TomyBank ransomware (virus) - Recovery Instructions Included
TomyBank virus Removal Guide
What is TomyBank ransomware?
TomyBank ransomware changes the structure of your files, making it impossible to access them
Once file encryption is complete, the TomyBank virus delivers a ransom note
TomyBank is a ransomware-type computer infection that has been discovered by security researcher Karsten Hahn[1] in the middle of April 2022. Just like any other malware of this type, it encrypts all personal data located on the system and then demands a ransom to be paid for its return. The main goal is to make victims have a difficult choice between losing their pictures, documents, videos, and other important files and paying a hefty sum to cybercriminals.
Paying TomyBank virus authors is not recommended by any security researchers, as this might lead to financial losses. There is no guarantee that hackers would keep their word and send the required decryptor. Instead, we recommend checking out more details about the infection below – we explain how to deal with the virus and how to attempt an alternative data recovery without paying the crooks.
Name | TomyBank |
---|---|
Type | Ransomware, data locking malware, cryptovirus |
Related files | xaqipaxowq.exe |
File extension | The virus does not add an extension but instead scrambles file names, replacing them with random characters |
Ransom note | README_[ID].txt |
Contact | tomybank@privyonline.net or Tox account EE81FF60B5C7C6715FE29CDC24D31B27D749 D78B699C7D068046E80817DFEF6BEAF8E1D31114 |
File Recovery | If no backups are available, recovering data is almost impossible. Nonetheless, we suggest you try the alternative methods that could help you in some cases – we list them below |
Malware removal | Perform a full system scan with powerful security software, such as SpyHunter 5Combo Cleaner |
System fix | Malware can seriously tamper with Windows systems, causing errors, crashes, lag, and other stability issues after it is terminated. To remediate the OS and avoid its reinstallation, we recommend scanning it with the FortectIntego repair tool |
TomyBank ransomware operation
Upon installation, the TomyBank virus does not immediately begin the file locking process. Its first step is to prepare the computer for this process, and it does so by dropping a multitude of malicious files, altering registries,[2] deleting Shadow Volume Copies, and much more.
As soon as the system compromise is complete, malware does not waste any time and immediately performs data encryption which usually lasts only brief moments (this process might be longer if a huge amount of data is present on the system). During this process, all the personal files' names are scrabbled and replaced with a randomly-generated string comprising of alphanumeric characters.
The files become unrecognizable by the system and can't be opened no matter which program is being used for that. This is because files are safely encrypted and require a unique decryption key to return back to normal. This key is stored by cybercriminals and they are not willing to give it away for free.
According to the ransom note README_[ID].txt, which is dropped directly on the desktop, victims are meant to pay $20,000 worth of Bitcoin to crooks. If the demands are not met, cybercriminals claim they would release the sensitive information to the dark net, so it can later be used for other malicious purposes.
Detection list
One of the TomyBank ransomware samples was uploaded by a security researcher on Virus Total. The malicious file that would extract and download malware payload was xaqipaxowq.exe, although keep in mind that this file name might vary depending on the infection method. Security vendors detect the file under the following names:[3]
- Gen:Variant.Lazy.154614
- Trojan.Encoder.35192
- A Variant Of MSIL/Filecoder.OT
- Ransom.FileCryptor
- HEUR:Trojan-Ransom.Win32.Generic
- Trojan:Win32/Wacatac.B!ml, etc.
It is not uncommon for new ransomware strains to be assigned generic names such as Wacatac, for example. Please follow the removal steps below to correctly eliminate the virus from your machine.
Malware infiltration can be stopped by powerful security solutions
Distribution and prevention
There are several methods by which virus authors could distribute the ransomware. Among the most common ones are spam email attachments, software cracks, or various social engineering attacks encountered online by accident. We recommend being careful when opening new emails – never allow MS Office documents to run macros on your device unless you are sure the source is secure and trusted.
Avoiding high-risk websites such as illegal video streaming, peer-to-peer networks, and similar, is highly recommended. These sites are commonly poorly regulated and are a perfect breeding ground for cybercriminals and their malware. Likewise, never trust messages that claim your system has been infected by viruses and they need to be removed with some special antivirus tool. Fake Flash Player updates are also very common when it comes to malware distribution.
Good awareness of threats, reliable security applications (for example, SpyHunter 5Combo Cleaner, Malwarebytes), and proper data backups are vital when it comes to the prevention of ransomware attacks.
Step 1. Remove the infection
While many ransomware viruses would self-destroy after they perform file encryption, there is no guarantee that no malicious modules would be left behind. Some ransomware is also distributed in a bundle with other parasites, hence there could be more malware present.
In order to be sure that TomyBank removal is successful, you should perform a full system scan with SpyHunter 5Combo Cleaner, Malwarebytes, or another powerful security software. If the virus is interfering with elimination, you should access Safe Mode with Networking and perform the scan from there. If you need help with this process, please check the instructions at the very bottom of the article.
Note: you should disconnect the affected machine from the server and network if applicable before you scan the system.
Step 2. Fix virus damage
Malware can cause tremendous damage to Windows systems to the point where a full reinstallation could be required. For example, an infection can alter the Windows registry database, damage vital bootup, and other sections, delete or corrupt DLL files, etc. Antivirus software can't repair damaged files, and a specialized app should be used instead.
- Download FortectIntego
- Click on the ReimageRepair.exe
- If User Account Control (UAC) shows up, select Yes
- Press Install and wait till the program finishes the installation process
- The analysis of your machine will begin immediately
- Once complete, check the results – they will be listed in the Summary
- You can now click on each of the issues and fix them manually
- If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.
Step 3. File recovery options
Paying cybercriminals shouldn't be an option, as it carries great risks. However, it is important to note that the data would remain locked even after TomyBank ransomware removal – this is one of the main reasons why this type of malware is so dangerous. Backups can be the best way to ensure that ransomware could cause a minimal amount of damage.
Unfortunately, many users are unprepared for the attack and rarely have working backups ready. In this case, there are few chances of restoring the encrypted files successfully unless a decryptor is created by security researchers. Nonetheless, you could try using recovery software which could be successful in restoring at least some of the lost data:
- Download Data Recovery Pro.
- Double-click the installer to launch it.
- Follow on-screen instructions to install the software.
- As soon as you press Finish, you can use the app.
- Select Everything or pick individual folders where you want the files to be recovered from.
- Press Next.
- At the bottom, enable Deep scan and pick which Disks you want to be scanned.
- Press Scan and wait till it is complete.
- You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
- Press Recover to retrieve your files.
Decryption tools might also be created for certain ransomware strains thanks to the efforts of security researchers. In some cases, law authorities seize the servers of malicious actors,[2] which allows the keys to be released by the public – this is usually done by reputable security vendors. Here are a few links you might find useful:
- No More Ransom Project
- Free Ransomware Decryptors by Kaspersky
- Free Ransomware Decryption Tools from Emsisoft
- Avast decryptors
Other tips
Once you get rid of malware, you should also consider contacting the local authorities and reporting the crime. It can help greatly for law enforcement – many criminals were captured and decryption keys released to victims already. All you have to do is include as many details as possible and contact the following bodies:
- USA – Internet Crime Complaint Center IC3
- United Kingdom – ActionFraud
- Canada – Canadian Anti-Fraud Centre
- Australia – ScamWatch
- New Zealand – ConsumerProtection
- Germany – Polizei
- France – Ministère de l'Intérieur
Below you will find more tips that could be useful for you, including an extensive guide on how to prepare data backups correctly.
Getting rid of TomyBank virus. Follow these steps
Manual removal using Safe Mode
Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
Downloads
Recycle Bin
Temporary files - Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Create data backups to avoid file loss in the future
One of the many countermeasures for home users against ransomware is data backups. Even if your Windows get corrupted, you can reinstall everything from scratch and retrieve files from backups with minimal losses overall. Most importantly, you would not have to pay cybercriminals and risk your money as well.
Therefore, if you have already dealt with a ransomware attack, we strongly advise you to prepare backups for future use. There are two options available to you:
- Backup on a physical external drive, such as a USB flash drive or external HDD.
- Use cloud storage services.
The first method is not that convenient, however, as backups need to constantly be updated manually – although it is very reliable. Therefore, we highly advise choosing cloud storage instead – it is easy to set up and efficient to sustain. The problem with it is that storage space is limited unless you want to pay for the subscription.
Using Microsoft OneDrive
OneDrive is a built-in tool that comes with every modern Windows version. By default, you get 5 GB of storage that you can use for free. You can increase that storage space, but for a price. Here's how to setup backups for OneDrive:
- Click on the OneDrive icon within your system tray.
- Select Help & Settings > Settings.
- If you don't see your email under the Account tab, you should click Add an account and proceed with the on-screen instructions to set yourself up.
- Once done, move to the Backup tab and click Manage backup.
- Select Desktop, Documents, and Pictures, or a combination of whichever folders you want to backup.
- Press Start backup.
After this, all the files that are imported into the above-mentioned folders will be automatically backed for you. If you want to add other folders or files, you have to do that manually. For that, open File Explorer by pressing Win + E on your keyboard, and then click on the OneDrive icon. You should drag and drop folders you want to backup (or you can use Copy/Paste as well).
Using Google Drive
Google Drive is another great solution for free backups. The good news is that you get as much as 15GB for free by choosing this storage. There are also paid versions available, with significantly more storage to choose from.
You can access Google Drive via the web browser or use a desktop app you can download on the official website. If you want your files to be synced automatically, you will have to download the app, however.
- Download the Google Drive app installer and click on it.
- Wait a few seconds for it to be installed.
- Now click the arrow within your system tray – you should see Google Drive icon there, click it once.
- Click Get Started.
- Enter all the required information – your email/phone, and password.
- Now pick what you want to sync and backup. You can click on Choose Folder to add additional folders to the list.
- Once done, pick Next.
- Now you can select to sync items to be visible on your computer.
- Finally, press Start and wait till the sync is complete. Your files are now being backed up.
Report the incident to your local authorities
Ransomware is a huge business that is highly illegal, and authorities are very involved in catching malware operators. To have increased chances of identifying the culprits, the agencies need information. Therefore, by reporting the crime, you could help with stopping the cybercriminal activities and catching the threat actors. Make sure you include all the possible details, including how did you notice the attack, when it happened, etc. Additionally, providing documents such as ransom notes, examples of encrypted files, or malware executables would also be beneficial.
Law enforcement agencies typically deal with online fraud and cybercrime, although it depends on where you live. Here is the list of local authority groups that handle incidents like ransomware attacks, sorted by country:
- USA – Internet Crime Complaint Center IC3
- United Kingdom – ActionFraud
- Canada – Canadian Anti-Fraud Centre
- Australia – ScamWatch
- New Zealand – ConsumerProtection
- Germany – Polizei
- France – Ministère de l'Intérieur
If your country is not listed above, you should contact the local police department or communications center.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from TomyBank and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Protect your privacy – employ a VPN
There are several ways how to make your online time more private – you can access an incognito tab. However, there is no secret that even in this mode, you are tracked for advertising purposes. There is a way to add an extra layer of protection and create a completely anonymous web browsing practice with the help of Private Internet Access VPN. This software reroutes traffic through different servers, thus leaving your IP address and geolocation in disguise. Besides, it is based on a strict no-log policy, meaning that no data will be recorded, leaked, and available for both first and third parties. The combination of a secure web browser and Private Internet Access VPN will let you browse the Internet without a feeling of being spied or targeted by criminals.
No backups? No problem. Use a data recovery tool
If you wonder how data loss can occur, you should not look any further for answers – human errors, malware attacks, hardware failures, power cuts, natural disasters, or even simple negligence. In some cases, lost files are extremely important, and many straight out panic when such an unfortunate course of events happen. Due to this, you should always ensure that you prepare proper data backups on a regular basis.
If you were caught by surprise and did not have any backups to restore your files from, not everything is lost. Data Recovery Pro is one of the leading file recovery solutions you can find on the market – it is likely to restore even lost emails or data located on an external device.
- ^ Karsten Hahn. #TomyBank ransomware README_
.txt (X is a digit) tomybank@privyonline.net . Twitter. Social network. - ^ Tim Fisher. What Is the Windows Registry?. Lifewire. Tech News, Reviews, Help & How-Tos.
- ^ xaqipaxowq.exe. Virus Total. File and URL analysis.