Geek's Advice

Phobos ransomware locks personal files for a ransom

Phobos ransomware is a name of a virus that uses AES/RSA cryptography to encrypt all files on victim’s computer’s disks. The ransomware changes filenames during the encryption, adding victim’s ID, criminals’ email address and a specific file extension to the original filenames (example: myfile.jpg.ID-31720714.[job2019@tutanota.com].phobos). The latest versions of this virus use such email and extension combinations: .[ICQ@xhamster2020].XHAMSTER, .[painplain98@protonmail.com].calix, .[hanesworth.fabian@aol.com].deal, .[funnyredfox@aol.com].Caleb, .[lockhelp@qq.com].acute, .[xxxnxxx@cock.li].Caley, .[danger@countermail.com].blend, .[helpteam38@protonmail.com].adage, and [wallyredd@aol.com].phoenix. To inform the victim about data recovery options, it creates and opens a ransom note called Phobos.hta and info.txt.

The first ransom note (called Phobos.hta) is a HTML application which states all files have been encrypted due to a security problem on the PC. In order to restore the files, the virus commands to contact the criminals via one of the provided emails. The email address varies depending on the virus version.

The victim is allowed to send up to 5 files for free decryption to test that the decryptor actually works. The attackers are known to demand extremely high ransoms (around $3000-$5000 per infected host).

The info.txt ransom note, which is a plain text file, suggests that ransomware was installed due to vulnerabilities in computer’s software.

It also recommends to create a backup of files when testing third-party decryption tools. It is actually a good tip, because one must create a new copy of files to test decryption tools. The decryption tools you might decide to try can modify files and this might not be reversed if anything goes wrong.

Thirdly, the info.txt warns not to trust third-party decryption tool resellers. Finally, the note says that the criminals’ goal is to return data to the victims, which is obviously fake. The main aim of these cybercriminals is to collect ransoms.

The virus continues encrypting files on the computer and also on the network shares even after the ransom note is displayed. The Phobos ransomware targets all file types, including documents, photos, databases, music, videos, and executives.

The crypto-Trojan changes computer’s time to one year back in order to confuse the security software installed on the system. It also deletes Volume Shadow Copies to prevent the victim from restoring files for free. Next, it deletes the backup catalog on the computer and disables the firewall.

Unfortunately, there are no ways to decrypt files locked by this ransomware is it uses strong AES and RSA encryption methods. The process cannot be reversed without keys owned by cybercriminals, and security experts are currently powerless to obtain them. All you can do is backup the encrypted data and wait for the best.

If you have been infected with this malicious virus, take actions to remove Phobos ransomware virus as soon as you can. In general, it is very dangerous to keep this malware on your computer as you never know what other security issues were implemented. Please follow the guidelines at the end of this article for a successful virus removal.

Criminals demand $3000-$5000 in Bitcoin

Victims who have contacted the cyber criminals have received an auto-response which specifies the ransom price for Phobos decryption tool.

Hello! The cost of the decryption program at the moment is $ 3000
For payment you have 6 hours – you need to buy bitcoin and pay for my wallet.
If you do not pay the decryption program within 6 hours – the price will be $ 5000
Buy bitcoin is best on the site https://localbitcoins.com , choose your country – buy Bitcoin
and pay to my wallet: 1CTzR5oW4uQdY3xhHnmisD3M8shh7qcd6e
After you pay, you will receive all the necessary instructions to decrypt your files.

We also offer service to you. Full of advice for protecting against attacks? – The price of 0.1 BTC, and remember our work is very hard. And it requires a lot of time and costs.

Phobos ransomware developer

The attackers offer ransomware prevention tips for 0.1 BTC, which is approximately $800. Luckily enough, we provide even better tips for free on our site.

Reasons why you shouldn’t pay the ransom:

1. It encourages cybercriminals to continue. If ransomware wasn’t a profitable business, it wouldn’t exist. Unfortunately, many people forget to create data backups and use security methods. As a result, they decide to pay the ransom to recover the files if they can’t wait for free recovery tools to appear or if their files were extremely important to them.
2. There is no guarantee you will get the Phobos decryptor. When speaking of ransomware developers, the number one rule is: You cannot trust them. There are many reports when people paid up and did not receive the antidote. You really do not want to risk spending $3000-$5000 with no return.

Criminals use a variety of email addresses, ICQ usernames and file markers in new virus versions

This ransomware virus releases new versions every now and then, and it tends to change the contact email addresses as well as used extensions frequently.

Older Phobos variants append an ID with string of 8 characters, while newer versions add 4 extra digits after it. See some examples of known email and extension combos below (both for newer and older ransomware versions).

• .[1FA6X721-6382].[painplain98@protonmail.com].calix;
• .id[5AH4C500-2423].[hanesworth.fabian@aol.com].deal;
• .id-4EA0B720.[job2019@tutanota.com].phobos;
• .id-2CH4D4VB.[prejimzalma1972@aol.com].phoenix;
• .id[70N40B9Z-1117].[DonovanTudor@aol.com].com;
• .id[70C80V9F-1727].[wewillhelpyou@qq.com].adage;
• .id[25588947-2385].[unlockfiles@qq.com].Caleb;
• .id[6C31BD38-4296].[lockhelp@qq.com].acute;
• .id[F6593JDA-2271].[raynorzlol@tutanota.com].Adame;
• .id[5E3AA9E3-1023].[Tedmundboardus@aol.com].help;
• .id[97664BCB-2562].[crysall.g@aol.com].banjo;
• .id[4D21BF37-2115].[datadecryption@countermail.com].Acton;
• .id[FA10CE41-1104].[kew07@qq.com].ACTIN;
• .id[H6RE80A1-1198].[returnmefiles@aol.com].ACTOR.

Recent versions of this ransomware substitute the email address with an ICQ username. For example, XHAMSTER ransomware virus leaves its ICQ username which is @xhamster2020.

The most prevalent variants tend to use .phobos, .calix, .deal, .acton or .acute file extensions. It is obvious due to the number of user complaints we receive daily.

Threat Summary

REMOVE MALWARE & REPAIR VIRUS DAMAGE

Ransomware distribution scheme

According to security experts, Phobos ransomware is strongly related to Dharma aka CrySiS ransomware family. Not surprisingly, it uses similar distribution methods.

The main distribution method used to spread this crypto-virus is Remote Desktop Connections (RDP). According to security experts, the ransomware is being uploaded to vulnerable hosts manually. It is also known that the attackers PC is named as AHMED-PC, and its IP is based in Tunisia.

However, the malware can also reach the victims via malicious email spam and infected websites.

In other words, if you decide to click on a link in email that you haven’t been waiting for, or if you decide to visit a website that just gives you a sense that something is simply not right, you can end up with ransomware like Dharma, Sodinokibi or even Stop/Djvu. As usual, typical ransomware prevention techniques can help you avoid infection of this and similar viruses.

Remove Phobos ransomware and recover your files

You can remove Phobos ransomware virus using the guidelines given below. However, you can speed up this task even more if you have an anti-malware or anti-virus program. However, before you run it, we suggest booting your computer in Safe Mode first. This will help you to deactivate any malicious processes on your computer that might be set to interfere with security program’s tasks. Our recommended software for malware removal is INTEGO Antivirus.

After a successful Phobos virus removal, do not forget to restore your files from a backup. Unfortunately, there are no decryption tools available for this ransomware, since the encryption method it employs is robust and unbreakable.

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:

STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS

REMOVE & PROTECT WITH INTEGO

Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7.. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs.

Use INTEGO Antivirus to remove detected threats from your computer.

Read full review here.

STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER

DOWNLOAD RESTORO

RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically.

RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.

Read full review here.

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.

Alternative software recommendations

Malwarebytes Anti-Malware

Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense

If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

This article was first published on September 24, 2019, and updated on February 19, 2022.

Norbert Webb

Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.