablo ransomware virus with Kaspersky virus removal tool
Kaspersky Virus Removal Tool (KVRT) is free and easy to use. It scans for and removes crypto viruses, malware, potentially unwanted applications and adware, including the kind that changes the settings of Chrome, Edge, Microsoft Internet Explorer and Firefox, and it can reset those browsers to their defaults. KVRT also finds and removes malicious registry entries and files hidden on the computer.
Download Kaspersky virus removal tool (KVRT) on your personal computer from the following link.
After the download is finished, double-click the KVRT icon. Once initialization is done you will see the KVRT screen shown in the image below.
Click Change Parameters and tick all your drives, then click OK to close the Parameters window. Next click the Start scan button to scan the system for the Bablo crypto malware and other trojans and malicious programs. This can take some time, so please be patient. Each time a threat is detected the count of security threats is updated. Wait until the check is finished.
When KVRT has finished scanning, review all the items found on your PC, as shown below.
Review the report and then press Continue to begin the cleaning procedure.
How to decrypt .[email@example.com].bablo files
All files carrying the '.bablo' extension are encrypted; their contents cannot be unlocked by removing the extension or by renaming the file. At the time of writing there is no way to decrypt files encrypted by the Bablo virus, because decryption needs the unique key that only the criminals hold. Before giving up on the files, check the No More Ransom project and the ID Ransomware service, which catalogue the free decryptors that exist for identified ransomware families, and keep a copy of the encrypted files and the ransom note in any case: decryptors for other families have been published long after the infection, once keys were seized or leaked.
Never pay the ransom! Some users, wishing to regain access to their blocked documents, photos and music, pay the ransom to the criminals. Remember before doing so that you are dealing with dishonest people, and there is a real chance that after the money is transferred they will not provide a decryption key at all, or will raise the price.
Fortunately, there are alternative methods that do not need the key and can in some cases restore the contents of encrypted files. Try to recover the encrypted files using the free tools listed below.
How to restore .[firstname.lastname@example.org].bablo files
As we said above, today you cannot decrypt .bablo files. Fortunately, there are several simple ways that in some cases can help restore the contents of encrypted files without decryption. Each of these methods does not require a decryptor and a unique key, which is in the hands of criminals. The only thing we strongly recommend that you perform (if you have not already done so) is to perform a full scan of the computer. You must be 100% sure that Bablo virus has been removed. To find and remove ransomware, use the free malware removal tools.
Recover .[email@example.com].bablo encrypted files using Shadow Explorer
To recover .[firstname.lastname@example.org].bablo documents, photos and music from Volume Shadow Copies you can use a utility called ShadowExplorer. We recommend it because its interface makes it easy to find and restore the previous versions of the encrypted files you need. Be aware that Phobos variants try to delete the Volume Shadow Copies (using the built-in vssadmin tool, among others) before they start encrypting, so this method only works when that step failed or the copies were protected; if ShadowExplorer shows no restore points for the drive, move on to the PhotoRec method below.
Visit the page linked below to download ShadowExplorer. Save it on your Windows desktop.
When the download is complete, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all, then follow the prompts. Next open the ShadowExplorerPortable folder, as shown on the screen below.
Double-click ShadowExplorerPortable to start it. You will see a window as displayed on the screen below.
In the top left corner, select the drive where the encrypted photos, documents and music are stored and the latest restore point, as below (1 – drive, 2 – restore point).
In the right panel look for a file that you want to restore, right-click it and select Export, as below.
Use PhotoRec to recover .[email@example.com].bablo files
Before a file is encrypted, the Bablo ransomware virus makes a copy of it, encrypts the copy and then deletes the original. The deleted original stays on disk until its sectors are reused, which is what lets file-recovery software such as PhotoRec get it back. Recovery therefore depends on how much has been written to the drive since the infection: use the computer as little as possible, do not install anything on the affected drive, and write the recovered files to a different drive.
Download PhotoRec by clicking on the link below.
Once the download is complete, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all, then follow the prompts. Next open the testdisk-7.0 folder, as shown on the screen below.
Double-click qphotorec_win to run PhotoRec for MS Windows. It displays a screen as shown below.
Select the drive to recover from, as in the image below.
You will see a list of available partitions. Choose the partition that holds the encrypted personal files, as in the image below.
Press the File Formats button and specify the file types to restore; you can enable or disable the recovery of particular types. When this is done, press the OK button.
Next, press the Browse button to choose where the restored files should be written (preferably a different drive), then click Search.
The count of recovered files is updated in real time. All restored documents, photos and music are written to the folder you selected in the previous step, and you can access them even before the recovery finishes.
When the recovery is complete, click the Quit button. Next, open the directory where the restored files are stored. You will see contents as shown below.
All restored photos, documents and music are written to the recup_dir.1, recup_dir.2 … sub-directories. PhotoRec does not recover the original file names, so if you are looking for a specific file, sort the restored files by extension and/or date/time.
How to protect your PC from Bablo crypto virus
Most anti-virus products already include protection against ransomware, so if your computer has no anti-virus program, install one. As an extra layer, use HitmanPro.Alert: it watches for processes that start encrypting documents, stops them and can roll back the files they touched. Keep in mind that no single tool stops every ransomware, and that a behaviour-based blocker only acts once encryption has begun. Two measures matter at least as much: keep backups on media that are disconnected from the computer when not in use (Bablo encrypts every drive it can reach), and do not expose Remote Desktop (RDP) to the internet behind password-only logins, as that is the route by which Phobos variants are commonly installed. HitmanPro.Alert runs on all versions of Windows from Windows XP to Windows 10.
Download HitmanPro.Alert from the link below.
After the download is finished, open the folder in which you saved it. You will see an icon like the one below.
Double-click the HitmanPro Alert icon. When the utility launches, you are shown a window where you can choose a level of protection, as shown on the screen below.
Now click the Install button to activate the protection.
This guide was created to help all victims of the Bablo ransomware virus. We tried to answer the following questions: how to remove the ransomware, and how to recover .[firstname.lastname@example.org].bablo files. We hope that the information in this manual has helped you.
If you have questions, write to us by leaving a comment below. If you need more help with Bablo-related issues, go here.