Severity scale:  
  (97/100)

Remove Phobos ransomware / virus (Virus Removal Instructions) - updated Jul 2019

removal by Jake Doevan - - | Type: Ransomware

Phobos ransomware is the dangerous cryptovirus that spreads around as a processhacker-2.39-setup.exe executable

Phobos ransomware virus ransom note
Phobos ransomware is a file locker that first emerged in 2017. Nevertheless, malware came back a year later with two new variants.

Phobos ransomware is a cryptovirus that resembles a large Dharma family and was discovered by security researchers back in October 2017. Since its initial release, malware went under the radar for more than a year, until new variants started emerging at the end of 2018 and 2019. Initial infection used .[ID].[email].PHOBOS file extension and a Phobos.hta note asking victims to email virus developers via OttoZimmerman@protonmail.ch to find out the amount of ransom that needs to be paid in order to retrieve access to locked data.

Later versions kept the extension .phobos, but used different contact addresses, along with the composite extension. The most recent contact emails changed to ofizducwell1988@aol.com and fobosAmerika@protonmail.ch. Currently, Phobos virus is actively attacking users all around the world, asking for as much as $5,000 ransom in return for the decryptor. It still remains active in summer 2019 – the more recent versions are Actin ransomware and Mamba ransomware.

Name Phobos
Type Ransomware
Known since 2017
Versions of extensions in the same family .actin, .actor, .mamba, .phoenix, .acton, .frendi, .adage, .acute, etc
File extensions [ID].[OttoZimmerman@protonmail.ch].PHOBOS, [ID].[Job2019@tutanota.com].phobos, [ID].[Cadillac.407@aol.com].phobos, [ID][Raphaeldupon@aol.com].phobos, [ID].[Gomer_simpson2@aol.com].phobos, [ID].[ofizducwell1988@aol.com].phobos,
etc.
Encryption algorithm  AES
Executable processhacker-2.39-setup.exe
Ransom demand Varies, can reach up to $5,000 or even $70 000 when the target is large business or company. The amount increases after 6 hours
Main dangers Data loss, money loss, system compromise, malwar einfiltration
Distribution Infected files as attachments on legitimate-looking emails
Elimination Perform a scan with Reimage to remove Phobos ransomware and the possible damage caused by the virus

Phobos ransomware virus mostly spreads via malicious spam emails[1] or fake installers[2] (processhacker-2.39-setup.exe) for applications like Process Hacker 2. Once inside the computer, it starts scanning the system, targeting the predetermined file extensions.

The malware encrypts various pictures, multimedia, images, documents, and even databases or other data using AES cryptography.[3] Thus, files locked by Phobos ransomware cannot be opened without a specific decryption tool.

In the Phobos virus ransom note, criminals explain that the information stored on the affected computer was “turned into a useless binary code.” In order to make victims to follow the ransom payment instructions, crooks tell that other third-party data recovery services will not help them.

However, they might take the money and disappear. Though, this situation is most likely to happen if you contact and transfer the money to authors of the Phobos ransomware virus. Cybercriminals are not eager to help you because the only focus is getting money from the victims.

Over the course of December 2018 and February 2019, hackers released numerous new variants, which use different emails, including:

  • Job2019@tutanota.com
  • Bad_boy700@aol.com
  • Cadillac.407@aol.com
  • Everest_2010@aol.com
  • Raphaeldupon@aol.com
  • paper_plane1@aol.com
  • barcelona_100@aol.com
  • elizabethz7cu1jones@aol.com
  • beltoro905073@aol.com
  • Raphaeldupon@aol.com
  • Gomer_simpson2@aol.com
  • ofizducwell1988@aol.com
  • FobosAmerika@protonmail.ch

2019 came with even more news about Phobos virus because the ransomware started exploiting weak security to attack users all over the world.[4] It also targets businesses and large companies since these attacks ensure bigger profit from a single victim.[5] Badly secured RDP and other flaws used to enter the network and execute the malicious processes like file-locking and system changes. 

Phobos ransomware developers varied their ransom notes, naming them Encrypted.txt and Data.hta. One of the latest messages states the following:

All your files have been encrypted due to security problem with your PC. If you want to restore them, write us to the email ofizducwell1988@aol.com

In case of no answer in 24 hour write us to theese emails: FobosAmerika@protonmail.ch
If there is no response from our mail, you can install the Jabber client and write to us in support of phobos_helper@xmpp.jp or phobos_helper@exploit.im

It seems like the virus is gaining success of receiving payments, as Phobos ransomware developers already received 3.5 BTC ($13,257 at the time of the writing) into their Bitcoin wallet.[6] It once again proves that the ransomware business model is extremely successful, and these type of infections will not go away anywhere. For that reason, using comprehensive security measures is a necessity.

Phobos ransomware - new variants
Phobos developers started actively releasing new variants in December 2018.

Hackers behind Phobos ransomware warn victims that, in case the ransom is not paid within a specific period, the size will increase significantly. However, cybersecurity specialists do not recommend contacting criminals and following their instructions because it might result in money loss.

If you got infected with the virus, do not panic, stay calm and focus on Phobos ransomware removal. Trojans and ransomware often operate together to proliferate even more malware on the machine. Thus, ransomware infection might not only damage your files but corrupt the system as well. These threats often install programs, files or other malware to ensure the persistence.

However, you should not try to eliminate malware-related files manually. To remove Phobos ransomware safely and successfully, you have to obtain a reputable software and terminate the virus within several minutes. As soon as malware is eliminated, we suggest you scan the machine with Reimage as it can fix all the damage done by Phobos virus.

Phobos ransomware file locking virus
Phobos ransomware comes out with versions more dangerous than previous ones.

Phobos ransomware versions

The virus that came out first in 2017 is known for cybersecurity researchers for a while now, so data encryption and other extortion- based functionalities are analyzed. It is believed that the malware mainly is distributed from Ukraine and that the developers mimic dome features from other crypto malware. Since October 2017, this family expanded and even though the virus mainly uses .phobos extension to mark the files there are more versions that users tend to think.

Phobos ransomware

The first Phobos virus distribution month up until February 2019, delivered versions with the same .phobos file marker and only changed the contact information or names of the ransom notes. All the first variants looked similar to the Dharma ransomware because of the ransom message delivered as a hta program window and containing the thorough instructions about the payment. The full file marker added to encrypted files includes victims' ID and a full email address besides the .phobos at the end.

These first versions had extensions with contact emails:

  • job2019@tutanota.com
  • Bad_boy700@aol.com
  • cadillac.407@aol.com
  • Everest_2010@aol.com
  • raphaeldupon@aol.com
  • paper_plane1@aol.com
  • barcelona_100@aol.com
  • elizabethz7cu1jones@aol.com
  • beltoro905073@aol.com 
  • gomer_simpson2@aol.com
  • ofizducwell1988@aol.com
  • FobosAmerika@protonmail.ch 
  • phobos.encrypt@qq.com
  • pixell@tutanota.com
  • elizabeth67bysthompson@aol.com
  • pixell@cock.li

The ransom note for these particular versions differs from Encrypted.tx, Data.hta and contained pretty much the same message. The only few differences were particular countries where the versions got released. January 2019 found versions were more spread in Brazil than other countries. 

The later ransomware variants throughout these activity years, including this .phobos marker, also mixed up the ransom note file names between Info.txt, info.hta, and encrypted.txt. 

Frendi ransomware

Frendi ransomware was the version that came out at the end of February 2019. This is the first version known to researchers that haven't marked files with the initial .phobos appendix. The particular file extension that lands on encoded files include the .frendi appendix and tlalipidas1978@aol.com contact email. The same email address also included as the name of the main executable with ransomware payload.

Later on, a few more .phobos versions got delivered and after that at the start of April additional Frendi virus variants with withdirimugh1982@aol.com contact email emerged. 

Phoenix ransomware

.phoenix is a file extension that also appeared in multiple versions of the virus throughout the years. Like other versions, not much changed from the initial cryptovirus, this threat included a few different contact emails in the ransom notes and file markers. autrey.b@aol.com and Costelloh@aol.com, hickeyblair@aol.com are one of those. Ransom notes resembling Dharma family and marked with PHOBOS at the corner remained the same for years, while developers only changed the contact information and IDs per victim.

Actor ransomware

This .actor file appendix appeared once or twice in these Phobos virus campaigns, which is not common for the developers. One of these variants found in 2019, at the start of May, contained returnmefiles@aol.com on the file extension and delivered a text file name Encrypted.txt with a few sentences, as per usual. Although, the common HTA window was not delivered, according to some victims, this version was spotted at different times the same year with the same contact information.

Mamba ransomware

Mamba ransomware came out with a few distinct features and an alternate name of HDD Cryptor. This virus was more dangerous because at first, it started targeting large businesses and attacking victims to gain large amounts via ransoms up to 70 000$. This was one of the versions that exploit unprotected RDP to infect the machines. Contact emails for this particular version are known to be fileb@protonmail.com, back7@protonmail.ch.

Actin ransomware

The version that again targets more PC users and individual victims –  Actin ransomware. This is one of many versions in this family, but the only one with the particular .actin file appendix. This threat also uses AES algorithm for the encryption process and demands victims to contact developers via kew07@qq.com to get their files back allegedly. All those claims shouldn't be trusted because these cybercriminals know what they are doing and they have no goal to help people. Actin virus also came out more than a few times and had different emails for each campaign, including upfileme@protonmail.com, thedecrypt111@qq.com. 

Phobos crypto malware
Phobos ransomware is the threat that continues to infect people around the world in 2019.

Acton ransomware 

The slightly changed version from the previously described one, Acton ransomware was one of the less repeated variants int his Phobos ransomware family. Delivering the same info.hta program window with the payment instructions and contact information this time threat leaves out a ransom text file. Data encrypted by the virus get extensions including datadecryption@countermail.com. 

Adage ransomware

The more recent versions in Phobos ransomware started to get more unique names and file extensions. Virus developers occasionally release variants with the original .phobos, but June 2019, in particular, was the month of new ransomware releases. .adage virus file marker comes in the traditional pattern .id[XXXXXXXX -1096].[lockhelp@qq.com].acute common for all the versions in Phobos family since 2017.

Distribution methods of the file-encrypting virus

The crypto-malware can get inside the device when a user clicks on a malicious link, opens or downloads an infected file. The malware executable can be included in the email or presented as a useful program in various torrents or download sites. Thus, users have to be careful and avoid questionable content online.

  • Never open spam emails and stay away from the attachments included into an email that is sent from unknown senders.
  • Do not download illegal content.
  • Stay away from pop-ups informing about available updates.
  • Do not download software from untrusted or unauthorized sources.
  • Install a reputable antivirus program.
  • Keep all your programs updated.

Security experts from Norway[7] suggest creating backups and updating them regularly. Unfortunately, sometimes it’s impossible to decrypt files with the third-party software. Therefore, having backups prevents from data loss.

Phobos virus elimination guide

Trying to locate and wipe out malware-related files manually might end up with serious damage to the system. Therefore, we do not recommend risking to delete wrong files. It’s better to dedicate Phobos removal for the professionals. We mean, you should obtain a reputable malware removal software, such as Reimage or SpyHunterCombo Cleaner, or Malwarebytes Malwarebytes and get rid of the cyber infection automatically.

However, ransomware might be resistant and block security programs. For this reason, you should reboot the computer to the Safe Mode with Networking first in order to remove Phobos ransomware virus entirely. You can find the instructions below.

Offer
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with SpyHunter.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.

To remove Phobos virus, follow these steps:

Remove Phobos using Safe Mode with Networking

In order to run automatic malware removal, follow these steps:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Phobos

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Phobos removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Phobos using System Restore

These instructions can help to get rid of the virus with the help of antivirus software too:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Phobos. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Phobos removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Phobos from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

Only backups can help to restore all files encrypted by ransomware. However, we highly recommend trying alternative third-party tools that might help to recover at least some of the lost data.

If your files are encrypted by Phobos, you can use several methods to restore them:

Data Recovery Pro might help to restore files encrypted by Phobos ransomware

Originally, this software is designed to recover files after the system wreckage. However, it might be helpful after the ransomware attack.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Phobos ransomware;
  • Restore them.

Windows Previous Versions feature might help to restore the most important files

Follow these steps to restore individual files after the ransomware attack (note: System Restore has to be enabled before the attack):

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might help to restore corrupted data

The Phobos virus should not delete Shadow Volume Copies, so this tool might be helpful:

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Phobos decryptor is not available yet.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Phobos and other ransomwares, use a reputable anti-spyware, such as Reimage, SpyHunterCombo Cleaner or Malwarebytes Malwarebytes

About the author

Jake Doevan
Jake Doevan - Computer technology expert

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions

References


Your opinion regarding Phobos ransomware virus