Phantom virus Removal Guide
What is Phantom ransomware?
Phantom virus is the threat that uses AES encryption algorithm and locks various files on the machine before marking them with .phantom
Phantom ransomware is the virus that cretaes the message worh money demands when files get locked. Phantom ransomware is the cryptovirus that can also be called the PhantomChina virus because it is focusing on Chinese-language. The threat was spotted at the start of 2020, but more variants with some different features were noticed in May and July yet again. Criminals behind the threat aim to affect devices of Chinese-speaking and English-speaking users, so the cryptovirus can be distributed all over the world.
Phantom ransomware or PhantomChina virus demands money for the locked files in the ransom note as a program window named !How_To_Decrypt_My_File_ 如何 解密 的 的 文件.hta. The message from criminals states that you can restore your encrypted files when you write the email for creators and provide your ID from the ransom note and other details needed to identify you. You shouldn't fall for these allegations and avoid getting in contact with these people.
|Targets||Chinese-speaking and English-speaking users in the world|
|Symptoms||The program affects machine by encoding original files and marking them with .phantom appendix that indicates affected files from safe pieces|
|Distribution||The threat comes from the internet when the person triggers a macro virus unknowingly or receives the payload file from the pirating software package or malicious website. The infection happens silently, so your files get encrypted right away|
|Ransom note||!How_To_Decrypt_My_File_ 如何 解密 的 的 文件.hta – program window that informs about the encryption procedures and provides contact information needed for the alleged decryption|
|Elimination||You should remove Phantom ransomware from the system and clear the machine properly with anti-malware tools. There is no better option for such an infection because security tools are designed to find all malicious files and programs automatically|
|Repair||The system gets affected significantly when files in the system folders get damaged or corrupted. Try to run ReimageIntego, and repair affected parts of the functioning|
Phantom ransomware is the virus that locks files using the encryption algorithm, so the reason for ransom demand is there. Money is pretty much the main goal of these criminals behind the threat, so you should stay away from keeping contact with virus developers.
There is no way to unlock files affected by Phantom ransomware virus because researchers haven't developed the decryption tool officially. Yet. It is not common nor quick to receive such a tool when the new threat like this comes out. You shouldn't wait for the program if you want to use the machine again. The best option and the solution is to run the AV tool and clear the system fully.
The message that PhantomChina creators deliver on the screen reads the following(it also comes in Chinese-language):
If you want to restore them, write us to the e-mail: firstname.lastname@example.org
Write this Your ID in the body of your message
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption test as guarantee !
Integrity is our principle!
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)
Do not rename encrypted files !
Do not try to decrypt your data using third party software, it may cause permanent data loss !
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam !
Phantom ransomware payment that criminals require should be transferred in Bitcoin, but this activity is not safe for the user. Getting involved in any money transfers with criminals or even communication can lead to more significant damage or even installation of malware when you write the email via provided address (email@example.com).
Phantom ransomware - the cryptovirus that asks for a payment in cryptocurrency.
PhantomChina is the ransomware considered as one of the more dangerous computer infections because it can damage the machine since it gets to access the crucial parts of the system and damage those files significantly. This notorious virus can be distributed by hackers directly targeting systems with the aim to extort money from victims.
You need to remove Phantom ransomware instead of considering the payment option as the solution. There is no need to pay no matter how convincing the message sounds or how low the ransom amount is. Criminals are not worthy of your trust, especially such extortionists.
You cannot open those encrypted files, and after the process of Phantom ransomware removal, it is not going to be easier. Anti-malware tools are designed to find and terminate threats, malicious files, and programs, but not repair system files or recover from encryption.
Phantom virus is also known as PhantomChina ransomware.
PhantomChina virus-fighting options
There are some solutions for such threats that are focused on money extortion and system damage. Your infected machine needs some serious help when ransomware like Phantom files virus appears on the system. Experts recommend staying away from paying or contacting criminals, but file recovery is needed.
Antivirus tools are the ones that can terminate the malware for you and help to improve the performance after the infection. But you need a tool like ReimageIntego that could recover those system functions, tools, and programs corrupted by the ransomware. Remember that Phantom ransomware elimination is the first and the most important step.
You need to run an AV tool, remove the Phantom virus, then recover functions and affected programs with PC repair or optimization programs, and rely on data backups in regards to your encrypted files. You can try third-party programs, system options listed below, but the most reliable solution is file copies stored on the separate archive.
Terminate Phantom files virus from the system
There are no decryption options when it comes to Phantom ransomware virus because researchers haven't created the tool yet for such an infection. Anything related to such malware can be damaging because files and programs running int he background can be designed to trigger malicious processes.
You need to properly remove Phantom ransomware by running an anti-malware tool and allowing the program to check all the parts of the system. Tools like SpyHunter 5Combo Cleaner or Malwarebytes can find programs, files, associated intruders, and eliminate them automatically for you.
Then you only need to perform the second scan after Phantom ransomware removal that ensures the proper system performance. ReimageIntego or another PC repair/ system optimization tool can recover system functions and files corrupted by the threat. Then your machine is prepared for the file restoring procedures.
Getting rid of Phantom virus. Follow these steps
Manual removal using Safe Mode
Safe Mode can give you the opportunity to remove Phantom ransomware using the AV tool of your own
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Remove Phantom using System Restore
System Restore feature can act as a solution for malware removal
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of Phantom. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your dataGuide which is presented above is supposed to help you remove Phantom from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.
If your files are encrypted by Phantom, you can use several methods to restore them:
The method for file restoring – data recovery program
You can try this tool for encrypted files or even accidentally deleted data
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by Phantom ransomware;
- Restore them.
Windows Previous Versions feature – option for individual files
When your files get encoded by the Phantom ransomware virus and you use System Restore as a method to fight it, you can rely on Windows Previous Versions and recover important files one by one
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
ShadowExplorer can help with encrypted files
Shadow Volume Copies, when untouched can be restored using ShadowExplorer
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Phantom ransomware decryptor tool is not released to the public yet
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Phantom and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Access your website securely from any location
When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.
If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.
Recover files after data-affecting malware attacks
While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.
Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection.