Severity scale:  

Remove Phantom ransomware (Virus Removal Guide) - Quick Decryption Solution

removal by Lucia Danes - - | Type: Ransomware

Phantom virus is the threat that uses AES encryption algorithm and locks various files on the machine before marking them with .phantom

Phantom ransomware Phantom ransomware is the cryptovirus that can also be called the PhantomChina virus because it is focusing on Chinese-language. The threat was spotted at the start of 2020, but more variants with some different features were noticed in May and July yet again. Criminals behind the threat aim to affect devices of Chinese-speaking and English-speaking users, so the cryptovirus can be distributed all over the world.

Phantom ransomware or PhantomChina virus demands money for the locked files in the ransom note as a program window named !How_To_Decrypt_My_File_ 如何 解密 的 的 文件.hta. The message from criminals states that you can restore your encrypted files when you write the email for creators and provide your ID from the ransom note and other details needed to identify you. You shouldn't fall for these allegations and avoid getting in contact with these people.[1] 

Name Phantom ransomware
Targets Chinese-speaking and English-speaking users in the world
Symptoms  The program affects machine by encoding original files and marking them with .phantom appendix that indicates affected files from safe pieces
Distribution  The threat comes from the internet when the person triggers a macro virus unknowingly or receives the payload file from the pirating software package or malicious website. The infection happens silently, so your files get encrypted right away
Ransom note !How_To_Decrypt_My_File_ 如何 解密 的 的 文件.hta – program window that informs about the encryption procedures and provides contact information needed for the alleged decryption
Elimination  You should remove Phantom ransomware from the system and clear the machine properly with anti-malware tools. There is no better option for such an infection because security tools are designed to find all malicious files and programs automatically
Repair The system gets affected significantly when files in the system folders get damaged or corrupted. Try to run ReimageIntego, and repair affected parts of the functioning 

Phantom ransomware is the virus that locks files using the encryption algorithm,[2] so the reason for ransom demand is there. Money is pretty much the main goal of these criminals behind the threat, so you should stay away from keeping contact with virus developers. 

There is no way to unlock files affected by Phantom ransomware virus because researchers haven't developed the decryption tool officially. Yet. It is not common nor quick to receive such a tool when the new threat like this comes out. You shouldn't wait for the program if you want to use the machine again. The best option and the solution is to run the AV tool and clear the system fully.

The message that PhantomChina creators deliver on the screen reads the following(it also comes in Chinese-language):

If you want to restore them, write us to the e-mail:
Write this Your ID in the body of your message
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

Free decryption test as guarantee !

Integrity is our principle!
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)
Attention !

Do not rename encrypted files !
Do not try to decrypt your data using third party software, it may cause permanent data loss !
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam !
Your ID:

Phantom ransomware payment that criminals require should be transferred in Bitcoin, but this activity is not safe for the user. Getting involved in any money transfers with criminals or even communication can lead to more significant damage or even installation of malware when you write the email via provided address (

Phantom ransomware virusPhantom ransomware - the cryptovirus that asks for a payment in cryptocurrency.

PhantomChina is the ransomware considered as one of the more dangerous computer infections because it can damage the machine since it gets to access the crucial parts of the system and damage those files significantly. This notorious virus can be distributed by hackers directly targeting systems with the aim to extort money from victims.

You need to remove Phantom ransomware instead of considering the payment option as the solution. There is no need to pay no matter how convincing the message sounds or how low the ransom amount is. Criminals are not worthy of your trust, especially such extortionists. 

You cannot open those encrypted files, and after the process of Phantom ransomware removal, it is not going to be easier. Anti-malware tools are designed to find and terminate threats, malicious files, and programs, but not repair system files or recover from encryption.

Phantom cryptovirusPhantom virus is also known as PhantomChina ransomware.

PhantomChina virus-fighting options 

There are some solutions for such threats that are focused on money extortion and system damage. Your infected machine needs some serious help when ransomware like Phantom files virus appears on the system. Experts[3] recommend staying away from paying or contacting criminals, but file recovery is needed.

Antivirus tools are the ones that can terminate the malware for you and help to improve the performance after the infection. But you need a tool like ReimageIntego that could recover those system functions, tools, and programs corrupted by the ransomware. Remember that Phantom ransomware elimination is the first and the most important step.

You need to run an AV tool, remove the Phantom virus, then recover functions and affected programs with PC repair or optimization programs, and rely on data backups in regards to your encrypted files. You can try third-party programs, system options listed below, but the most reliable solution is file copies stored on the separate archive.

Terminate Phantom files virus from the system

There are no decryption options when it comes to Phantom ransomware virus because researchers haven't created the tool yet for such an infection. Anything related to such malware can be damaging because files and programs running int he background can be designed to trigger malicious processes. 

You need to properly remove Phantom ransomware by running an anti-malware tool and allowing the program to check all the parts of the system. Tools like SpyHunter 5Combo Cleaner or Malwarebytes can find programs, files, associated intruders, and eliminate them automatically for you.

Then you only need to perform the second scan after Phantom ransomware removal that ensures the proper system performance. ReimageIntego or another PC repair/ system optimization tool can recover system functions and files corrupted by the threat. Then your machine is prepared for the file restoring procedures.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove Phantom virus, follow these steps:

Remove Phantom using Safe Mode with Networking

Safe Mode can give you the opportunity to remove Phantom ransomware using the AV tool of your own

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Phantom

    Log in to your infected account and start the browser. Download ReimageIntego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Phantom removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Phantom using System Restore

System Restore feature can act as a solution for malware removal

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Phantom. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with ReimageIntego and make sure that Phantom removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Phantom from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Phantom, you can use several methods to restore them:

The method for file restoring – data recovery program

You can try this tool for encrypted files or even accidentally deleted data

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Phantom ransomware;
  • Restore them.

Windows Previous Versions feature – option for individual files

When your files get encoded by the Phantom ransomware virus and you use System Restore as a method to fight it, you can rely on Windows Previous Versions and recover important files one by one

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer can help with encrypted files

Shadow Volume Copies, when untouched can be restored using ShadowExplorer

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Phantom ransomware decryptor tool is not released to the public yet

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Phantom and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.


Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Lucia Danes
Lucia Danes - Virus researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Lucia Danes
About the company Esolutions


Your opinion regarding Phantom ransomware