Phobos Ransomware virus - How to remove

Phobos Ransomware is a deadly trojan infection targeting to lock a vast majority of file types and request for a ransom from users in order to unlock them. As Defined by TrendMicro, ransomware is “a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key.”

Phobos Ransomware virus

So in this particular case, Phobos ransomware is crypto-ransomware, that will use a special AES encryption to make your files unusable. Unfortunately, this encryption method is really hard to decrypt thus it can cause you a lot of problems.

Distribution of Phobos Ransomware

It is almost a default feature for ransomware like this – it is distributed via spam e-mail campaigns. The same technique is used to distribute notorious ransomware infections like ViiperWare or Locker ransomware. It is not recommended to open emails from spam category, not even mentioning opening attachments to the files. We have an exact copy of the spam email sent by developers of Phobos virus and it says:

News about your orderHello Client,

Your order xxxxxxxxxxx, placed on xx-xx-xxxx, had just been sent.
The credit Card used for this purchase has been charged today for the total amount of USD 415,70.
Your order has been shipped with UPS and has been assigned the following Tracking Number: xxxxxxx.
Please allow a few hours for the tracking information to be updated on the site. For more information, see the attached file.

The delivery of your order could be delayed due to Customs processing.
You can check the delivery status directly in the section Track your order in the Customer Care area.

This email is sent by ‘Ozean, [email protected]’. As you can see, they try to trick people by telling that over $400 were charged from their credit card and further information can be found in the attachment. If you have encountered this exact email, delete it immediately without opening anything. Besides that, there are probably other ways used by cyber criminals to distribute Phobos ransomware, thus be aware.

Phobos virus specifications

Once inside of the computer, Phobos payload will drop malicious files into several different folders. They usually are %AppData%, %Temp%, %Roaming%, %Common%, %User’s Profile%, %System32/64%. Names of those malicious files can vary. These files allow to gain administrative permissions of your system and run various lines on registry editor. Here are some of the lines that are likely to be run by Phobos virus:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

It will also delete shadow copies and take away the opportunity to restore files from a backup from you. After that, it will encrypt most of your files that. Full list of the file types that can be locked:

PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG

An extension ‘.PHOBOS’ will be added to every single of all of those files. So for instance, if you had a file named ‘photo.jpg’, after the encryption it will llook like ‘photo.jpg.PHOBOS’. Now it is not possible to open or use the file in any other way. In some cases, the virus can add an unique ID and the crypto-email address to the extension, so it would look like “photo.jpg.*uniqueID*[email protected]”.

The wallpaper of your desktop will be also changed automatically. It will be replaced with a ransom note – instructions how to pay the ransom and unlock your files. Original text of the message:

All your files are encrypted
Hello World
Data on this PC turned into a useless binary code
To return to normal, please contact us by this email: [email protected]
Set topic of your message to ‘Encryption ID:{CUSTOM ID}’
Interesting Facts:
1. Over time, the cost increases, do not waste your time
2. Only we can help you, for sure, no one else.
3. BE CAREFUL !!! If you still try to find other solutions to the problem, make a backup copy of the files you want to experiment on, and play with them.
Otherwise they can be permanently damaged
4. Any services that offer you help or just take money from you and disappear, or they will be intermediaries between us, with inflated value. Since the antidote is only among the creators of the virus

We suggest not to contact cyber criminals nor pay the ransom, regardless of the amount you will be asked to pay. Investing money to support cyber criminals, hoping that you will get your files back in return, is not a good idea. Instead of that, you should make sure that malicious files of the virus will be deleted from your system and make sure that this won’t happen again. The best way to achieve it is to download reliable anti-malware application, such as Spyhunter. Just scan your computer with one of those programs and it should automatically detect and eliminate Phobos ransomware.

How to recover Phobos Ransomware virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode
 

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before Phobos Ransomware virus has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3
 

Step 2. Complete removal of Phobos Ransomware virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Phobos Ransomware virus. You can check other tools here.  

Step 3. Restore Phobos Ransomware virus affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Phobos Ransomware virus tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover Phobos Ransomware virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Manual removal

Removal guides in other languages

Phobos Ransomware-Virus (de)  Flag of Germany

One response to “Phobos Ransomware virus

  1. Hello, I need help. All my files have been suffixed with phobos.Data Recovery Pro can not recovery .Do you have a Phobos decryption tool? Thank you!

Leave a Reply

Your email address will not be published. Required fields are marked *