Phobos ransomware is a dangerous cyber infection that mimics the infamous Dharma

Later versions kept the extension .phobos, but used different contact addresses, along with the composite extension. The most recent contact emails changed to ofizducwell1988@aol.com and fobosAmerika@protonmail.ch. Currently, Phobos is actively attacking users all around the world, asking for as much as $5,000 ransom in return for the decryptor. It still remains active – the more recent and prominent versions throughout the last year are Actin ransomware and Mamba ransomware.
The year 2020 shows that Phobos ransomware is not dead. At the beginning of the year researchers warned about ISO variant, and the most recent version that resurfaced in May is dubbed as Eking ransomware. The latter is known for being spread via Adobe Acrobat cracks in particular and using decphob@tuta.io and decphob@protonmail.com emails for contacts. Unfortunately, the decryption software for this expanding virus hasn't yet been developed.
| Name | Phobos |
| Type | Ransomware |
| Known since | 2017 |
| Versions of extensions in the same family | .actin, .actor, .mamba, .phoenix, .acton, .frendi, .adage, .acute, .help, .com, .blend, .WALLET, .1500dollars, .adame, .banjo, .BORISHORSE, .Banta, .BANKS, .Adair, .zax, .HORSELIKER, .BANKS, .Barak, .Caley, .deal, .Cales, .calix, .Caleb, .elder, .octopus, .age, .deuce, .Angus, .Calum, .Dever, .Devon, .devil, .devos, .bablo, .dever, .dewar, .eight, .revon, .eject, .iso, .eight, .eking etc. Most of them are repeated many times throughout the years of the virus activity |
| File extensions | [ID].[OttoZimmerman@protonmail.ch].PHOBOS, [ID].[Job2019@tutanota.com].phobos, [ID].[Cadillac.407@aol.com].phobos, [ID][Raphaeldupon@aol.com].phobos, [ID].[Gomer_simpson2@aol.com].phobos, [ID].[ofizducwell1988@aol.com].phobos, .[ID].[Absonkaine@aol.com].phoenix, .[ID].[Returnmefiles@aol.com].actor, .[ID].[Fileb@protonmail.com].mamba, .[ID].[kew07@qq.com].actin, .[ID].[Randal_inman@aol.com].help, .[ID].[Upfileme@protonmail.com].actin, .[ID].[Returnmefiles@aol.com].actor, .[ID].[DonovanTudor@aol.com].com, .[ID].helpteam38@protonmail.com].adage, .[ID].[danger@countermail.com].blend, .[ID].[Walletdata@hotmail.com].WALLET, .[ID].[Lockhelp@qq.com].acute, .[ID].[Cleverhorse@protonmail.com].1500dollars, .[ID].[Hadleeshelton@aol.com].Acton, .[ID].[The777@tuta.io].Acuna, .[ID].[Crysall.g@aol.com].banjo, .[ID].[worldofdonkeys@protonmail.com].BORISHORSE, .[ID].[Larabita@cock.li].Banta, .[ID].[Decryptbox@airmail.cc].Adair, .[ID].[Zax444@qq.com].zax, .[ID].Decrypt@files.mn].BANKS, .[ID].[Captainpilot@cock.li].barak, .[ID].[Restorebackup@qq.com].Caley, .[ID].[Hanesworth.fabian@aol.com].deal, .[ID].Recoveryfast@airmail.cc].Cales, .[ID].[painplain98@protonmail.com].calix, .[ID].[debourbonvincenz@aol.com].banjo, .[ID].[Decryptfiles@qq.com].Devon, .[ID].[apoyo2019@protonmail.com].bablo, .[ID].[Mr.helper@qq.com].dewar, .[ID].[Backup.iso@aol.com].iso, .id[1E857D00-2776].[use_harrd@protonmail.com].eight, [ID].[decphob@tuta.io].eking, [ID].[decphob@protonmail.com].eking, etc. |
| Encryption algorithm | AES |
| Executable | processhacker-2.39-setup.exe |
| Ransom demand | Varies, can reach up to $5,000 or even $70 000 when the target is large business or company. The amount increases after 6 hours |
| Main dangers | Data loss, money loss, system compromise, malware infiltration |
| Distribution | Infected files as attachments on legitimate-looking emails, malicious files from hacked or malware-related websites, software cracks |
| Elimination | Perform a scan with an anti-malware tool to remove Phobos ransomware |
| Repair | You need to double-check and scan the machine using something like FortectIntego or a system optimizer, so virus damage is deleted and alterations fixed or repaired automatically |
Phobos ransomware virus mostly spreads via malicious spam emails[1] or fake installers[2] (processhacker-2.39-setup.exe) for applications like Process Hacker 2. Once inside the computer, it starts scanning the system, targeting the predetermined file extensions.
The malware encrypts various pictures, multimedia, images, documents, and even databases or other data using AES cryptography.[3] Thus, files locked by Phobos ransomware cannot be opened without a specific decryption tool.
In the Phobos virus ransom note, criminals explain that the information stored on the affected computer was “turned into a useless binary code.” In order to make victims follow the ransom payment instructions, crooks tell that other third-party data recovery services will not help them.
However, they might take the money and disappear. Though, this situation is most likely to happen if you contact and transfer the money to authors of the Phobos ransomware virus. Cybercriminals are not eager to help you because the only focus is getting money from the victims.
Over the course of December 2018 and 2020, hackers released numerous new variants, which use different emails, including:
- Job2019@tutanota.com
- Bad_boy700@aol.com
- Cadillac.407@aol.com
- Everest_2010@aol.com
- Raphaeldupon@aol.com
- paper_plane1@aol.com
- barcelona_100@aol.com
- elizabethz7cu1jones@aol.com
- beltoro905073@aol.com
- Raphaeldupon@aol.com
- Gomer_simpson2@aol.com
- ofizducwell1988@aol.com
- FobosAmerika@protonmail.ch
- decphob@tuta.io
- decphob@protonmail.com

2019 came with even more news about Phobos virus because the ransomware started exploiting weak security to attack users all over the world.[4] It also targets businesses and large companies since these attacks ensure bigger profit from a single victim.[5] Badly secured RDP and other flaws used to enter the network and execute the malicious processes like file-locking and system changes.
Phobos ransomware developers varied their ransom notes, naming them Encrypted.txt and Data.hta. One of the latest messages states the following:
All your files have been encrypted due to security problem with your PC. If you want to restore them, write us to the email ofizducwell1988@aol.com
In case of no answer in 24 hour write us to theese emails: FobosAmerika@protonmail.ch
If there is no response from our mail, you can install the Jabber client and write to us in support of phobos_helper@xmpp.jp or phobos_helper@exploit.im
It seems like the virus is gaining success in receiving payments, as Phobos ransomware developers already received 3.5 BTC ($13,257 at the time of the writing) into their Bitcoin wallet.[6] It once again proves that the ransomware business model is extremely successful, and these types of infections will not go away anywhere. For that reason, using comprehensive security measures is a necessity.

Hackers behind Phobos ransomware warn victims that, in case the ransom is not paid within a specific period, the size will increase significantly. However, cybersecurity specialists do not recommend contacting criminals and following their instructions because it might result in money loss.
If you got infected with the virus, do not panic, stay calm, and focus on Phobos ransomware removal. Trojans and ransomware often operate together to proliferate even more malware on the machine. Thus, ransomware infection might not only damage your files but corrupt the system as well. These threats often install programs, files or other malware to ensure persistence.
However, you should not try to eliminate malware-related files manually. To remove Phobos ransomware safely and successfully, you have to obtain a reputable software and terminate the virus within several minutes. As soon as malware is eliminated, we suggest you scan the machine with FortectIntego as it can fix all the damage done by the Phobos virus.

Phobos ransomware versions
The virus that came out first in 2017 is known for cybersecurity researchers for a while now, so data encryption and other extortion- based functionalities are analyzed. It is believed that the malware mainly is distributed from Ukraine and that the developers mimic dome features from other crypto-malware. Since October 2017, this family expanded, and even though the virus mainly uses .phobos extension to mark the files there are more versions that users tend to think.
Phobos ransomware
The first Phobos virus distribution month up until February 2019, delivered versions with the same .phobos file marker and only changed the contact information or names of the ransom notes. All the first variants looked similar to the Dharma ransomware because of the ransom message delivered as a hta program window and containing the thorough instructions about the payment. The full file marker added to encrypted files includes victims' ID and a full email address besides the .phobos at the end.
These first versions had extensions with contact emails:
- job2019@tutanota.com
- Bad_boy700@aol.com
- cadillac.407@aol.com
- Everest_2010@aol.com
- raphaeldupon@aol.com
- paper_plane1@aol.com
- barcelona_100@aol.com
- elizabethz7cu1jones@aol.com
- beltoro905073@aol.com
- gomer_simpson2@aol.com
- ofizducwell1988@aol.com
- FobosAmerika@protonmail.ch
- phobos.encrypt@qq.com
- pixell@tutanota.com
- elizabeth67bysthompson@aol.com
- pixell@cock.li
The ransom note for these particular versions differs from Encrypted.tx, Data.hta and contained pretty much the same message. The only few differences were particular countries where the versions got released. January 2019 found versions were more spread in Brazil than other countries.
The later ransomware variants throughout these activity years, including this .phobos marker, also mixed up the ransom note file names between Info.txt, info.hta, and encrypted.txt.
Frendi ransomware
Frendi ransomware was the version that came out at the end of February 2019. This is the first version known to researchers that haven't marked files with the initial .phobos appendix. The particular file extension that lands on encoded files include the .frendi appendix and tlalipidas1978@aol.com contact email. The same email address also included as the name of the main executable with ransomware payload.
Later on, a few more .phobos versions got delivered and after that at the start of April additional Frendi virus variants with withdirimugh1982@aol.com contact email emerged.
Phoenix ransomware
.phoenix is a file extension that also appeared in multiple versions of the virus throughout the years. Like other versions, not much changed from the initial cryptovirus, this threat included a few different contact emails in the ransom notes and file markers. autrey.b@aol.com and Costelloh@aol.com, hickeyblair@aol.com are one of those. Ransom notes resembling Dharma family and marked with PHOBOS at the corner remained the same for years, while developers only changed the contact information and IDs per victim.
Actor ransomware
This .actor file appendix appeared once or twice in these Phobos virus campaigns, which is not common for the developers. One of these variants found in 2019, at the start of May, contained returnmefiles@aol.com on the file extension and delivered a text file name Encrypted.txt with a few sentences, as per usual. Although, the common HTA window was not delivered, according to some victims, this version was spotted at different times the same year with the same contact information.
Mamba ransomware
Mamba ransomware came out with a few distinct features and an alternate name of HDD Cryptor. This virus was more dangerous because at first, it started targeting large businesses and attacking victims to gain large amounts via ransoms up to 70 000$. This was one of the versions that exploit unprotected RDP to infect the machines. Contact emails for this particular version are known to be fileb@protonmail.com, back7@protonmail.ch.
Actin ransomware
The version that again targets more PC users and individual victims – Actin ransomware. This is one of many versions in this family, but the only one with the particular .actin file appendix. This threat also uses AES algorithm for the encryption process and demands victims to contact developers via kew07@qq.com to get their files back allegedly. All those claims shouldn't be trusted because these cybercriminals know what they are doing and they have no goal to help people. Actin virus also came out more than a few times and had different emails for each campaign, including upfileme@protonmail.com, thedecrypt111@qq.com.

Acton ransomware
The slightly changed version from the previously described one, Acton ransomware was one of the less repeated variants int his Phobos ransomware family. Delivering the same info.hta program window with the payment instructions and contact information this time threat leaves out a ransom text file. Data encrypted by the virus get extensions including datadecryption@countermail.com.
Adage ransomware
The more recent versions in Phobos ransomware started to get more unique names and file extensions. Virus developers occasionally release variants with the original .phobos, but June 2019, in particular, was the month of new ransomware releases. .adage virus file marker comes in the traditional pattern .id[XXXXXXXX -1096].[lockhelp@qq.com].acute common for all the versions in Phobos family since 2017.
ISO ransomware
In the year 2020 Phobos creators delivered many versions reusing extensions like .jelp, .devos, and .dewarmany times. One of the more prominent and much more spreads around becomes this ISO ransomware version that carries a full pattern on extension .id[XXXXXXX-2589].[backup.iso@aol.com].iso. It remains to place the hat window and text file on the system with random demands and instructions. Ransom note file info.txt and info.hta get placed on the desktop and in other folders. In those messages email and Telegram messaging app contact information get listed: backup.iso@aol.com, @iso_recovery.
Eking ransomware
Despite numerous variants released in 2020, Eking ransomware stands out from the crowd to persistence and considerably high infections rate. The virus has been reported by users of third-party torrenting websites who assured that the payload of the ransomware has been downloaded along with Adobe Acrobat crack. Upon installation, the ransomware appends [id].[decphob@tuta.io].eking file extension and uses either info.hta pop-up or info.txt text file as a ransom note. Both information pages provide decphob@tuta.io and decphob@protonmail.com emails that should be messaged for further instructions.
Distribution methods of the file-encrypting virus
The crypto-malware can get inside the device when a user clicks on a malicious link, opens, or downloads an infected file. The malware executable can be included in the email or presented as a useful program in various torrents or download sites. Thus, users have to be careful and avoid questionable content online.
- Never open spam emails and stay away from the attachments included into an email that is sent from unknown senders.
- Do not download illegal content.
- Stay away from pop-ups informing about available updates.
- Do not download software from untrusted or unauthorized sources.
- Install a reputable antivirus program.
- Keep all your programs updated.
Security experts from Norway[7] suggest creating backups and updating them regularly. Unfortunately, sometimes it’s impossible to decrypt files with third-party software. Therefore, having backups prevents data loss.
Phobos virus elimination guide
Trying to locate and wipe out malware-related files manually might end up with serious damage to the system. Therefore, we do not recommend risking to delete the wrong files. It’s better to dedicate Phobos ransomware removal for the professionals. We mean, you should obtain a reputable malware removal software, such as SpyHunterCombo Cleaner, or MalwarebytesMalwarebytes, and get rid of the cyber infection automatically.
However, ransomware might be resistant and block security programs. For this reason, you should reboot the computer to the Safe Mode with Networking first in order to remove Phobos ransomware virus entirely. You can find the instructions below for this method and other tips that may help termination malware fully.
Also, for files that Phobos ransomware virus may damage and corrupt, try FortectIntego or a PC repair tool, system optimization application. Such software can easily indicate affected or damaged files, programs, system functions, and even fox such damage automatically without triggering additional changes or alterations.
Was this guide helpful?
Be the first to comment