Eject Ransomware - How to remove

Eject is a new variant of Phobos ransomware. It attacks Windows PCs and servers, often those with vulnerable RDP credentials.

Eject encrypts files on the infected computer. This is to force victims to pay a ransom to get the decryptor.

In fact, the criminals behind Phobos and Eject are known scammers who may ask for multiple payments. There’s also no free decryption solution for Eject.

About Eject ransomware:

Type of threat	Ransomware.
Eject infection symptoms	Files won’t open, their names include an email address and end with “.eject”, a ransom note asks for money to be paid for the encrypted files to be fixed.
Can you get your files back	Restore data from backup or consider alternative solutions (after removing Eject and resetting passwords), avoid anyone who promises to get your files back in exchange for money.
How to remove Eject ransomware	Find and delete malware with antivirus scanners (Spyhunter, others) or reset your operating system, if needed, reset your passwords and protect your remote access accounts from being hacked.

How to recognize Phobos

Eject ransomware encrypts files. As a result, the files can’t be opened. Well, you can open them, but their content is scrambled. You can see this most easily with text files.

Eject runs files’ internal data run through a cryptographic algorithm and this makes the data unreadable.

The ransomware also changes the names of the encrypted files. This is just to label the files: restoring file names won’t fix the encrypted data.

Provided your Windows is set to display file type extensions, here’s what the encrypted files might be named by the ransomware:

picture.jpg.id[5AC5D52E-2846].[[email protected]].eject

Encrypted file names include an ID unique to the user, an ID unique to the Phobos variant, and an email address to contact the attackers. This pattern is common for Phobos ransomware, including Bablo, Angus, and Help.

Lastly, Eject creates a ransom note. In it, the extortionists responsible for Eject ransomware talk about why and how the victims should pay the ransom. (Don’t pay the ransom! The extortionists behind Phobos can’t be trusted.)

How does Eject infect computers?

Phobos mostly infects servers and computers through RDP. Weak usernames and passwords can be guessed by attackers who then deploy Eject or other malware on the computer.

There are other possibilities, such as malicious email attachments and dangerous downloads.

Modern ransomware is fast, can kill some security processes. Good antivirus security should stop ransomware infections, but things happen – new ransomware variants are meant to be harder for security programs to detect.

When Eject is flagged by antivirus scanners – Virustotal.com – it’s detected by names like Trojan, Ransom, Malicious, and Phobos.

Eject could be installed together with other malware (for instance, spyware). But the good news is that I’ve never heard of Phobos stealing data or engaging in double extortion.

How to remove Eject ransomware

What about the locked files?

Eject encrypts files, essentially corrupting. The only way to reverse this is to get the decryption software and a unique decryption key.

If you have backups, then Eject is no worse than a big waste of time.

But what if you didn’t save your important files in a backup and they got encrypted by Eject?

The people behind Eject ransomware want to be paid in order to send the decryption key to the victim. But even if you can afford the ransom, don’t pay it. The extortionists behind Phobos can’t be trusted. Some victims came forward and said that they paid and got ghosted. Others say that they were asked for additional money.

There’s no free decryption tool for Phobos ransomware.

Be careful of ransomware assistance companies and anyone who promises to fix your files for money.

There are some ways to get your data back after a ransomware attack, but there’s no guarantee that you can get much of your data back. Still, it’s something to look into. The encrypted files are safe, you can put them on a backup drive and they won’t infect anything.

How to delete Eject

You can use antivirus programs, such as Spyhunter, to scan your computer and remove infections. You can also reset your Windows, though if you keep any of your files, it’s still worth doing a malware scan.

Once Eject is gone, make sure that it can’t infect your device again. RDP is often abused by malicious actors to spread ransomware. If you use RDP, protect these accounts – reset the passwords, make them complicated and unique.

Automatic Malware removal tools

How to recover Eject Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Eject Ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Eject Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Eject Ransomware. You can check other tools here.  

Step 3. Restore Eject Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Eject Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Eject Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.