Severity scale: 92/100

Remove Phantom ransomware (Virus Removal Guide) - Quick Decryption Solution

Removal guide by Lucia Danes | Type: Ransomware

Phantom virus is a threat that uses the AES encryption algorithm to lock various files on the machine and then marks them with the .phantom extension

Phantom ransomware is a cryptovirus that is also called the PhantomChina virus because it focuses on Chinese-language users. The threat was spotted at the start of 2020, and more variants with some different features were noticed in May and July. The criminals behind the threat aim to affect devices of Chinese-speaking and English-speaking users, so the cryptovirus can be distributed all over the world.

Phantom ransomware, or PhantomChina virus, demands money for the locked files in a ransom note shown as a program window named !How_To_Decrypt_My_File_ 如何 解密 的 的 文件.hta. The message from the criminals states that you can restore your encrypted files if you email the creators and provide the ID from the ransom note and other details needed to identify you. You shouldn't fall for these claims, and you should avoid getting in contact with these people.[1]

Name: Phantom ransomware
Targets: Chinese-speaking and English-speaking users worldwide
Symptoms: The program encodes original files and marks them with the .phantom extension, which distinguishes affected files from safe ones
Distribution: The threat comes from the internet when the person unknowingly triggers a macro virus or receives the payload file from a pirated software package or a malicious website. The infection happens silently, so your files get encrypted right away
Ransom note: !How_To_Decrypt_My_File_ 如何 解密 的 的 文件.hta – program window that informs about the encryption procedures and provides contact information needed for the alleged decryption
Elimination: You should remove Phantom ransomware from the system and clean the machine properly with anti-malware tools. There is no better option for such an infection because security tools are designed to find all malicious files and programs automatically
Repair: The system is affected significantly when files in the system folders get damaged or corrupted. Try running Reimage Reimage Cleaner Intego to repair the affected functions

Phantom ransomware is a virus that locks files using an encryption algorithm,[2] which is the basis for the ransom demand. Money is the main goal of the criminals behind the threat, so you should stay away from any contact with the virus developers.

There is no way to unlock files affected by Phantom ransomware virus because researchers haven't developed an official decryption tool yet. It is neither common nor quick for such a tool to appear when a new threat like this comes out. You shouldn't wait for the program if you want to use the machine again. The best solution is to run the AV tool and clean the system fully.

The message that PhantomChina creators deliver on the screen reads as follows (it also comes in Chinese):

If you want to restore them, write us to the e-mail: pianist6@protonmail.com
Write this Your ID in the body of your message
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

Free decryption test as guarantee !

Integrity is our principle!
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)
Attention !

Do not rename encrypted files !
Do not try to decrypt your data using third party software, it may cause permanent data loss !
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam !
Your ID:

The Phantom ransomware payment that criminals require should be transferred in Bitcoin, but this activity is not safe for the user. Getting involved in any money transfers with criminals, or even communicating with them, can lead to more significant damage or even installation of malware when you write to the provided address (pianist6@protonmail.com).

Phantom ransomware - the cryptovirus that asks for a payment in cryptocurrency.

PhantomChina ransomware is considered one of the more dangerous computer infections because it gets access to crucial parts of the system and can damage those files significantly. This notorious virus can be distributed by hackers directly targeting systems with the aim of extorting money from victims.

You need to remove Phantom ransomware instead of considering the payment option as the solution. There is no need to pay no matter how convincing the message sounds or how low the ransom amount is. Criminals are not worthy of your trust, especially such extortionists. 

You cannot open those encrypted files, and after the process of Phantom ransomware removal, it is not going to be easier. Anti-malware tools are designed to find and terminate threats, malicious files, and programs, but not repair system files or recover from encryption.

Phantom virus is also known as PhantomChina ransomware.

PhantomChina virus-fighting options 

There are some solutions for such threats that are focused on money extortion and system damage. Your infected machine needs some serious help when ransomware like Phantom files virus appears on the system. Experts[3] recommend staying away from paying or contacting criminals, but file recovery is needed.

Antivirus tools are the ones that can terminate the malware for you and help to improve the performance after the infection. But you need a tool like Reimage Reimage Cleaner Intego that could recover those system functions, tools, and programs corrupted by the ransomware. Remember that Phantom ransomware elimination is the first and the most important step.

You need to run an AV tool, remove the Phantom virus, then recover functions and affected programs with PC repair or optimization programs, and rely on data backups for your encrypted files. You can try third-party programs and the system options listed below, but the most reliable solution is file copies stored in a separate archive.
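As an added example (not part of the original guide or of any vendor tool), the Python script below inventories files carrying the .phantom marker and ransom notes whose names start with !How_To_Decrypt_My_File_, then checks which encrypted files have a clean copy in a backup folder. It assumes the marker is appended to the original file name and that the backup mirrors the live folder layout; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

MARKER = ".phantom"                       # extension named on this page
NOTE_PREFIX = "!how_to_decrypt_my_file_"  # start of the ransom note name on this page

def inventory(root):
    """Walk root and return (encrypted_files, ransom_notes) as sorted Path lists."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low = name.lower()
            if low.endswith(MARKER) and len(name) > len(MARKER):
                encrypted.append(Path(dirpath, name))
            elif low.startswith(NOTE_PREFIX) and low.endswith(".hta"):
                notes.append(Path(dirpath, name))
    return sorted(encrypted), sorted(notes)

def restore_plan(root, backup_root):
    """Map each encrypted file to its backup copy, or None when no copy exists."""
    # Assumption: report.docx becomes report.docx.phantom, and the backup
    # tree uses the same relative paths as the live tree.
    plan = {}
    for enc in inventory(root)[0]:
        original = enc.with_name(enc.name[: -len(MARKER)])
        candidate = Path(backup_root) / original.relative_to(root)
        plan[enc] = candidate if candidate.is_file() else None
    return plan

def demo():
    """Build a constructed sample tree; return (encrypted, notes, restorable) counts."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        (live / "docs").mkdir(parents=True)
        (backup / "docs").mkdir(parents=True)
        samples = ("report.docx.phantom", "budget.xlsx.phantom",
                   "notes.txt", "!How_To_Decrypt_My_File_.hta")
        for name in samples:
            (live / "docs" / name).write_bytes(b"constructed sample")
        (backup / "docs" / "report.docx").write_bytes(b"clean copy")
        enc, notes = inventory(live)
        plan = restore_plan(live, backup)
        return len(enc), len(notes), sum(1 for v in plan.values() if v)

if __name__ == "__main__":
    print(demo())
```

Files that map to None in the plan have no backup copy and are the candidates for the Previous Versions and ShadowExplorer methods described later in this guide.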

Terminate Phantom files virus from the system

There are no decryption options when it comes to Phantom ransomware virus because researchers haven't yet created a tool for this infection. Anything related to such malware can be damaging because files and programs running in the background can be designed to trigger malicious processes.

You need to properly remove Phantom ransomware by running an anti-malware tool and allowing the program to check all parts of the system. Tools like SpyHunter 5, Combo Cleaner or Malwarebytes can find programs, files, and associated intruders, and eliminate them automatically for you.

Then you only need to perform a second scan after Phantom ransomware removal to ensure proper system performance. Reimage Reimage Cleaner Intego or another PC repair/system optimization tool can recover system functions and files corrupted by the threat. Then your machine is prepared for the file restoring procedures.


To remove Phantom virus, follow these steps:

Remove Phantom using Safe Mode with Networking

Safe Mode can give you the opportunity to remove Phantom ransomware using an AV tool of your own.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Phantom

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to the ransomware to complete Phantom removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Phantom using System Restore

The System Restore feature can act as a solution for malware removal.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of Phantom. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage Reimage Cleaner Intego, scan your computer with it, and make sure that Phantom removal was performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Phantom from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Phantom, you can use several methods to restore them:

The method for file restoring – data recovery program

You can try this tool for encrypted files or even accidentally deleted data

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Phantom ransomware;
  • Restore them.

Windows Previous Versions feature – option for individual files

When your files get encoded by the Phantom ransomware virus and you use System Restore as a method to fight it, you can rely on Windows Previous Versions and recover important files one by one.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer can help with encrypted files

Shadow Volume Copies, when left untouched, can be restored using ShadowExplorer.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Phantom ransomware decryptor tool is not released to the public yet

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Phantom and other ransomware, use a reputable anti-spyware tool, such as Reimage Reimage Cleaner Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.

Back up files for later use, in case of a malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have a previous version of every important document or project, you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Lucia Danes - Virus researcher