LIZARD (Phobos) ransomware (virus) - Free Guide

What is LIZARD (Phobos) ransomware?

LIZARD (Phobos) is a ransomware-type virus that encrypts all files and then tries to extort money from victims

LIZARD (Phobos) ransomware detection list

The main goal of LIZARD (Phobos) virus is to extort money from users after encrypting all files. As soon as the encryption of pictures, videos, documents, databases, and other personal data is finished (files acquire [ID].[r3wuq@tuta.io].LIZARD extension), malware delivers two ransom notes info.hta and info.txt, which explains to victims that they need to contact cybercriminals to via Telegram (@Online7_365) or r3wuq@tuta.io email in order to make the files usable again.

LIZARD ransomware was first spotted in the wild in the middle of June 2022. As the title suggests, it's a variant of an extended malware known as Phobos, which has been around for at least half a decade by now. Previous variants of the strain we already covered are Elbie, GUCCI, XHAMSTER, and many others. While they don't differ much, the contact information and a few other details vary.

The ransom note

The ransom note is the first communication between the attacks and victims, which is why crooks always ensure that it is delivered as soon as the encryption process is finished. The main goal of cybercriminals is to increase the number of users who would pay a ransom, and the only way to do so is to ensure that they have contact information.

The LIZARD virus belongs to the Phobos family – ransomware that has been around for many years now, and it always delivers a couple of ransom messages – a brief one enclosed in a TXT file and an extended message that provides much more details about the whole thing. It reads the following:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail r3wuq@tuta.io
Write this ID in the title of your message
If you do not receive a response within 24 hours, please contact us by Telegram.org account: @Online7_365
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

We do not recommend paying or even contacting cybercriminals, as they may never fulfill their promises and not send you the decryptor even after the payment is made. You are better off making copies of your encrypted files and then attempting to restore them using data recovery software, or waiting for a decryption tool for this Phobos variant.

LIZARD ransomware delvers two ransom notes - one n TXT format and the other cone shows up in a pop-up window

Malware removal

Ransomware victims are often confused about what they should do next after being infected. Indeed, most infected users are first-time victims, and some don't even know what ransomware is. Indeed, it is important to perform malware removal and data recovery in the correct way; otherwise, the whole remediation might fail and result in even more damage.

As soon as malware gains access to the system, it may establish a connection with a remote Command & Control server. This allows cybercriminals to send additional commands to malware to perform, update it, or even deliver additional payloads. Thus, it is extremely important to disconnect your computer from the internet (as well as the network, if applicable) before proceeding with LIZARD (Phobos) virus removal.

• Type in Control Panel in Windows search and press Enter
• Go to Network and Internet
• Click Network and Sharing Center
• On the left, pick Change adapter settings
• Right-click on your connection (for example, Ethernet), and select Disable
• Confirm with Yes.

Once your system is disconnected from the device, you can then perform a full system scan with SpyHunter 5Combo Cleaner, Malwarebytes, or another powerful security software to eliminate the infection. While it is true that ransomware can often self-destruct after performing its job of data encryption, it might not always be the case. Ransomware is often propagated along with other computer infections (mostly data-stealing Trojans), which can cause additional damage to privacy and computer security.

Fix damaged system files

After malware infection, Windows is no longer the same, as some system files might get damaged or even destroyed. This can result in system instability – crashes, failure to launch programs, BSODs,^[1] and many other issues. If you are suffering from these problems after eliminating the infection, use data recovery software as explained below.

• Download FortectIntego
• Click on the ReimageRepair.exe
  
  
• If User Account Control (UAC) shows up, select Yes
• Press Install and wait till the program finishes the installation process
• The analysis of your machine will begin immediately
• Once complete, check the results – they will be listed in the Summary
• You can now click on each of the issues and fix them manually
• If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.

Alternative file recovery methods explained

The final step is to recover the locked files without paying cybercriminals. Users often misunderstand how data encryption works or know nothing about it. Some people believe that they can restore them as soon as they scan their computer with anti-virus or that their files are permanently corrupted as soon as they get encrypted – none of these are true.

The truth is that encryption algorithm such as AES or RSA,^[2] or a combination of those if applied correctly, is extremely secure and can't be broken even by the most sophisticated supercomputers. At the same time, it does not mean that the data affected is corrupted – it simply needs a unique key, which is held on the attacker's servers.

Preparing the backups of your personal files is the best way to mitigate ransomware attacks. If you have not prepared backups, restoring LIZARD ransomware-encrypted data may be very difficult. Without backups, you can either use data recovery software or wait for a decryptor to be ready. Note that if you don't have working backups, you should make copies of encrypted files not to corrupt them during the recovery process.

• Download Data Recovery Pro.
• Double-click the installer to launch it.
  
• Follow on-screen instructions to install the software.
• As soon as you press Finish, you can use the app.
• Select Everything or pick individual folders which you want the files to be recovered from.
• Press Next.
• At the bottom, enable Deep scan and pick which Disks you want to be scanned.
• Press Scan and wait till it is complete.
• You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
• Press Recover to retrieve your files.

Decryption tools might also be created for certain ransomware strains thanks to the efforts of security researchers. In some cases, law authorities seize the servers of malicious actors,^[3] which allows the keys to be released by the public – reputable security vendors usually do this. Here are a few links you might find helpful:

• No More Ransom Project
• Free Ransomware Decryptors by Kaspersky
• Free Ransomware Decryption Tools from Emsisoft
• Avast decryptors