ACTOR ransomware (Easy Removal Guide) - Recovery Instructions Included

ACTOR virus Removal Guide

What is ACTOR ransomware?

ACTOR ransomware is malware that belongs to Phobos cryptovirus family

Actor ransomwareActor ransomware is file locking virus that belongs to Phobos family

ACTOR ransomware is a files virus that was first spotted in May 2019, although numerous variants were released after that, each of which is providing different contact addresses. The virus belongs to the family of Phobos ransomware, and usually is injected manually after a successful RDP attack.[1] Upon infiltration, ACTOR ransomware scans the machine for encryptable files, such as pictures, music, videos, documents, etc., and locks them with a secure AES encryption[2] algorithm.

From that point, none of the data on the local and networked drives are accessible. Likewise, each of the files receives a marker – .actor, although there is also the victim's ID and the associated email added after the original name of the file. For example, a locked file would look as follows: picture.jpg.[6R741B00-2224].[].actor. Typically, the virus also drops two ransom notes – a brief one info.txt and Info.hta, which explains to victims how to proceed next in order to retrieve the ACTOR ransomware decryption tool.

As it is typical with Phobos variants, ACTOR virus does not provide ransom amount, and users are urged to contact hackers via email to negotiate the payment in Bitcoin. However, contacting cybercriminals is not recommended, as there is a chance of being scammed.

Name ACTOR ransomware
Type Cryptovirus, file locking malware
Family Phobos
Main targets Malware primary targets public entities and companies by utilizing poorly protected RDP connections
File extension Each of the non-system and non-executable files receive .actor appendix. However, Phobos is known to use more complicated file name modifications, which consist of an ID and a contact email
Ransom note

Two ransom notes are placed on the desktop and each of the infected files folders: info.txt and Info.hta


There has been multiple Actor virus variants released, and they provide the following contact emails:

File decryption There is no decryption tool available, so the only safe way to retrieve data is via backups. However, it is worth trying using third-party recovery software if there is are no backups available. Paying criminals is risky, as there is no guarantee that they will send a working ACTOR ransomware decryptor
Malware removal Employ reputable anti-malware software to get rid of ransomware. Accessing Safe Mode with Networking can be useful as well, as malware might be programmed to hinder its removal
System recovery If you experience system crashes or errors after malware elimination, use PC repair software FortectIntego

Since ACTOR ransomware is a variant of Phobos, it is very likely that its main targets are public companies that are accessed via poorly protected or unprotected Remote Desktop ports. Once hackers break-in, they can install malware manually, as well as perform other actions as required (for example, they can disable security solutions altogether).

Many ransomware viruses might self delete after encryption is performed. However, there is no guarantee for that, so it is important to check the computer with anti-malware software. Note that ACTOR ransomware might be spread with the help of a backdoor, which might be able to perform other malicious functions, such as keystroke logging. Thus, make sure you pick a reliable anti-malware software to remove ACTOR ransomware promptly. Currently, multiple AVs recognize the virus as follows:[3]

  • Trojan.Ransom.Phobos.E
  • Win/malicious_confidence_80% (W)
  • Trojan:Win32/Tiggre!rfn
  • A Variant Of Win32/Injector.EGEN
  • Artemis!C622680D31E3
  • HEUR:Trojan-PSW.Win32.Agent.gen, etc.

Once the system is infected, the Actor virus attempts to delete Shadow Volume Copies and disable System restore features. Additionally, the malware also modifies the Windows registry to increase its persistence. As a result, restoring encrypted data becomes much more complicated.

Data encryption process renders all personal files useless, and victims are presented with a ransom note which explains:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail
Write this ID in the title of your message
In case of no answer in 24 hours write us to this
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

We suggest you do not agree to fulfill hackers' demands and instead try alternative data redemption methods. While Phobos ransomware family is still not decryptable, there is a possibility that security researchers might discover vulnerabilities within the code and release a free ACTOR ransomware decryptor in the future.

Actor ransomware virusActor ransomware is a type of virus that targets Windows machines and encrypts all user data on them, as well as all the connected networks

Note that, before you perform ACTOR ransomware removal, you should first backup all your encrypted data, as the process might damage it beyond repair. Then access Safe Mode with Networking and scan your machine with anti-malware software. Finally, to remediate the Windows system, we suggest using FortectIntego.

Protect yourself from getting infected with ransomware

Malware developers are sophisticated individuals who chose to use their intelligence for malicious deeds. For that reason, they always seek ways to improve the malware and infect as many victims as possible to have a chance at a bigger payout from the victims. In most of the cases, hackers use several ransomware distribution methods, although some groups choose to stick to one or two.

Currently, ransomware that targets organizations is mostly being imported via targeted phishing emails or RDP attacks. Because threat actors can ask companies for larger ransom sums, they are willing to put in the effort to dig up the required credentials or contact as well as the names of the employees.

Regardless of what malware developers choose as their primary malware distribution method, companies (as well as regular computer users) can repel malware attacks by following these simple security tips from industry experts:[4]

  • Implement and comprehensive security software with real-time protection feature;
  • Always install the latest Windows and other software updates as soon as they are out;
  • Protect the Remote Desktop services wit ha strong password and never use default TCP/UDP port 3389;
  • Prepare and maintain data backups;
  • Do not open spam email attachments that ask you to enable macro feature;
  • Watch out for hyperlinks inside suspicious emails;
  • Never download pirated software or keygens/cracks/loaders, etc.;
  • use strong passwords for all your accounts.

Actor ransomware encrypted filesActor ransomware might leave the files useless forever - especially if no backups are available

Get rid of ACTOR ransomware

You should not rush ACTOR ransomware removal, as it might permanently damage all your files located on the local and networked drives. Thus, before you do anything, you should first copy all the encrypted data to the external HDD, USB stick, or a remote cloud server. Once that is done, you should then perform a full system scan with anti-malware software, such as SpyHunter 5Combo Cleaner or Malwarebytes. If that does not work, it might be that the ransomware is tampering with the anti-malware program. In such a case, access Safe Mode with Networking and perform a full scan from there.

Once you remove ACTOR ransomware, you can then attempt to recover your data. As we explained before, without paying hackers, chances of restoring encrypted files are relatively low. However, it does not mean you should pay criminals, as you might end up losing not only your files but also your money. Instead, you could try our methods provided below.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of ACTOR virus. Follow these steps

Manual removal using Safe Mode

Access Safe Mode with networking if your anti-malware software is not working properly due to the ransomware infection:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove ACTOR using System Restore

System Restore can also be used in order to delete the malicious files from the system:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of ACTOR. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that ACTOR removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove ACTOR from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by ACTOR, you can use several methods to restore them:

You can try using Data Recovery Pro for data restoration

If you did not use your PC much after the infection, you might be able to restore at least some portion of your files with Data Recovery Pro.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by ACTOR ransomware;
  • Restore them.

Windows Previous Versions feature might work

This method will only work if you had System Restore feature enabled.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Make use of ShadowExplorer

ShadowExplorer might recover all your files encrypted by ACTOR ransomware, as long as Shadow Volume Copies were not deleted during the infection process.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryption tool is currently available

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from ACTOR and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Ugnius Kiguolis
About the company Esolutions