Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Jun 2020

How to remove PhoneNumber ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Jake Doevan · Computer technology expert

PhoneNumber ransomware is a crypto-malware that uses a phone number of the victim as an extension for encrypted files

PhoneNumber ransomware

PhoneNumber ransomware is a somewhat unique file locking virus that was first spotted attacking organizations and companies in mid-September 2019. While the goal of malware remains the same as many others – extorting money from victims by locking their files – the way, it modifies files is quite a bit different than usual.

Instead of appending an extension that points to ransomware name or version, PhoneNumber virus attaches a random prefix, which is unique to each file. The structure of the file is also modified by appending a phone number of the organization, for example, .619-388-6500. The example, a file encrypted with PhoneNumber ransomware would look like this: 8nAY3Hy – Imgur.jpg.619-388-6500.

PhoneNumber ransomware then drops a ransom note which explains that all the data was locked using RSA-4096 and AES-256 encryption algorithm[1] – it is named after the abbreviation of the infected company followed by _README_!.txt. Crooks ask for an unknown amount of payment in cryptocurrency, and request company officials to email them via [company_name]@protonmail.com

Name PhoneNumber ransomware
Type Cryptovirus
Encryption algorithm RSA-4096 and AES-256
File extension A contact phone number of the affected organization is used
Ransom note !_[company_name]_README_!.txt
Contact [company_name]@protonmail.com
Decryption Can only be decrypted using backups or third-party software
Removal To terminate ransomware infection, you should scan your computer with anti-malware software like FortectIntego

Because PhoneNumber ransomware uses an extension that is unique to each organization, it is highly likely that targeted attacks are used to infect the desired network. For that, crooks often use privilege escalation techniques after infecting the host with a backdoor or other malware or by infiltrating a poorly protected Remote Desktop connections. Targeted phishing emails might also be used for the purpose. Nevertheless, it does not mean that PhoneNumber ransomware cannot infect regular computer users.

Soon after the infection, PhoneNumber ransomware encrypts all files on the device and the network, deletes all backups (if it can access them), and encrypts all files, preventing everybody from accessing them. The key that can unlock data is stored on a remote server which is only accessible to threat actors. This tricky situation leaves company owners in a tricky situation: paying the ransom to retrieve important files or using alternative methods that might not always work.

PhoneNumber ransomware virus

Security researchers[2] advise avoiding paying the ransom and rather focus on PhoneNumber ransomware removal, as well as alternative data recovery methods. Because the malware is a new strain, it is yet unknown what type of criminal group is behind it, so there is no guarantee that the decryption tool will be provided after the payment.

To convince victims that the decryption is possible, PhoneNumber virus authors offer an alleged free decryption service:

Hello, [company_name]!

Check this message in details and contact someone from IT department.
All your files are encrypted with the strongest millitary algorithms (4096 bit RSA and 256 bit AES).
Do not modify or rename encrypted files – this may cause decryption failure.

If you want to restore your files you will need to make the payment.
You can send us an encrypted file (about 300KB) and we will decrypt it for free, so you have no doubts in possibility to restore the files any time.
Files should not contain sensitive information (databases, backups, large documents, etc).
The rest of the data will be available to you after the full payment.

Contact us only if you are authorized to make a deal from the whole affected network.
Don't contact us if you are not a such person.
Use english when contacting us.
Email: sdccd@protonmail.com

If you don't get an answer within one day download BitMessage software.
Homelink: https://bitmessage.org
Identity: BM-2cVWAFSDMW6TG6GafBWKXK4o2T4sn1ctEx

While paying the ransom is not recommended, some organizations might not have another choice (multiple high-profile companies and states in the USA opted to pay). The side effect of the action, however, only fuels the illegal business of cybercriminals behind ransomware. However, before you attempt file recovery from backups, third-party software, or by paying the ransom, you should remove PhoneNumber ransomware from your computer, or the retrieved data will be encrypted repeatedly.

For that, you need to use a powerful security solution – we recommend using FortectIntego or SpyHunterCombo Cleaner, although any other comprehensive anti-malware software should do the job. In some cases, PhoneNumber ransomware termination might require accessing Safe Mode with Networking – we provide the instructions on how to reach in the removal section below.

Use security measures on your company computers in order to prevent infiltration of ransomware

The notorious case of high-profile organizations being attacked by ransomware comes from WannaCry outrage back in 2017. It seems that after the ordeal that infected over 200,000 computers worldwide left consequences that were behind just recovery costs and days of disruptions – many new malware strains started targeting companies with higher ransom demands. A few good examples of ransomware that was extremely successful in attacking companies and counties include:

Therefore, organizations should make sure that they are using the latest security technologies that provide all-around protection from most ransomware attacks. Educating staff about cybersecurity is also very important, as phishing attacks are one of the main vectors when it comes to malware infections in the organizations.

PhoneNumber ransomware encrypted files

Additionally, Remote Desktop connections should always be secured with a strong password, and the default port should never be used – this allows hackers to scan the internet for vulnerable connections and install the malicious payload manually.

PhoneNumber ransomware removal instructions

PhoneNumber virus deletes all the Shadow Volume Copies – a typical action performed by ransomware in order to complicate the recovery process. In some cases, however, it can fail to do so. Therefore, there is a chance of restoring the encrypted data without paying criminals – you should first remove PhoneNumber ransomware, however.

For PhoneNumber ransomware removal, you should use anti-malware software, such as FortectIntego or SpyHunterCombo Cleaner. Be aware that malware can interfere with security tools, so you should access Safe Mode with Networking – we explain how to do that below.

Once you terminate PhoneNumber ransomware infection, you can connect your backups and copy the files over. If the virus removed them, there are low chances of restoring data for free. Nevertheless, you should try using third-party recovery tools that might be able to retrieve at least some of your data.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.