Phobos ransomware locks personal files for a ransom

The first ransom note (called Phobos.hta) is an HTML application which states that all files have been encrypted due to a security problem on the PC. To restore the files, the note instructs the victim to contact the criminals via one of the provided email addresses; the address varies depending on the virus version. The victim is allowed to send up to 5 files for free decryption to test that the decryptor actually works. The attackers are known to demand extremely high ransoms (around $3000-$5000 per infected host). The info.txt ransom note, a plain text file, suggests that the ransomware was installed due to vulnerabilities in the computer's software. It also recommends creating a backup of the files before testing third-party decryption tools. This is actually a good tip: always test decryption tools on a copy of the files, because such tools can modify them, and the change may not be reversible if anything goes wrong. Thirdly, info.txt warns not to trust third-party decryption tool resellers. Finally, the note says that the criminals' goal is to return data to the victims, which is obviously false; the main aim of these cybercriminals is to collect ransoms. The virus continues encrypting files on the computer and on network shares even after the ransom note is displayed. Phobos ransomware targets all file types, including documents, photos, databases, music, videos, and executables. The crypto-Trojan sets the computer's clock back one year in order to confuse the security software installed on the system. It also deletes Volume Shadow Copies to prevent the victim from restoring files for free. Next, it deletes the backup catalog on the computer and disables the firewall. Unfortunately, there is no way to decrypt files locked by this ransomware, as it uses strong AES and RSA encryption. The process cannot be reversed without the keys held by the cybercriminals, and security experts are currently unable to obtain them.
All you can do is back up the encrypted data and hope for the best. If you have been infected with this malicious virus, take action to remove Phobos ransomware as soon as you can. In general, it is very dangerous to keep this malware on your computer, as you never know what other malicious changes it has made. Please follow the guidelines at the end of this article for successful virus removal.
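The behaviours described above (deleting Volume Shadow Copies and the backup catalog, disabling the firewall, setting the clock back a year, and dropping Phobos.hta and info.txt) are host activity a defender can alert on before encryption finishes. The following Python script is an added example, not code from the original article. The records it processes are constructed for illustration in a simplified timestamp|kind|field1|field2 layout; real telemetry would be Sysmon process-creation events, Windows Security logon and time-change events, and file-write auditing. The command lines it matches are the ordinary Windows utilities for those actions and are assumed for illustration, not recovered from a Phobos sample.

```python
"""Flag the host-side behaviours the article attributes to Phobos.

Added example: the log layout (timestamp|kind|field1|field2) and the sample
records are constructed for illustration; the matched command lines are the
ordinary Windows utilities for each action and are assumed, not recovered
from a Phobos sample.
"""
import re
from datetime import datetime, timedelta

# Behaviour name -> regexes applied to the lower-cased command line of a PROC record.
COMMAND_RULES = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ],
    "backup_catalog_deletion": [
        re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b"),
    ],
    "firewall_disabled": [
        re.compile(r"\bnetsh(\.exe)?\b.*\badvfirewall\b.*\bstate\b.*\boff\b"),
    ],
}
# Ransom note file names taken from the article.
RANSOM_NOTE_NAMES = {"phobos.hta", "info.txt"}
# The article says the clock is set back a year; anything beyond this counts as tampering.
CLOCK_ROLLBACK_THRESHOLD = timedelta(days=300)

# Constructed sample records: timestamp|kind|field1|field2
#   PROC  parent image | command line
#   TIME  previous clock value | new clock value
#   FILE  writing image | path written
SAMPLE_LOG = """\
2019-09-24T10:01:02|PROC|explorer.exe|C:\\Windows\\System32\\notepad.exe report.txt
2019-09-24T10:02:40|PROC|cmd.exe|vssadmin list shadows
2019-09-24T10:03:15|PROC|suspect.exe|vssadmin.exe delete shadows /all /quiet
2019-09-24T10:03:16|PROC|suspect.exe|wbadmin delete catalog -quiet
2019-09-24T10:03:18|PROC|suspect.exe|netsh advfirewall set allprofiles state off
2019-09-24T10:03:19|TIME|2019-09-24T10:03:19|2018-09-24T10:03:19
2019-09-24T10:05:00|FILE|suspect.exe|C:\\Users\\Public\\Desktop\\Phobos.hta
2019-09-24T10:05:01|FILE|suspect.exe|C:\\Users\\Public\\Desktop\\info.txt
"""


def analyse(log_text):
    """Return {behaviour: [matching records]} for every record that trips a rule."""
    findings = {}
    for record in log_text.splitlines():
        record = record.strip()
        if not record or record.startswith("#"):
            continue
        parts = record.split("|")
        if len(parts) != 4:
            continue  # malformed record: skip it rather than abort the triage
        _ts, kind, first, second = parts
        if kind == "PROC":
            lowered = second.lower()
            for behaviour, patterns in COMMAND_RULES.items():
                if any(p.search(lowered) for p in patterns):
                    findings.setdefault(behaviour, []).append(record)
        elif kind == "TIME":
            before, after = (datetime.fromisoformat(v) for v in (first, second))
            if before - after >= CLOCK_ROLLBACK_THRESHOLD:
                findings.setdefault("clock_rolled_back", []).append(record)
        elif kind == "FILE":
            basename = second.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if basename in RANSOM_NOTE_NAMES:
                findings.setdefault("ransom_note_written", []).append(record)
    return findings


def verdict(findings):
    """Backup destruction plus at least one other behaviour is treated as ransomware."""
    destructive = {"shadow_copy_deletion", "backup_catalog_deletion"}
    seen = set(findings)
    return bool(seen & destructive) and len(seen) >= 2


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for behaviour, records in result.items():
        print(f"{behaviour}: {len(records)} record(s)")
    print("ransomware-like:", verdict(result))
```

The verdict deliberately requires backup destruction plus one more behaviour: a lone `vssadmin list shadows` from an administrator is routine, whereas shadow-copy deletion followed within seconds by a firewall change or a clock rollback is the sequence worth isolating a host for.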

Criminals demand $3000-$5000 in Bitcoin

Victims who have contacted the cyber criminals have received an auto-response which specifies the ransom price for the Phobos decryption tool. The attackers also offer ransomware prevention tips for 0.1 BTC, which is approximately $800; luckily enough, we provide even better tips for free on our site. The relevant part of the auto-response reads: "We also offer service to you. Full of advice for protecting against attacks? – The price of 0.1 BTC, and remember our work is very hard. And it requires a lot of time and costs."

Reasons why you shouldn’t pay the ransom:

Criminals use a variety of email addresses, ICQ usernames and file markers in new virus versions

This ransomware releases new versions every now and then, and it tends to change the contact email addresses as well as the extensions it uses frequently. Older Phobos variants append an ID consisting of an 8-character string, while newer versions add 4 extra digits after it. See some examples of known email and extension combinations below (for both newer and older ransomware versions).

.[1FA6X721-6382].[painplain98@protonmail.com].calix
.id[5AH4C500-2423].[hanesworth.fabian@aol.com].deal
.id-4EA0B720.[job2019@tutanota.com].phobos
.id-2CH4D4VB.[prejimzalma1972@aol.com].phoenix
.id[70N40B9Z-1117].[DonovanTudor@aol.com].com
.id[70C80V9F-1727].[wewillhelpyou@qq.com].adage
.id[25588947-2385].[unlockfiles@qq.com].Caleb
.id[6C31BD38-4296].[lockhelp@qq.com].acute
.id[F6593JDA-2271].[raynorzlol@tutanota.com].Adame
.id[5E3AA9E3-1023].[Tedmundboardus@aol.com].help
.id[97664BCB-2562].[crysall.g@aol.com].banjo
.id[4D21BF37-2115].[datadecryption@countermail.com].Acton
.id[FA10CE41-1104].[kew07@qq.com].ACTIN
.id[H6RE80A1-1198].[returnmefiles@aol.com].ACTOR

Recent versions of this ransomware substitute the email address with an ICQ username. For example, the XHAMSTER ransomware variant leaves its ICQ username, which is @xhamster2020. The most prevalent variants tend to use the .phobos, .calix, .deal, .acton or .acute file extensions; this is evident from the number of user complaints we receive daily.
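The marker layout described in the two passages above (an optional "id" prefix, an 8-character victim ID with or without the 4-digit suffix, a bracketed contact that may be an email address or an ICQ handle, and the variant extension) is regular enough to parse, which lets an incident responder identify the variant and count affected files from a plain directory listing. The Python below is an added example, not code from the original article or from any Phobos sample; the sample listing mixes names built from the article's list with one constructed ICQ-style name, and the exact text inside the brackets for ICQ variants is an assumption.

```python
"""Parse the Phobos file marker described in the article.

Added example, not from the original article or any Phobos sample. Layouts:
  newer:  <name>.id[XXXXXXXX-NNNN].[contact].ext
  older:  <name>.id-XXXXXXXX.[contact].ext
One listed sample (.[1FA6X721-6382]...) lacks the literal "id", so it is
optional. The contact slot holds an email address or, in recent variants,
an ICQ handle; the exact ICQ text inside the brackets is assumed here.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

SUFFIX_RE = re.compile(
    r"\.(?:id)?"                                            # optional literal "id"
    r"(?:\[(?P<id_new>[0-9A-Z]{8})-(?P<serial>[0-9]{4})\]"  # newer: [ID-NNNN]
    r"|-(?P<id_old>[0-9A-Z]{8}))"                           # older: -ID
    r"\.\[(?P<contact>[^\[\]]+)\]"                          # [email or ICQ handle]
    r"\.(?P<ext>[A-Za-z0-9]+)$"                             # variant extension
)


@dataclass(frozen=True)
class PhobosMarker:
    original_name: str
    victim_id: str
    serial: Optional[str]   # four extra digits, present only in newer variants
    contact: str
    extension: str

    @property
    def generation(self) -> str:
        return "new" if self.serial is not None else "old"


def parse_marker(filename: str) -> Optional[PhobosMarker]:
    """Return the marker fields, or None if the name carries no Phobos suffix."""
    m = SUFFIX_RE.search(filename)
    if m is None:
        return None
    return PhobosMarker(
        original_name=filename[:m.start()],
        victim_id=m.group("id_new") or m.group("id_old"),
        serial=m.group("serial"),
        contact=m.group("contact"),
        extension=m.group("ext"),
    )


def triage(filenames: Iterable[str]) -> dict:
    """Summarise a listing: how many files each (victim ID, contact, extension) touched."""
    summary = {"untouched": 0, "by_marker": {}}
    for name in filenames:
        marker = parse_marker(name)
        if marker is None:
            summary["untouched"] += 1
            continue
        key = (marker.victim_id, marker.contact, marker.extension)
        summary["by_marker"][key] = summary["by_marker"].get(key, 0) + 1
    return summary


# Constructed listing: names built from the article's list plus a made-up ICQ variant.
SAMPLE_LISTING = [
    "budget.xlsx.id[5AH4C500-2423].[hanesworth.fabian@aol.com].deal",
    "notes.txt.id-4EA0B720.[job2019@tutanota.com].phobos",
    "photo.jpg.[1FA6X721-6382].[painplain98@protonmail.com].calix",
    "scan.pdf.id[ABCD1234-0001].[ICQ@xhamster2020].XHAMSTER",  # constructed ICQ-style name
    "info.txt",          # ransom note, not an encrypted file
    "archive.tar.gz",    # untouched file with several dots
]

if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        print(name, "->", parse_marker(name))
    print(triage(SAMPLE_LISTING))
```

Because the regex is anchored at the end of the name and scans for the first position where the whole suffix fits, original names that already contain dots (archive.tar.gz, photo.jpg) are recovered intact, and a file with several markers from repeated infections would be reported under the last one appended.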

Threat Summary


Ransomware distribution scheme

According to security experts, Phobos ransomware is closely related to the Dharma (aka CrySiS) ransomware family. Not surprisingly, it uses similar distribution methods. The main distribution method used to spread this crypto-virus is Remote Desktop connections (RDP). According to security experts, the ransomware is uploaded to vulnerable hosts manually. It is also known that the attackers' PC is named AHMED-PC, and its IP address is located in Tunisia. However, the malware can also reach victims via malicious email spam and infected websites. In other words, if you click on a link in an email you weren't expecting, or visit a website that gives you the sense that something is simply not right, you can end up with ransomware like Dharma, Sodinokibi or even Stop/Djvu. As usual, typical ransomware prevention techniques can help you avoid infection by this and similar viruses.
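Since the article names exposed RDP as the main way this ransomware is deployed by hand, the pattern worth watching for is a burst of failed remote-interactive logons followed by a success from an address outside the network. The Python below is an added example, not code from the original article. Its records are constructed in a simplified timestamp|event|user|source_ip|logon_type layout that mirrors the fields of Windows Security events 4625 (failed logon) and 4624 (successful logon), where logon type 10 is RemoteInteractive, i.e. RDP; the internal address ranges and the thresholds are assumptions to tune for your own environment.

```python
"""Spot the RDP brute-force-then-success pattern behind manual ransomware deployment.

Added example, not from the original article. Records are constructed in a
simplified timestamp|event|user|source_ip|logon_type layout mirroring the
fields of Windows Security events 4625 (failed logon) and 4624 (successful
logon); logon type 10 is RemoteInteractive (RDP).
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: six failures in a few seconds, then a success, from one
# outside address (203.0.113.0/24 is a documentation range); then normal
# activity from an internal workstation.
SAMPLE_EVENTS = """\
2019-09-23T22:10:01|4625|administrator|203.0.113.7|10
2019-09-23T22:10:03|4625|administrator|203.0.113.7|10
2019-09-23T22:10:05|4625|admin|203.0.113.7|10
2019-09-23T22:10:06|4625|backup|203.0.113.7|10
2019-09-23T22:10:08|4625|administrator|203.0.113.7|10
2019-09-23T22:10:09|4625|administrator|203.0.113.7|10
2019-09-23T22:10:12|4624|administrator|203.0.113.7|10
2019-09-24T08:00:00|4624|alice|192.168.1.20|10
2019-09-24T08:05:00|4625|alice|192.168.1.20|10
"""

# Assumed internal ranges; adjust to the network being monitored.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
FAILURE_THRESHOLD = 5          # failed RDP logons from one source ...
WINDOW = timedelta(minutes=5)  # ... within this long before the success
RDP_LOGON_TYPE = 10


def is_external(src):
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def parse_events(text):
    """Turn the constructed records into (timestamp, event_id, user, src, logon_type)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, src, logon_type = line.split("|")
        events.append((datetime.fromisoformat(ts), int(event_id), user, src, int(logon_type)))
    return events


def rdp_alerts(text):
    """Alert when an RDP success follows at least FAILURE_THRESHOLD failures from the same source."""
    alerts = []
    failures = defaultdict(list)   # source address -> timestamps of RDP failures
    for ts, event_id, user, src, logon_type in parse_events(text):
        if logon_type != RDP_LOGON_TYPE:
            continue
        if event_id == 4625:
            failures[src].append(ts)
        elif event_id == 4624:
            recent = [t for t in failures[src] if ts - t <= WINDOW]
            if len(recent) >= FAILURE_THRESHOLD:
                alerts.append({
                    "at": ts.isoformat(),
                    "src": src,
                    "user": user,
                    "failures_before": len(recent),
                    "external": is_external(src),
                })
    return alerts


if __name__ == "__main__":
    for alert in rdp_alerts(SAMPLE_EVENTS):
        print(alert)
```

An alert with "external" set is the case the article describes: the operator got in over RDP from the internet after guessing a password, so the first response is to cut that session, reset the account, and stop exposing RDP directly rather than to hunt for a malicious attachment.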

Remove Phobos ransomware and recover your files

You can remove Phobos ransomware using the guidelines given below. You can speed up this task considerably if you have an anti-malware or antivirus program. However, before you run it, we suggest booting your computer in Safe Mode first. This helps deactivate any malicious processes on your computer that might be set to interfere with the security program's tasks. Our recommended software for malware removal is INTEGO Antivirus. After a successful Phobos virus removal, do not forget to restore your files from a backup. Unfortunately, there are no decryption tools available for this ransomware, since the encryption method it employs is robust and unbreakable.

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair the damage the virus caused to the system. GeeksAdvice.com editors select recommended products based on their effectiveness; we may earn a commission from affiliate links, at no additional cost to you.

Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-the-art technology to provide protection against ransomware, zero-day attacks and advanced threats; Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer.

RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you locate and fix detected issues manually. It is a great PC repair tool to use after you remove malware with a professional antivirus. The full version of the software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses the AVIRA scanning engine to detect existing spyware and malware; if any are found, the software will eliminate them.

Alternative software recommendations

Malwarebytes Anti-Malware

Method 1. Enter Safe Mode with Networking

Before you try to remove the virus, you must start your computer in Safe Mode with Networking. You can find the easiest ways to boot the PC in this mode in our in-depth tutorial, How to Start Windows in Safe Mode. Once in Safe Mode, you can search for and remove Phobos ransomware files. It is very hard to identify the files and registry keys that belong to the ransomware, and malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall this type of computer virus is to use a reliable malware removal program. We suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real time) and RESTORO (repairs virus damage to Windows OS files).

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically. After restoring the system, we recommend scanning it with antivirus or anti-malware software. In most cases there won't be any malware remnants, but it never hurts to double-check. In addition, we highly recommend checking the ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future. Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing the Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning and includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense is an all-in-one system maintenance suite with 7 core components providing real-time protection, on-demand malware removal, system optimization, data recovery, a password manager, online privacy protection and secure drive wiping technology. Due to this wide range of capabilities, System Mechanic Ultimate Defense earns Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend. This article was first published on September 24, 2019, and updated on February 19, 2022.