Severity scale:  
  (97/100)

Remove PhoneNumber ransomware (Removal Instructions) - Quick Decryption Solution

removal by Jake Doevan - - | Type: Ransomware

PhoneNumber ransomware is a crypto-malware that uses a phone number of the victim as an extension for encrypted files

PhoneNumber ransomware
PhoneNumber ransomware is malicious software that encrypts all data on the device and the network of an organization and demands ransom for the decryption tool

PhoneNumber ransomware is a somewhat unique file locking virus that was first spotted attacking organizations and companies in mid-September 2019. While the goal of malware remains the same as many others – extorting money from victims by locking their files – the way, it modifies files is quite a bit different than usual.

Instead of appending an extension that points to ransomware name or version, PhoneNumber virus attaches a random prefix, which is unique to each file. The structure of the file is also modified by appending a phone number of the organization, for example, .619-388-6500. The example, a file encrypted with PhoneNumber ransomware would look like this: 8nAY3Hy – Imgur.jpg.619-388-6500.

PhoneNumber ransomware then drops a ransom note which explains that all the data was locked using RSA-4096 and AES-256 encryption algorithm[1] – it is named after the abbreviation of the infected company followed by _README_!.txt. Crooks ask for an unknown amount of payment in cryptocurrency, and request company officials to email them via [company_name]@protonmail.com

Name PhoneNumber ransomware
Type Cryptovirus
Encryption algorithm RSA-4096 and AES-256
File extension A contact phone number of the affected organization is used
Ransom note !_[company_name]_README_!.txt
Contact [company_name]@protonmail.com
Decryption Can only be decrypted using backups or third-party software
Removal To terminate ransomware infection, you should scan your computer with anti-malware software like Reimage

Because PhoneNumber ransomware uses an extension that is unique to each organization, it is highly likely that targeted attacks are used to infect the desired network. For that, crooks often use privilege escalation techniques after infecting the host with a backdoor or other malware or by infiltrating a poorly protected Remote Desktop connections. Targeted phishing emails might also be used for the purpose. Nevertheless, it does not mean that PhoneNumber ransomware cannot infect regular computer users.

Soon after the infection, PhoneNumber ransomware encrypts all files on the device and the network, deletes all backups (if it can access them), and encrypts all files, preventing everybody from accessing them. The key that can unlock data is stored on a remote server which is only accessible to threat actors. This tricky situation leaves company owners in a tricky situation: paying the ransom to retrieve important files or using alternative methods that might not always work.

PhoneNumber ransomware virus
PhoneNumber ransomware is malware that uses the phone number of the company as a file appendix for encrypted data

Security researchers[2] advise avoiding paying the ransom and rather focus on PhoneNumber ransomware removal, as well as alternative data recovery methods. Because the malware is a new strain, it is yet unknown what type of criminal group is behind it, so there is no guarantee that the decryption tool will be provided after the payment.

To convince victims that the decryption is possible, PhoneNumber virus authors offer an alleged free decryption service:

Hello, [company_name]!

Check this message in details and contact someone from IT department.
All your files are encrypted with the strongest millitary algorithms (4096 bit RSA and 256 bit AES).
Do not modify or rename encrypted files – this may cause decryption failure.

If you want to restore your files you will need to make the payment.
You can send us an encrypted file (about 300KB) and we will decrypt it for free, so you have no doubts in possibility to restore the files any time.
Files should not contain sensitive information (databases, backups, large documents, etc).
The rest of the data will be available to you after the full payment.

Contact us only if you are authorized to make a deal from the whole affected network.
Don't contact us if you are not a such person.
Use english when contacting us.
Email: sdccd@protonmail.com

If you don't get an answer within one day download BitMessage software.
Homelink: https://bitmessage.org
Identity: BM-2cVWAFSDMW6TG6GafBWKXK4o2T4sn1ctEx

While paying the ransom is not recommended, some organizations might not have another choice (multiple high-profile companies and states in the USA opted to pay). The side effect of the action, however, only fuels the illegal business of cybercriminals behind ransomware. However, before you attempt file recovery from backups, third-party software, or by paying the ransom, you should remove PhoneNumber ransomware from your computer, or the retrieved data will be encrypted repeatedly.

For that, you need to use a powerful security solution – we recommend using Reimage or SpyHunter 5Combo Cleaner, although any other comprehensive anti-malware software should do the job. In some cases, PhoneNumber ransomware termination might require accessing Safe Mode with Networking – we provide the instructions on how to reach in the removal section below.

Use security measures on your company computers in order to prevent infiltration of ransomware

The notorious case of high-profile organizations being attacked by ransomware comes from WannaCry outrage back in 2017. It seems that after the ordeal that infected over 200,000 computers worldwide left consequences that were behind just recovery costs and days of disruptions – many new malware strains started targeting companies with higher ransom demands. A few good examples of ransomware that was extremely successful in attacking companies and counties include:

Therefore, organizations should make sure that they are using the latest security technologies that provide all-around protection from most ransomware attacks. Educating staff about cybersecurity is also very important, as phishing attacks are one of the main vectors when it comes to malware infections in the organizations.

PhoneNumber ransomware encrypted files
PhoneNumber ransomware not only appends the extension to the files but also uses a random (unique) hash that is added to the front of the file

Additionally, Remote Desktop connections should always be secured with a strong password, and the default port should never be used – this allows hackers to scan the internet for vulnerable connections and install the malicious payload manually.

PhoneNumber ransomware removal instructions

PhoneNumber virus deletes all the Shadow Volume Copies – a typical action performed by ransomware in order to complicate the recovery process. In some cases, however, it can fail to do so. Therefore, there is a chance of restoring the encrypted data without paying criminals – you should first remove PhoneNumber ransomware, however.

For PhoneNumber ransomware removal, you should use anti-malware software, such as Reimage or SpyHunter 5Combo Cleaner. Be aware that malware can interfere with security tools, so you should access Safe Mode with Networking – we explain how to do that below.

Once you terminate PhoneNumber ransomware infection, you can connect your backups and copy the files over. If the virus removed them, there are low chances of restoring data for free. Nevertheless, you should try using third-party recovery tools that might be able to retrieve at least some of your data.

Offer
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with SpyHunter 5.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.

To remove PhoneNumber virus, follow these steps:

Remove PhoneNumber using Safe Mode with Networking

You should enter Safe Mode with Networking if the virus is tampering with anti-malware software:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove PhoneNumber

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete PhoneNumber removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove PhoneNumber using System Restore

System Restore can also be used for PhoneNumber virus removal:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of PhoneNumber. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that PhoneNumber removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove PhoneNumber from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by PhoneNumber, you can use several methods to restore them:

Data Recovery Pro solution

Data Recovery software tries to retrieve data copies from the hard drive instead of reverting the changes done by the ransomware. Thus, this method could help you recover at least some of your files if the affected machine was not used a lot. 

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by PhoneNumber ransomware;
  • Restore them.

Windows Previous Versions Feature might help

If System Restore was enabled, you should be able to recover individual files using Windows Previous Versions feature.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might sometimes recover all your files

If PhoneNumber ransomware did not delete Shadow Copies, there is a good chance of recovering all your files with ShadowExplorer.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryption tool is currently available

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from PhoneNumber and other ransomwares, use a reputable anti-spyware, such as Reimage, SpyHunter 5Combo Cleaner or Malwarebytes

About the author

Jake Doevan
Jake Doevan - Computer technology expert

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions

References


Your opinion regarding PhoneNumber ransomware