What is Phobos ransomware
Phobos ransomware it is a dangerous virus that encrypts data and locks stored files, it can also keep them in this state until the ransom is paid. Phobos ransomware refers to such kind of viruses as extortionists. Like any extortionist virus, Phobos ransomware requires a ransom from the user for decrypting files. It is important to note that the developers of this virus go to any means in order to achieve a quick and effective payment from the user. They convince users that the sooner they contact with developers, the lower the decryption cost. They also claim that any attempts to use other tools can lead to irreversible data damage, so users have no choice but to contact the developers. The cost of the purchase can range from $2,000 to $5,000.
Content of the ransom note:
All your files are encrypted
Data on this PC turned into a useless binary code
To return to normal, please contact us by this e-mail: OttoZimmerman@protonmail.ch
Set topic of your message to 'Encryption ID:*******'
• 1. Over time, the cost increases, do not waste your time
• 2. Only we can help you, for sure, no one else.
• 3. BE CAREFUL !!! If you still try to find other solutions to the problem, make a backup copy of the files you want to experiment on, and play with them. Otherwise, they can be permanently damaged
• 4. Any services that offer you help or just take money from you and disappear, or they will be intermediaries between us, with inflated value. Since the antidote is only among the creators of the virus
Usually, ransomware developers proliferate these infections through spam email campaigns. Developers infect computers through email attachment and send many emails containing malicious attachments hoping that some users will open them. This virus has been spreading in English-speaking countries since October 2017. If you want to remove Phobos Ransomware and decrypt .phobos files, then read our article.
In addition to the standard extension .phobos, there is information about the composite extension, it looks like:ID-B29F1XXX.[email@example.com].phobos. It has another one title, like ID-B35F2XXX.[firstname.lastname@example.org].phobos. At the moment, we know that there is updated version of Phobos Ransomware.
- Update January 3, 2018: ID-B29F1XXX.[email@example.com].phobos
- Update January 5, 2018: ID-B35F2XXX.[firstname.lastname@example.org].phobos
How to Remove Phobos Ransomware
If you have working backups of your encrypted files or you are not going to try and recover lost files, then scan your computer with one or several antivirus and anti-malware programs or reinstall the operating system altogether.
Spyhunter by Enigma Software Group is a good anti-malware program against ransomware, spyware, rootkits and other types of malicious software.
Spyhunter 5 can be downloaded for free. Spyhunter scans your computer and points out to you all found files and registry entries belonging to malware. To remove these threats automatically, you’ll need to purchase a subscription (starting from $39.99 for 6 months).
However, if you want to try all possible ways of recovering .phobos files, including data recovery tools, then I suggest you use these tools first and scan with anti-malware later. Skip to the explanation
How to Recover .phobos files
If you want to recover files encrypted by ransomware you can either try to decrypt them or use methods of file recovery.
Ways to decrypt the files:
- Contact the ransomware authors, pay the ransom and possibly get the decryptor from them. This is not reliable: they might not send you the decryptor at all, or it might be poorly done and fail to decrypt your files.
- Wait for security researchers to find some vulnerability in the ransomware that would allow you to decrypt .phobos files without paying. This turn of events is possible but not very probable: out of hundreds of known ransomware variants only dozens were found to be decryptable for free. You can visit NoMoreRansom site from time to time to see if free decryptor for Phobos exists.
- Use paid services for decryption. For example, antivirus vendor Dr. Weboffers its own decryption services. They are free for users of Dr.Web Security Space and some other Dr. Web’s products if Dr. Web have been installed and running at the time of encryption (more detail). For users of other antiviruses the decryption, if it’s deemed possible, might cost €150 or more. According to Dr. Web’s statistics, the probability of them being able to restore files is roughly 10%.
Other ways to recover encrypted files:
- Restore from backup. If you make regular backups to a separate device and check from time to time that those are in working order and files can be successfully restored – well, you probably won’t have any problems getting back your files. Just scan your computer with a couple of AVs and anti-malware programs or reinstall operating system, and then restore from backup.
- Recover some files from cloud storage (DropBox, Google Drive, OneDrive, etc.) if you have one connected. Even if encrypted files were already synced to the cloud, a lot of cloud services keep old versions of altered files for some time (usually 30 days).
- Recover Shadow Volume Copies of your files if those are available – ransomware usually tries to delete them too. Volume Shadow Copy Service (VSS) is a Windows technology that periodically creates snapshots of your files and allows you to roll back changes made on those files or recover deleted files. VSS is enabled together with System Restore: it’s turned on by default on Windows XP to Windows 8 and disabled by default on Windows 10.
- Use file recovery software. This probably won’t work for Solid State Drives (SSD – it is a newer, faster and more expensive type of data-storage devices) but is worth a try if you store your data on a Hard Disc Drive (HDD – older and more common as of yet storage device). When you delete a file from your computer – and I mean completely delete: use Shift + Del or empty the Recycle Bin – on SSD it gets wiped from the drive right away. On HDD however, it rather gets marked as deleted, and the space it occupies on a hard drive – as available for writing, but the data is still there and usually recoverable by special software. However, the more you use the computer, especially if you do something that writes new data on the hard drive, the more chance that your deleted file gets overwritten and will be gone for good. That is why, in this guide we will try to recover deleted files (as you might know, ransomware creates an encrypted copy of a file and deletes the original file) without installing anything on a disk. Just know that this still might not be enough to successfully recover your files – after all, when ransomware creates encrypted files it writes new information on a disk, possibly on top of files it just deleted. This actually depends on how much free space is there on your hard drive: the more free space, the less chance that new data will overwrite the old data.
Going further, we need to 1) stop ransomware from encrypting files that we recover, if malware is still active; 2) try not to overwrite files deleted by ransomware. The best way to do it is disconnect your hard drive and connect it to another computer. You will be able to browse all your folders, scan them with antivirus programs, use file recovery software or restore data from Shadow Volume Copies. Although it is better to download all tools you’ll need beforehand and disconnect the computer from the Internet before connecting the infected hard drive, just to be safe.
Disadvantages of this method:
- This might void your warranty.
- It’s harder to do with laptops, and you’ll need a special case (disk enclosure) to put a hard drive in before connecting it to another machine.
- It is possible to infect the other computer if you open a file from the infected drive before scanning the drive with AVs and removing all found malware; or if all AVs fail to find and delete the malware.
Another, easier, way is to load into Safe Mode and do all file recovery measures from there. However, that will mean using the hard drive and potentially overwriting some data. In this case it’s preferable to use only portable versions of recovery software (the ones that don’t require installation), download them onto an external device, and save any recovered files onto an external device as well (external hard drive, thumb drive, CD, DVD, etc.).
Boot Into Safe Mode:
Windows XP, Windows Vista, Windows 7:
- Restart the computer.
- Once you see a boot screen tap F8 key continuously until a list of options appears.
- Using arrow keys, select Safe Mode with Networking.
- Press Enter.
Windows 8, Windows 8.1, Windows 10:
- Hold down Windows key and hit X key.
- Select Shut down or sign out.
- Press Shift key and click on Restart.
- When asked to choose an option, click on Advanced options => Startup Settings.
- Click Restart in the bottom right corner.
- After Windows reboots and offers you a list of options, press F5 to select Enable Safe Mode with Networking.
Back up Your Encrypted Files
It is always advisable to create a copy of the encrypted files and put it away. That might help you if free ransomware decryptor becomes available in the future, or if you decide to pay and get the decryptor but something goes wrong and files get irreparably damaged in the process of decryption.
Use File Recovery Tools to Recover Files
“Stellar Phoenix Windows Data Recovery – Home is an easy to use Windows data recovery software to get back lost documents, emails, photos, videos & many more from HDD, USB, Memory Card etc.”
Recover Encrypted Files From Shadow Copies.
The easiest way to access Shadow Volume Copies is by using a free tool called Shadow Explorer. Just download the latest version and install it (or download the portable version).
- Launch Shadow Explorer.
- On the top left part of the window you can select a disk (C:\, D:\, etc.) and a date when a snapshot of files was taken.
- To recover a file or a folder right-click on it and select Export….
- Choose where do you want to put the files.
You may use our own decryption service. Please fill the form below and attach encrypted files. After analyzing them (that might take several days), we will contact you to tell if the decryption is possible and how much it will cost if so.