PHOBOS Ransomware - Remove + How to Restore .PHOBOS Files

This blog post aims to help you by showing how to remove Phobos ransomware and how to restore AES-encrypted files carrying the .PHOBOS file extension without having to pay the ransom.

A virus of the file-encrypting type, called Phobos ransomware, has been detected by malware researchers. The ransomware, also named Phobos, assigns a unique victim ID after the infection and uses AES encryption to make the important files on your computer impossible to open. After it encrypts the files, the virus appends the .PHOBOS file extension to them along with the e-mail address through which the cyber-criminals can be contacted. The end goal of this virus is to get you to buy Bitcoin and pay the cyber-criminals in order to restore your encrypted files.

Threat Summary

Name: PHOBOS
Type: Ransomware, Cryptovirus
Short Description: Encrypts the files via the AES cipher and then drops a ransom note, asking victims to pay a ransom in return for their files.
Symptoms: Files are encrypted with the .PHOBOS file extension and a Phobos.hta ransom note file has been added.
Distribution Method: Spam Emails, Email Attachments, Executable files
Detection Tool: See If Your System Has Been Affected by PHOBOS

User Experience: Join Our Forum to Discuss PHOBOS.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

PHOBOS Ransomware – Infection

The cyber-criminals behind PHOBOS ransomware use several different techniques to spread the infection file of PHOBOS ransomware. The main one is reported to be e-mail spam. Such spam messages aim to trick you into thinking they are legitimate so that you download the malicious attachment that comes with them. The screenshot accompanying the original post shows an example of how a malicious spam (malspam) message spreading PHOBOS ransomware may look.

The malicious files may also be delivered through an external web link sent with the e-mail, such as a button linking to a Dropbox account or another online file-sharing account, from which the malicious file is downloaded directly. This is done to bypass e-mail security vendors that might otherwise detect the message as malicious. The original post includes a screenshot of how such an e-mail may appear.

The files themselves may be either direct executables that infect you when opened or malicious Microsoft Office documents containing macros. Such files pose as legitimate documents, and after you open them you see a locked Microsoft document that asks you to "Enable Content" by clicking on a yellow bar above it. Once you do, the malicious macros are activated and the infection takes place.

PHOBOS Ransomware – Malicious Activity

When an infection with PHOBOS ransomware takes place, the malicious payload of the ransomware virus is dropped on the victim's computer. The payload consists of one or more malicious files that may have random names and may be hidden in the Windows directories commonly used by malware.

After the payload is dropped, PHOBOS ransomware obtains administrative permissions, which allows the malware to create several different types of entries in the Windows registry. Some of them target the Run and RunOnce registry keys of Windows. These sub-keys trigger the automatic execution of the malicious PHOBOS ransomware file that is responsible for the file encryption. The sub-keys in which you can find those entries have the following locations:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
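A quick way to review the four autorun locations listed above for a dropped executable is to check where each entry's program actually lives. The script below is an added example, not code from the original post or from the Phobos authors: it takes autorun entries (on Windows it can read them live with the standard `winreg` module, elsewhere it falls back to a constructed sample export for a hypothetical user "alice") and flags any entry whose image is launched from a user-writable directory such as AppData, Temp or ProgramData. The directory prefixes, the environment-variable table and the sample entries are my own assumptions.

```python
# Added example, not code from the original post: review the four autorun
# keys the post names and flag entries that launch an image from a
# user-writable location (the directories ransomware droppers favour).
import re
import sys
from typing import Dict, List

# The autorun locations named in the post (hive\subkey form).
AUTORUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
]

# Locations a normal user can write to without elevation. These prefixes are
# my own choice (an assumption), not a list taken from the post.
SUSPICIOUS_PATTERNS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\"),   # %APPDATA%, %LOCALAPPDATA%, %TEMP%
    re.compile(r"^[a-z]:\\users\\public\\"),
    re.compile(r"^[a-z]:\\programdata\\"),
    re.compile(r"^[a-z]:\\windows\\temp\\"),
]

# Minimal expansion of the variables that typically appear in autorun
# commands; the values are constructed for a hypothetical user "alice".
ENV_VARS = {
    "%windir%": r"C:\Windows",
    "%systemroot%": r"C:\Windows",
    "%programdata%": r"C:\ProgramData",
    "%userprofile%": r"C:\Users\alice",
    "%appdata%": r"C:\Users\alice\AppData\Roaming",
    "%localappdata%": r"C:\Users\alice\AppData\Local",
    "%temp%": r"C:\Users\alice\AppData\Local\Temp",
}

EXECUTABLE_EXTS = (".exe", ".bat", ".cmd", ".vbs", ".js", ".scr", ".dll", ".hta")


def expand(command: str) -> str:
    """Expand the variables in ENV_VARS case-insensitively."""
    return re.sub(r"%[a-z]+%", lambda m: ENV_VARS.get(m.group(0).lower(), m.group(0)),
                  command, flags=re.IGNORECASE)


def image_path(command: str) -> str:
    """Return the program an autorun command starts.

    Handles a quoted path ("C:\\Program Files\\x.exe" /arg) and an unquoted
    path containing spaces by growing the token until it ends in an
    executable extension.
    """
    command = expand(command).strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split(" ")
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if candidate.lower().endswith(EXECUTABLE_EXTS):
            return candidate
    return tokens[0]


def review_autoruns(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the entries whose image lives in a user-writable location."""
    findings = []
    for entry in entries:
        path = image_path(entry["command"])
        if any(pat.search(path.lower()) for pat in SUSPICIOUS_PATTERNS):
            findings.append({**entry, "image": path,
                             "reason": "launched from user-writable directory"})
    return findings


def read_live_autoruns() -> List[Dict[str, str]]:
    """Enumerate the four keys on a Windows host (returns [] elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library, Windows only
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    entries = []
    for full in AUTORUN_KEYS:
        hive_name, subkey = full.split("\\", 1)
        try:
            with winreg.OpenKey(hives[hive_name], subkey) as key:
                i = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    entries.append({"key": full, "name": name, "command": str(value)})
                    i += 1
        except OSError:
            continue
    return entries


# Constructed sample entries standing in for a registry export.
SAMPLE_ENTRIES = [
    {"key": AUTORUN_KEYS[0], "name": "SecurityHealth",
     "command": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"key": AUTORUN_KEYS[0], "name": "OneDrive",
     "command": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"key": AUTORUN_KEYS[1], "name": "xkzqp",
     "command": r"C:\Users\alice\AppData\Local\Temp\xkzqp.exe"},
    {"key": AUTORUN_KEYS[3], "name": "updater",
     "command": r'"%APPDATA%\svch0st.exe" -k'},
]

if __name__ == "__main__":
    for f in review_autoruns(read_live_autoruns() or SAMPLE_ENTRIES):
        print(f"{f['key']}\\{f['name']} -> {f['image']} ({f['reason']})")
```

On the constructed sample the two entries pointing into Temp and Roaming AppData are reported while the two Windows-directory entries pass; a flagged entry is a lead to investigate, not proof on its own, since some legitimate updaters also run from AppData.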

In addition to tampering with your Windows registry, the PHOBOS virus may also delete the shadow volume copies of your Windows machine by executing a batch (.bat) script as a background application, without you noticing it. The script may run the Windows Command Prompt as an administrator and execute the following commands to delete the copies and disable recovery:

→ process call create "cmd.exe /c
vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"

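Because the three commands above are rarely run by an administrator in one go, they are a good detection point. The following script is an added example, not code from the original post or from any vendor tool: it runs the command lines quoted above as indicators over process-creation records (the constructed sample records below imitate a Sysmon-style "Field: value | Field: value" layout, which is my assumption) and rates an event higher when several indicators appear in one command line or when the parent process runs from a user-writable directory.

```python
# Added example, not from the original post: flag the shadow-copy deletion and
# boot-recovery tampering commands the post lists when they appear in
# process-creation telemetry (Sysmon event 1, EDR, or similar).
import re
from typing import Dict, List

# Each indicator corresponds to one of the commands quoted in the post.
INDICATORS = {
    "shadow_copies_deleted": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "boot_failures_ignored": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
    "wmic_spawned_cmd": re.compile(
        r"\bprocess\s+call\s+create\b.*\bcmd(?:\.exe)?\s+/c\b", re.I),
}

# Constructed records in a Sysmon-like "Field: value | Field: value" layout.
SAMPLE_EVENTS = [
    r"Image: C:\Windows\System32\vssadmin.exe | CommandLine: vssadmin list shadows | ParentImage: C:\Windows\System32\cmd.exe",
    r"Image: C:\Windows\System32\cmd.exe | CommandLine: cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures | ParentImage: C:\Windows\System32\wbem\WMIC.exe",
    r'Image: C:\Windows\System32\wbem\WMIC.exe | CommandLine: wmic process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet" | ParentImage: C:\Users\alice\AppData\Local\Temp\xkzqp.exe',
    r"Image: C:\Windows\System32\bcdedit.exe | CommandLine: bcdedit /enum | ParentImage: C:\Windows\System32\cmd.exe",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one record into its fields (first ': ' separates key and value)."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def scan_events(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per event that matches at least one indicator."""
    findings = []
    for index, line in enumerate(lines):
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        hits = [name for name, pat in INDICATORS.items() if pat.search(cmd)]
        if not hits:
            continue
        # Several indicators chained in one command line, or a parent running
        # from a user-writable directory, is the ransomware pattern rather
        # than an administrator's one-off maintenance command.
        parent = ev.get("ParentImage", "")
        from_user_dir = "\\appdata\\" in parent.lower() or "\\temp\\" in parent.lower()
        severity = "high" if len(hits) > 1 or from_user_dir else "medium"
        findings.append({"event": index, "indicators": hits,
                         "severity": severity, "parent": parent})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['severity']} "
              f"{', '.join(f['indicators'])} (parent: {f['parent']})")
```

The two benign records (`vssadmin list shadows`, `bcdedit /enum`) produce no finding, while the chained command from the post and the WMIC-launched variant are both rated high. In a real deployment the same patterns can be expressed as a SIEM or Sysmon rule; the value of keeping them separate is that each one alone is also worth an alert.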
In addition to the malicious files, a Phobos.hta ransom note is dropped on the victim's computer; its text is reproduced below.

Text from Phobos.hta:

“All your files are encrypted
Hello World
Data on this PC turned into a useless binary code
To return to normal, please contact us by this email: [email protected]
Set topic of your message to ‘Encryption ID:{CUSTOM ID}’
Interesting Facts:
1. Over time, the cost increases, do not waste your time
2. Only we can help you, for sure, no one else.
3. BE CAREFUL !!! If you still try to find other solutions to the problem, make a backup copy of the files you want to experiment on, and play with them.
Otherwise they can be permanently damaged
4. Any services that offer you help or just take money from you and disappear, or they will be intermediaries between us, with inflated value. Since the antidote is only among the creators of the virus”

PHOBOS Ransomware – Encryption Process

The encryption of PHOBOS ransomware is carried out with the AES encryption algorithm (Advanced Encryption Standard). This type of cipher alters a small part of the original file with the cipher's symbols, just enough to make the file no longer openable. The encryption generates a decryption key that can revert the process, but this asymmetric key is known only to the cyber-criminals. In addition, PHOBOS ransomware also scans the victim's computer for the following file types:

→ ".PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV
CAD Files: .DWG .DXF
GIS Files: .GPX .KML .KMZ
.ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF
Encoded Files: .HQX .MIM .UUE
.7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML
Audio Files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA
Video Files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV
3D: .3DM .3DS .MAX .OBJ
.BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG"

After the files are encrypted, PHOBOS ransomware appends the .PHOBOS file extension together with a unique ID and the e-mail address through which to contact the cyber-criminals. The encrypted files can no longer be opened; the original post shows a screenshot of how they appear.
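Before trying any recovery method it helps to know exactly what was hit. The script below is an added example, not code from the original post: it walks a directory tree, counts files that carry the .PHOBOS extension by their original file type, lists the directories affected and locates every Phobos.hta ransom note. The post only says that the suffix contains the victim ID and a contact e-mail; the exact layout `<name>.<ext>.id[<ID>].[<email>].PHOBOS` used for the constructed sample tree is my assumption, and the parser only relies on the trailing `.PHOBOS` and an `.id[` marker, so a different layout still yields a usable count.

```python
# Added example, not from the original post: inventory files renamed with the
# .PHOBOS extension so the damage can be scoped before any recovery attempt.
import os
import tempfile
from collections import Counter
from typing import List, Tuple

ENCRYPTED_SUFFIX = ".PHOBOS"
RANSOM_NOTE = "Phobos.hta"   # note file name given in the post


def original_name(encrypted: str) -> str:
    """Strip the appended ID, e-mail and extension to recover the original name.

    Assumed layout: <name>.<ext>.id[<ID>].[<email>].PHOBOS. If the ".id["
    marker is absent only the trailing .PHOBOS is removed.
    """
    base = encrypted
    if base.upper().endswith(ENCRYPTED_SUFFIX):
        base = base[: -len(ENCRYPTED_SUFFIX)]
    marker = base.lower().find(".id[")
    if marker > 0:
        base = base[:marker]
    return base


def inventory(root: str) -> Tuple[Counter, List[str], List[str]]:
    """Walk root and return (count per original extension, dirs hit, note paths)."""
    by_ext: Counter = Counter()
    dirs_hit: List[str] = []
    notes: List[str] = []
    for dirpath, _, files in os.walk(root):
        hit = False
        for name in files:
            if name == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            elif name.upper().endswith(ENCRYPTED_SUFFIX):
                hit = True
                ext = os.path.splitext(original_name(name))[1].lower() or "(none)"
                by_ext[ext] += 1
        if hit:
            dirs_hit.append(os.path.relpath(dirpath, root))
    return by_ext, sorted(dirs_hit), notes


def build_sample_tree() -> str:
    """Create a constructed directory tree that mimics a hit user profile."""
    root = tempfile.mkdtemp(prefix="phobos-triage-")
    # Constructed names; the ID and e-mail are placeholders, not real IoCs.
    samples = {
        "Documents/report.docx.id[1A2B3C4D].[ph0bos@example.invalid].PHOBOS": b"",
        "Documents/budget.xlsx.id[1A2B3C4D].[ph0bos@example.invalid].PHOBOS": b"",
        "Documents/Phobos.hta": b"<html>note</html>",
        "Pictures/holiday.jpg.id[1A2B3C4D].[ph0bos@example.invalid].PHOBOS": b"",
        "Pictures/Phobos.hta": b"<html>note</html>",
        "Downloads/setup.exe": b"MZ",   # untouched file, must not be counted
        "Downloads/notes.txt.id[1A2B3C4D].[ph0bos@example.invalid].PHOBOS": b"",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    by_ext, dirs_hit, notes = inventory(build_sample_tree())
    print("encrypted files by original type:", dict(by_ext))
    print("directories hit:", dirs_hit)
    print("ransom notes found:", len(notes))
```

Run against a real profile, pass the profile root to `inventory()` instead of the sample tree; the per-type counts tell you which backups to prioritise, and the note locations mark how far the encryption run got through the tree.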

Remove PHOBOS Ransomware and Restore Encrypted Files

In order to get rid of this ransomware infection from your computer system, we recommend following the removal instructions below this article. They are divided into manual and automatic removal solutions. While the manual instructions can be useful if you have experience in malware removal, experts often recommend following the automatic removal method. It involves using advanced anti-malware software to automatically scan your computer for PHOBOS ransomware and remove it completely and safely.

If you want to restore files that have been encrypted by PHOBOS ransomware, it is recommended to try the alternative methods suggested below in step "2. Restore files encrypted by PHOBOS". They are specifically designed to help you try and restore as many encrypted files as possible without having to pay the ransom.


To remove PHOBOS, follow these steps:

1. Boot your PC in Safe Mode to isolate and remove PHOBOS files and objects
2. Find files created by PHOBOS on your PC
3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to restore files encrypted by PHOBOS

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
