PHOBOS Ransomware - Remove + How to Restore .PHOBOS Files

This blog post aims to help you by showing how to remove Phobos ransomware and how to restore AES encrypted files with .PHOBOS file extension without having to pay ransom.

A file-encrypting virus called Phobos ransomware has been detected by malware researchers. The ransomware, also named Phobos, assigns a unique victim ID after the infection and uses AES encryption to render the important files on your computer unopenable. After it encrypts the files, the virus appends the .PHOBOS file extension to them, along with the e-mail address of the cyber-criminals to contact. The end goal of this virus is to get you to buy Bitcoin and pay the cyber-criminals in order to restore your encrypted files.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: Encrypts the files with the AES cipher and then drops a ransom note, asking victims to pay a ransom in return for their files.
Symptoms: Files are encrypted with the .PHOBOS file extension and a Phobos.hta ransom note file has been added.
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and on whether or not you have reformatted your drive.

PHOBOS Ransomware – Update April 2019

Phobos ransomware received a few minor changes in April 2019. One of them is a new ransom note stored inside a text file called info.txt. The note has the following contents:

!!! All of your files are encrypted !!!
To decrypt them send e-mail to this address:
If we don’t answer in 48h., send e-mail to this address:
If there is no response from our mail, you can install the Jabber client and write to us in support of

In addition, a malicious spam campaign is probably spreading the Phobos cryptovirus right now, as we are seeing a rise in searches for this threat.

PHOBOS Ransomware – Update January 2019

The Phobos ransomware is back after a long absence. Two new variants have been circulating on the Internet since December 2018, and it appears there are already victims of the new versions. Both of them append the .phobos extension to encrypted files. The following e-mail addresses are given for contacting the cybercriminals:


Not much has changed since the official release of PHOBOS ransomware. The ransom demanded by the criminals is 5,000 US dollars.

PHOBOS Ransomware – Infection

The cyber-criminals behind PHOBOS ransomware use several different techniques to spread the infection file of PHOBOS ransomware. The main one is reported to be e-mail spam. Such spam messages aim to trick you into thinking they are legitimate and get you to download the malicious attachment they carry. Here is an example of how a malicious spam (malspam) message spreading PHOBOS ransomware may look:

The malicious files may also be delivered through an external web link sent with the e-mail, such as a button linking to a Dropbox account or another online file-sharing account, from which the malicious file is directly downloaded. This is done to bypass any e-mail provider's filters that might detect the message as malicious. Here is how such an e-mail may appear:

The files themselves may either be direct executable files that infect you when opened, or malicious Microsoft Office documents with macros in them. Such files pose as legitimate documents; after you open them, you see a locked Microsoft document that asks you to "Enable Content" by clicking on a yellow bar above it. From there, the malicious macros are activated and the infection takes place:

PHOBOS Ransomware – Malicious Activity

When an infection with PHOBOS ransomware takes place, the malicious payload of the ransomware virus is dropped on the victim's computer. The payload consists of one or more malicious files that may have random names and may be hidden in the Windows directories commonly used by malware, which are the following:

After the payload is dropped, PHOBOS ransomware obtains administrative permissions, which allows the malware to create several different types of entries in the Windows Registry. Some of them target the Run and RunOnce registry keys of Windows. These sub-keys are responsible for the automatic execution of the malicious file of PHOBOS ransomware that performs the file encryption. The sub-keys in which you can find those entries have the following location:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In addition to tampering with your Windows Registry, the PHOBOS virus may also delete the shadow volume copies of your Windows machine by executing a batch (.bat) script as a background application, without you noticing it. The script may run the Windows Command Prompt as an administrator and execute the following commands to delete the copies and disable recovery:

→ process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
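As an added illustration for defenders (this is not code from the original article or from the malware), the small Python detector below matches the shadow-copy deletion and recovery-disabling chain quoted above against process-creation events. It assumes events shaped like Sysmon Event ID 1 records with Image, ParentImage and CommandLine fields; the sample events are constructed.

```python
import re

# One regex per step of the command chain quoted in the article:
# WMIC spawning cmd.exe, vssadmin deleting shadows, bcdedit disabling recovery.
SHADOW_COPY_TAMPERING = {
    "wmic_process_create_cmd": re.compile(
        r"\bprocess\s+call\s+create\b.*\bcmd(?:\.exe)?\s+/c", re.I),
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "bcdedit_recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_boot_failures": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
}


def match_indicators(cmdline):
    """Return the names of all indicators that fire on one command line."""
    return [name for name, rx in SHADOW_COPY_TAMPERING.items() if rx.search(cmdline)]


def detect(events):
    """Return one alert per event whose CommandLine matches at least one indicator.

    Two or more steps of the chain in a single command line is rated high:
    legitimate administration rarely deletes all shadows and disables
    recovery in one breath, while a lone 'vssadmin delete shadows' may be
    a backup job cleaning up and is rated medium."""
    alerts = []
    for ev in events:
        hits = match_indicators(ev.get("CommandLine", ""))
        if hits:
            alerts.append({
                "Image": ev.get("Image"),
                "ParentImage": ev.get("ParentImage"),
                "hits": hits,
                "severity": "high" if len(hits) >= 2 else "medium",
            })
    return alerts


# Constructed sample events (not real telemetry); names are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "cmd.exe /c vssadmin.exe delete shadows /all /quiet & "
                    "bcdedit.exe /set {default} recoveryenabled no & "
                    "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Users\victim\AppData\Roaming\example_payload.exe",
     "CommandLine": 'wmic process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet"'},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe list shadows"},  # benign: lists, does not delete
]
```

Running detect(SAMPLE_EVENTS) flags the first two events as high severity and leaves the listing command alone.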


In addition to the malicious files, a Phobos.hta ransom note is dropped on the victims' computers, and it looks like the following:

Text from Phobos.hta:

“All your files are encrypted
Hello World
Data on this PC turned into a useless binary code
To return to normal, please contact us by this email: OttoZimmennan@pmtonmall.di
Set topic of your message to ‘Encryption ID:{CUSTOM ID}’
Interesting Facts:
1. Over time, the cost increases, do not waste your time
2. Only we can help you, for sure, no one else.
3. BE CAREFUL !!! If you still try to find other solutions to the problem, make a backup copy of the files you want to experiment on, and play with them.
Otherwise they can be permanently damaged
4. Any services that offer you help or just take money from you and disappear, or they will be intermediaries between us, with inflated value. Since the antidote is only among the creators of the virus”

PHOBOS Ransomware – Encryption Process

The encryption of PHOBOS ransomware is performed with the AES encryption algorithm (Advanced Encryption Standard). It is the type of cipher that replaces a small part of the original file with the cipher's symbols, just enough to make the file no longer openable. The encryption process generates a decryption key which can revert it, but this asymmetric key is known only to the cyber-criminals. In addition to this, the PHOBOS ransomware also scans the victim's computer for the following file types:


After the files are encrypted, PHOBOS ransomware adds the .PHOBOS file extension, a unique ID and the e-mail address at which to contact the cyber-criminals. The encrypted files can no longer be opened and look like the following:

Remove PHOBOS Ransomware and Restore Encrypted Files

In order to get rid of this ransomware infection from your computer system, we recommend following the removal instructions below this article. They are divided into manual and automatic removal solutions. While the manual instructions can be useful if you have experience in malware removal, experts often recommend following the automatic removal instructions. They involve using advanced anti-malware software to automatically scan your computer for PHOBOS ransomware and remove it completely and safely.

If you want to restore files that have been encrypted by PHOBOS ransomware, it is recommended to try the alternative methods which we have suggested below in step "2. Restore files encrypted by PHOBOS". They are specifically designed to help you try and restore as many encrypted files as possible without having to pay the ransom.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
