PhoneNumber ransomware (Removal Instructions) - Quick Decryption Solution
PhoneNumber virus Removal Guide
What is PhoneNumber ransomware?
PhoneNumber ransomware is a crypto-malware that uses a phone number of the victim as an extension for encrypted files
PhoneNumber ransomware is malicious software that encrypts all data on the device and the network of an organization and demands ransom for the decryption tool
PhoneNumber ransomware is a somewhat unusual file-locking virus that was first spotted attacking organizations and companies in mid-September 2019. While its goal is the same as that of most ransomware, extorting money from victims by locking their files, the way it renames encrypted files is quite different from the usual.
Instead of appending an extension that refers to the ransomware name or version, PhoneNumber virus prepends a random prefix, unique to each file, and appends the phone number of the targeted organization as the extension, for example .619-388-6500. A file encrypted by PhoneNumber ransomware therefore looks like this: 8nAY3Hy – Imgur.jpg.619-388-6500.
PhoneNumber ransomware then drops a ransom note claiming that all data was locked with the RSA-4096 and AES-256 encryption algorithms[1]. The note is named after the abbreviation of the infected company, in the form !_[company_name]_README_!.txt. It does not state a price; instead, it tells company officials to negotiate by email at [company_name]@protonmail.com.
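Because the phone-number extension and the note name are so distinctive, they make a good quick triage check on a file server. The following is an added example (not code from the original write-up) that scans a list of paths for both artifacts and reports whether the pattern of this strain is present. The directory listing is constructed for the example; only the first encrypted file name is the page's own sample, and the note name !_SDCCD_README_!.txt is assumed from the abbreviation in the ransom note's email address.

```python
import os
import re
from collections import Counter

# Encrypted files carry the victim organization's phone number as the extension,
# e.g. "<name>.619-388-6500". The original name (and, per the write-up, a random
# per-file prefix) sits in front of it, so the "stem" may still carry that prefix.
PHONE_EXT_RE = re.compile(r"^(?P<stem>.+)\.(?P<phone>\d{3}-\d{3}-\d{4})$")
# The ransom note is named !_<company abbreviation>_README_!.txt
NOTE_RE = re.compile(r"^!_(?P<company>[A-Za-z0-9]+)_README_!\.txt$", re.IGNORECASE)

# Constructed sample directory listing (not real data). The first entry reproduces
# the page's example of an encrypted file name; the rest are assumptions.
SAMPLE_LISTING = [
    "D:/shared/8nAY3Hy – Imgur.jpg.619-388-6500",
    "D:/shared/finance/Q3_budget.xlsx.619-388-6500",
    "D:/shared/finance/!_SDCCD_README_!.txt",
    "D:/shared/notes.txt",
    "D:/shared/logs/2019-09-15.log",       # date-like name, must not match
    "D:/shared/old/backup.zip.555-0100",   # too short to be a phone number
]


def classify(paths):
    """Split paths into encrypted files, ransom notes and a count per phone extension."""
    encrypted, notes, phones = [], [], Counter()
    for p in paths:
        name = os.path.basename(p)
        m = PHONE_EXT_RE.match(name)
        if m:
            encrypted.append({"path": p, "original_name": m["stem"], "phone": m["phone"]})
            phones[m["phone"]] += 1
            continue
        n = NOTE_RE.match(name)
        if n:
            notes.append({"path": p, "company": n["company"]})
    return encrypted, notes, phones


def assess(paths, min_encrypted=2):
    """Report a likely PhoneNumber infection when a note is present and every
    encrypted file uses the same single phone-number extension."""
    encrypted, notes, phones = classify(paths)
    dominant = phones.most_common(1)[0] if phones else None
    single_phone = dominant is not None and dominant[1] == len(encrypted)
    return {
        "encrypted": len(encrypted),
        "notes": [n["company"] for n in notes],
        "phone": dominant[0] if dominant else None,
        "likely_phonenumber_ransomware": bool(notes) and len(encrypted) >= min_encrypted and single_phone,
    }


def scan_tree(root):
    """Walk a real directory tree (e.g. a mounted share) and assess it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return assess(paths)


if __name__ == "__main__":
    print(assess(SAMPLE_LISTING))
```

Run scan_tree() against a suspect share from a clean machine; the phone number it returns is the value to search for across the rest of the estate, and the company abbreviation from the note name should match the local part of the contact address in the note.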
Name | PhoneNumber ransomware |
Type | Cryptovirus (ransomware) |
Encryption algorithm | RSA-4096 and AES-256 (as claimed in the ransom note) |
File extension | The contact phone number of the affected organization, e.g. .619-388-6500 |
Ransom note | !_[company_name]_README_!.txt |
Contact | [company_name]@protonmail.com |
Decryption | No free decryptor is available; data can only be recovered from backups or, partially, with file-recovery software |
Removal | To terminate the infection, scan the computer with anti-malware software such as FortectIntego |
Because the extension, the note name and the contact address all contain details of the victim organization, PhoneNumber ransomware is almost certainly deployed in targeted attacks rather than mass spam campaigns. In such intrusions, crooks typically gain a foothold with a backdoor or other malware, or by breaking into poorly protected Remote Desktop connections, and then escalate privileges and move laterally across the network. Targeted phishing emails might also be used for initial access. Nevertheless, this does not mean that PhoneNumber ransomware cannot infect regular computer users.
Soon after the infection, PhoneNumber ransomware encrypts files on the device and on reachable network shares and deletes any backups it can access, so that nobody can open the data. As is typical for malware that claims RSA and AES, each file is encrypted with a symmetric AES key, and that key is in turn encrypted with the attackers' RSA public key; the matching private key never leaves the attackers' server, so the files cannot be unlocked without it. This leaves company owners with an unpleasant choice: paying the ransom to retrieve important files, or relying on alternative methods that do not always work.
PhoneNumber ransomware is malware that uses the phone number of the company as a file appendix for encrypted data
Security researchers[2] advise against paying the ransom and recommend focusing on PhoneNumber ransomware removal and alternative data recovery methods instead. Because the malware is a new strain, it is not yet known which criminal group is behind it, so there is no guarantee that a working decryption tool will be provided after payment.
To convince victims that decryption is possible, the PhoneNumber virus authors offer to decrypt one small file for free, as the ransom note states:
Hello, [company_name]!
Check this message in details and contact someone from IT department.
All your files are encrypted with the strongest millitary algorithms (4096 bit RSA and 256 bit AES).
Do not modify or rename encrypted files – this may cause decryption failure.
If you want to restore your files you will need to make the payment.
You can send us an encrypted file (about 300KB) and we will decrypt it for free, so you have no doubts in possibility to restore the files any time.
Files should not contain sensitive information (databases, backups, large documents, etc).
The rest of the data will be available to you after the full payment.
Contact us only if you are authorized to make a deal from the whole affected network.
Don't contact us if you are not a such person.
Use english when contacting us.
Email: sdccd@protonmail.com
If you don't get an answer within one day download BitMessage software.
Homelink: https://bitmessage.org
Identity: BM-2cVWAFSDMW6TG6GafBWKXK4o2T4sn1ctEx
While paying the ransom is not recommended, some organizations may feel they have no other choice (multiple high-profile companies and US municipalities have opted to pay). The side effect, however, is that every payment funds the illegal business of the cybercriminals behind ransomware. In any case, before attempting file recovery from backups, with third-party software, or by paying the ransom, you should remove PhoneNumber ransomware from the computer, or the retrieved data will simply be encrypted again.
For that, use a reputable security solution; we recommend FortectIntego or SpyHunter 5Combo Cleaner, although any other comprehensive anti-malware product should do the job. In some cases, PhoneNumber ransomware termination requires booting into Safe Mode with Networking; we provide instructions on how to reach it in the removal section below.
Use security measures on your company computers in order to prevent infiltration of ransomware
The most notorious case of high-profile organizations being hit by ransomware is the WannaCry outbreak of 2017. The ordeal, which infected over 200,000 computers worldwide, left consequences beyond recovery costs and days of disruption: many new malware strains started targeting companies with higher ransom demands. Good examples of ransomware that has been extremely successful in attacking companies and counties include:
- SamSam, which targeted hospitals among other victims[3]
- LockerGoga, which took down the aluminium producer Norsk Hydro[4]
Therefore, organizations should make sure they use up-to-date security technologies that provide layered protection against most ransomware attacks, and keep offline or otherwise isolated backups that the malware cannot reach. Educating staff about cybersecurity is also very important, as phishing is one of the main vectors for malware infections in organizations.
PhoneNumber ransomware not only appends the phone-number extension but also adds a random (unique) string to the front of the file name
Additionally, Remote Desktop connections should always be protected with strong, unique passwords and account lockout, and they should not be exposed directly to the internet on the default port 3389: attackers scan the whole internet for such endpoints, brute-force the credentials and then install the ransomware payload by hand. Moving RDP to a non-default port only hides it from the laziest scans; placing it behind a VPN or a gateway with Network Level Authentication and multi-factor authentication is the real fix.
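The attack the paragraph above warns about leaves a clear trace in the Windows Security log: a burst of failed logons (event 4625) from one source address, often followed by a success (event 4624) once a password is guessed. The following is an added example (not code from the original write-up) of a sliding-window detector for exactly that pattern. The logon events are constructed for the example, the internal address ranges are an assumption to adjust to your own network, and the threshold and window are illustrative defaults.

```python
import ipaddress
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed Windows Security log logon events (not real data), as tuples of
# (timestamp, event_id, logon_type, source_ip, account). 4625 = failed logon,
# 4624 = successful logon. Logon type 10 is RemoteInteractive (RDP); with Network
# Level Authentication enabled the credential check is logged as type 3 (Network).
SAMPLE_EVENTS = [
    ("2019-09-14T08:55:12Z", 4625, 10, "10.0.0.5", "jdoe"),
    ("2019-09-14T08:55:30Z", 4625, 10, "10.0.0.5", "jdoe"),
    ("2019-09-14T08:55:48Z", 4624, 10, "10.0.0.5", "jdoe"),
    ("2019-09-14T09:10:00Z", 4625, 2, "-", "jdoe"),            # console logon, ignored
    ("2019-09-14T20:00:00Z", 4625, 3, "203.0.113.7", "guest"),  # slow trickle, never 5 in 5 min
    ("2019-09-14T20:40:00Z", 4625, 3, "203.0.113.7", "guest"),
    ("2019-09-14T21:20:00Z", 4625, 3, "203.0.113.7", "guest"),
    ("2019-09-14T22:00:00Z", 4625, 3, "203.0.113.7", "guest"),
    ("2019-09-14T22:40:00Z", 4625, 3, "203.0.113.7", "guest"),
    ("2019-09-14T22:01:05Z", 4625, 3, "198.51.100.23", "administrator"),  # password spray
    ("2019-09-14T22:01:09Z", 4625, 3, "198.51.100.23", "admin"),
    ("2019-09-14T22:01:14Z", 4625, 3, "198.51.100.23", "backup"),
    ("2019-09-14T22:01:20Z", 4625, 3, "198.51.100.23", "administrator"),
    ("2019-09-14T22:01:27Z", 4625, 3, "198.51.100.23", "scanner"),
    ("2019-09-14T22:01:35Z", 4625, 3, "198.51.100.23", "administrator"),
    ("2019-09-14T22:03:10Z", 4624, 10, "198.51.100.23", "administrator"),  # and then they are in
]

# Address ranges considered internal (assumption; adjust to the organization's own
# ranges). Anything else is treated as an external source.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with at least `threshold` failed RDP logons inside a sliding
    `window`, and record whether a successful logon from that IP followed the burst."""
    fails, accounts, recent, flagged = Counter(), defaultdict(set), defaultdict(deque), {}
    for ts, event_id, logon_type, ip, account in sorted(events, key=lambda e: e[0]):
        if logon_type not in (3, 10):          # only RDP-related logon types
            continue
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if event_id == 4625:
            fails[ip] += 1
            accounts[ip].add(account)
            q = recent[ip]
            q.append(t)
            while t - q[0] > window:            # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {"burst_started": q[0].strftime("%Y-%m-%dT%H:%M:%SZ"),
                               "success_after_burst": None}
        elif event_id == 4624 and ip in flagged and flagged[ip]["success_after_burst"] is None:
            flagged[ip]["success_after_burst"] = f"{ts} {account}"
    return {ip: {**info, "failures": fails[ip], "accounts": sorted(accounts[ip]),
                 "external": is_external(ip)}
            for ip, info in flagged.items()}


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```

A burst followed by a success from an external address is the signal to treat the host as compromised rather than merely probed: the ransomware deployment described in this article starts from exactly that foothold.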
PhoneNumber ransomware removal instructions
PhoneNumber virus deletes all Shadow Volume Copies, a typical ransomware action meant to complicate recovery. In some cases, however, it fails to do so, so there is a chance of restoring the encrypted data without paying the criminals. Remove PhoneNumber ransomware first, though.
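Shadow-copy deletion is one of the few things ransomware has to do loudly, through well-known command lines, which makes it a reliable early detection point. The following is an added example (not code from the original write-up) that runs a small rule set over process-creation events and lists the hosts to isolate. The events are constructed for the example in a simplified "timestamp|host|user|command line" form; in practice they would come from Security event 4688 (with command-line auditing enabled) or Sysmon event 1.

```python
import re

# Constructed process-creation events (not real data). The first, seventh and eighth
# lines are benign; the rest are the classic backup-destruction commands.
SAMPLE_EVENTS = [
    "2019-09-15T03:12:40Z|SRV-FS01|CORP\\admin|vssadmin list shadows",
    "2019-09-15T03:12:44Z|SRV-FS01|CORP\\admin|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "2019-09-15T03:12:45Z|SRV-FS01|CORP\\admin|wmic.exe shadowcopy delete",
    "2019-09-15T03:12:46Z|SRV-FS01|CORP\\admin|bcdedit.exe /set {default} recoveryenabled no",
    "2019-09-15T03:12:47Z|SRV-FS01|CORP\\admin|wbadmin delete catalog -quiet",
    "2019-09-15T03:12:49Z|SRV-FS01|CORP\\admin|powershell.exe -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }\"",
    "2019-09-15T03:15:02Z|WS-042|CORP\\jdoe|\"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\" Q3_budget.xlsx",
    "2019-09-15T03:20:11Z|SRV-FS01|CORP\\svc_backup|wmic process list brief",
]

# Rule name and case-insensitive pattern over the command line. Listing or
# querying shadow copies is normal admin activity and is deliberately not matched.
RULES = [
    ("vssadmin_delete_shadows", r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("vssadmin_resize_shadowstorage", r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b"),
    ("wmic_shadowcopy_delete", r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b"),
    ("wbadmin_delete_catalog", r"\bwbadmin(\.exe)?\s+delete\s+catalog\b"),
    ("bcdedit_disable_recovery", r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("powershell_remove_shadowcopy", r"win32_shadowcopy\b.*(remove-wmiobject|\.delete\(\))"),
]
COMPILED = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in RULES]


def parse_event(line):
    # maxsplit=3 keeps any "|" inside the command line (PowerShell pipelines) intact
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}


def detect_events(lines):
    """Return one hit per matching command, tagged with the rule that fired."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for name, rx in COMPILED:
            if rx.search(ev["cmd"]):
                hits.append({**ev, "rule": name})
                break
    return hits


def hosts_to_isolate(hits):
    """Map each host with at least one hit to the time of its first hit."""
    first_seen = {}
    for h in sorted(hits, key=lambda h: h["ts"]):
        first_seen.setdefault(h["host"], h["ts"])
    return first_seen


if __name__ == "__main__":
    hits = detect_events(SAMPLE_EVENTS)
    for h in hits:
        print(h["ts"], h["host"], h["rule"], h["cmd"])
    print("isolate:", hosts_to_isolate(hits))
```

Because this step happens before or while files are being encrypted, an alert on the first hit, followed by network isolation of that host, can still save the shadow copies and shares the malware has not reached yet.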
For PhoneNumber ransomware removal, you should use anti-malware software, such as FortectIntego or SpyHunter 5Combo Cleaner. Be aware that malware can interfere with security tools, so you should access Safe Mode with Networking – we explain how to do that below.
Once the PhoneNumber ransomware infection is terminated, you can connect your backups and copy the files over. If the virus removed them, the chances of restoring data for free are low. Nevertheless, try third-party recovery tools, which might retrieve at least some of your data.
Getting rid of PhoneNumber virus. Follow these steps
Manual removal using Safe Mode
You should enter Safe Mode with Networking if the virus is tampering with anti-malware software:
Important! →
Manual removal might be too complicated for regular computer users. It requires advanced IT knowledge to perform correctly (if vital system files are removed or damaged, Windows may no longer boot), and it can take hours to complete. Therefore, we highly advise using the automatic method described above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer starts, press F8 repeatedly until you see the Advanced Boot Options window. If nothing happens, start pressing earlier, before the Windows logo appears; note that F2, F12 or Del open the firmware setup or a boot-device menu, which is not the screen you need.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is the most likely one to contain malicious files).
- Scroll through the Files to delete list and select the following:
  Temporary Internet Files
  Downloads
  Recycle Bin
  Temporary files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Remove PhoneNumber using System Restore
System Restore can also be used for PhoneNumber virus removal:
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Command Prompt from the list.
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
- Select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, type cd restore and press Enter.
- Now type rstrui.exe and press Enter again.
- When a new window shows up, click Next and select a restore point dated before the PhoneNumber infiltration. Then click Next.
- Click Yes to start System Restore. Note that System Restore reverts system files and settings only; it does not decrypt your documents.
Bonus: Recover your data
The guide above is meant to help you remove PhoneNumber from your computer. To recover your encrypted files, we recommend the detailed guide prepared by 2-spyware.com security experts. If your files are encrypted by PhoneNumber, you can try the following methods to restore them:
Data Recovery Pro solution
Data recovery software tries to retrieve remnants of the original files from the hard drive instead of reverting the changes made by the ransomware. Thus, this method can recover at least some files if the affected machine has not been used much since the attack, because every new write risks overwriting the deleted originals.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by PhoneNumber ransomware;
- Restore them.
Windows Previous Versions Feature might help
If System Protection (which creates Volume Shadow Copies) was enabled and the copies were not deleted, you should be able to recover individual files using the Windows Previous Versions feature.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
ShadowExplorer might sometimes recover all your files
If PhoneNumber ransomware did not delete Shadow Copies, there is a good chance of recovering all your files with ShadowExplorer.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
No decryption tool is currently available
Finally, always think about protection against crypto-ransomware. To protect your computer from PhoneNumber and other ransomware, use reputable anti-malware software such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes.
How to prevent from getting ransomware
Protect your privacy – employ a VPN
There are several ways to make your time online more private. You can use an incognito tab, but it is no secret that even in this mode you are tracked for advertising purposes. Private Internet Access VPN adds an extra layer by routing your traffic through its servers, so the websites you visit see the VPN's IP address and location rather than yours. It is also based on a strict no-log policy, meaning the provider states that it does not record your activity. Combining a secure web browser with Private Internet Access VPN reduces tracking and profiling; note, however, that a VPN does not by itself block malware or ransomware.
No backups? No problem. Use a data recovery tool
Data loss can occur in many ways: human error, malware attacks, hardware failures, power cuts, natural disasters, or simple negligence. Sometimes the lost files are extremely important, and many people panic when such an unfortunate event happens. Because of this, you should always make proper data backups on a regular basis.
If you were caught by surprise and have no backups to restore your files from, not everything is lost. Data Recovery Pro is one of the leading file recovery solutions on the market; it may restore even lost emails or data located on an external device.
- ^ Encryption. ProofPoint. Security blog.
- ^ Novirus. Cybersecurity advice from the UK.
- ^ Fred Donovan. Cybercriminals Target Hospitals with SamSam Ransomware Attacks. Health IT Security. Healthcare IT Security, Data Breach, BYOD.
- ^ Kevin Beaumont. How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business. Medium. Online publishing platform.