Phantom ransomware (Virus Removal Guide) - Quick Decryption Solution

Phantom virus Removal Guide

What is Phantom ransomware?

Phantom virus is the threat that uses AES encryption algorithm and locks various files on the machine before marking them with .phantom

Phantom ransomware Phantom ransomware is the virus that cretaes the message worh money demands when files get locked. Phantom ransomware is the cryptovirus that can also be called the PhantomChina virus because it is focusing on Chinese-language. The threat was spotted at the start of 2020, but more variants with some different features were noticed in May and July yet again. Criminals behind the threat aim to affect devices of Chinese-speaking and English-speaking users, so the cryptovirus can be distributed all over the world.

Phantom ransomware or PhantomChina virus demands money for the locked files in the ransom note as a program window named !How_To_Decrypt_My_File_ 如何 解密 的 的 文件.hta. The message from criminals states that you can restore your encrypted files when you write the email for creators and provide your ID from the ransom note and other details needed to identify you. You shouldn't fall for these allegations and avoid getting in contact with these people.[1]

Name Phantom ransomware
Targets Chinese-speaking and English-speaking users in the world
Symptoms The program affects machine by encoding original files and marking them with .phantom appendix that indicates affected files from safe pieces
Distribution The threat comes from the internet when the person triggers a macro virus unknowingly or receives the payload file from the pirating software package or malicious website. The infection happens silently, so your files get encrypted right away
Ransom note !How_To_Decrypt_My_File_ 如何 解密 的 的 文件.hta – program window that informs about the encryption procedures and provides contact information needed for the alleged decryption
Elimination You should remove Phantom ransomware from the system and clear the machine properly with anti-malware tools. There is no better option for such an infection because security tools are designed to find all malicious files and programs automatically
Repair The system gets affected significantly when files in the system folders get damaged or corrupted. Try to run FortectIntego, and repair affected parts of the functioning

Phantom ransomware is the virus that locks files using the encryption algorithm,[2] so the reason for ransom demand is there. Money is pretty much the main goal of these criminals behind the threat, so you should stay away from keeping contact with virus developers.

There is no way to unlock files affected by Phantom ransomware virus because researchers haven't developed the decryption tool officially. Yet. It is not common nor quick to receive such a tool when the new threat like this comes out. You shouldn't wait for the program if you want to use the machine again. The best option and the solution is to run the AV tool and clear the system fully.

The message that PhantomChina creators deliver on the screen reads the following(it also comes in Chinese-language):

If you want to restore them, write us to the e-mail:
Write this Your ID in the body of your message
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

Free decryption test as guarantee !

Integrity is our principle!
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)
Attention !

Do not rename encrypted files !
Do not try to decrypt your data using third party software, it may cause permanent data loss !
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam !
Your ID:

Phantom ransomware payment that criminals require should be transferred in Bitcoin, but this activity is not safe for the user. Getting involved in any money transfers with criminals or even communication can lead to more significant damage or even installation of malware when you write the email via provided address (

Phantom ransomware virusPhantom ransomware - the cryptovirus that asks for a payment in cryptocurrency.

PhantomChina is the ransomware considered as one of the more dangerous computer infections because it can damage the machine since it gets to access the crucial parts of the system and damage those files significantly. This notorious virus can be distributed by hackers directly targeting systems with the aim to extort money from victims.

You need to remove Phantom ransomware instead of considering the payment option as the solution. There is no need to pay no matter how convincing the message sounds or how low the ransom amount is. Criminals are not worthy of your trust, especially such extortionists.

You cannot open those encrypted files, and after the process of Phantom ransomware removal, it is not going to be easier. Anti-malware tools are designed to find and terminate threats, malicious files, and programs, but not repair system files or recover from encryption.

Phantom cryptovirusPhantom virus is also known as PhantomChina ransomware.

PhantomChina virus-fighting options

There are some solutions for such threats that are focused on money extortion and system damage. Your infected machine needs some serious help when ransomware like Phantom files virus appears on the system. Experts[3] recommend staying away from paying or contacting criminals, but file recovery is needed.

Antivirus tools are the ones that can terminate the malware for you and help to improve the performance after the infection. But you need a tool like FortectIntego that could recover those system functions, tools, and programs corrupted by the ransomware. Remember that Phantom ransomware elimination is the first and the most important step.

You need to run an AV tool, remove the Phantom virus, then recover functions and affected programs with PC repair or optimization programs, and rely on data backups in regards to your encrypted files. You can try third-party programs, system options listed below, but the most reliable solution is file copies stored on the separate archive.

Terminate Phantom files virus from the system

There are no decryption options when it comes to Phantom ransomware virus because researchers haven't created the tool yet for such an infection. Anything related to such malware can be damaging because files and programs running int he background can be designed to trigger malicious processes.

You need to properly remove Phantom ransomware by running an anti-malware tool and allowing the program to check all the parts of the system. Tools like SpyHunter 5Combo Cleaner or Malwarebytes can find programs, files, associated intruders, and eliminate them automatically for you.

Then you only need to perform the second scan after Phantom ransomware removal that ensures the proper system performance. FortectIntego or another PC repair/ system optimization tool can recover system functions and files corrupted by the threat. Then your machine is prepared for the file restoring procedures.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Phantom virus. Follow these steps

Manual removal using Safe Mode

Safe Mode can give you the opportunity to remove Phantom ransomware using the AV tool of your own

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Phantom using System Restore

System Restore feature can act as a solution for malware removal

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Phantom. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Phantom removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Phantom from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Phantom, you can use several methods to restore them:

The method for file restoring – data recovery program

You can try this tool for encrypted files or even accidentally deleted data

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Phantom ransomware;
  • Restore them.

Windows Previous Versions feature – option for individual files

When your files get encoded by the Phantom ransomware virus and you use System Restore as a method to fight it, you can rely on Windows Previous Versions and recover important files one by one

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer can help with encrypted files

Shadow Volume Copies, when untouched can be restored using ShadowExplorer

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Phantom ransomware decryptor tool is not released to the public yet

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Phantom and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.


Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Lucia Danes
Lucia Danes - Virus researcher

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Lucia Danes
About the company Esolutions