A new variant of ransomware has been discovered by security researchers. It appends the .phobos extension to encrypted files. This ransomware targets computers running Microsoft Windows by spam emails and malware.
Once installed, the Phobos ransomware virus will scan the machine for some file types and encrypt them. It will encrypt almost of files, including:
.x3f, .sie, .rim, .zabw, .wp4, .xy3, .d3dbsp, .mp4, .wpt, .ff, .raw, .avi, .pkpass, .vtf, .docm, .vpp_pc, .wpb, .t12, .wri, .webp, .bc7, .csv, .wdp, .srw, .iwi, .ods, .wb2, .wsc, .sav, .m2, .qic, .ibank, .sum, .wcf, .tor, .yal, .rb, .m4a, .py, .bik, .menu, .apk, .zif, .zdc, .slm, .ysp, .wbd, .xml, .wn, .wbmp, .docx, .doc, .xf, .wmf, .xls, .vdf, .map, .xld, .wpd, .3dm, .sb, .xx, .icxs, .xxx, .ztmp, .mef, .ncf, .lvl, .m3u, .odp, .p12, .kdc, .pef, .svg, .itl, .xbdoc, .p7b, .wpe, .rar, .wmv, .zdb, .zip, .ai, .bc6, .r3d, .wmv, .esm, .png, .hkx, .wotreplay, .forge, .wpd, .x3f, .pdd, .fos, .sid, .css, .xlsb, .z3d, .hvpl, .fpk, .1st, .dcr, .indd, .ppt, .xlgc, .der, .7z, .pfx, .t13, .js, .pst, .1, .ws, .2bp, .jpe, .pdf, .bkf, .p7c, .wpg, .cr2, .wp7, .wbz, .mrwref, .x3d, .sidd, .rtf, .vcf, .arch00, .mlx, .dba, .crw, .psd, .asset, .bar, .vpk, .wot, wallet, .xls, .vfs0, .litemod, .iwd, .rwl, .odc, .kdb, .re4, .wma, .ybk, .bsa, .orf, .pptx, .wmo, .sql, .pptm, .mov, .dng, .xll, .xmind, .lrf, .crt, .odb, .epk, .x, .xar, .xlsm, .srf, .0, .wp, .hplg, .wpw, .wbm, .desc, .jpg, .gdb, .dmp, .webdoc, .xpm, .w3x, .wbc, .xmmap, .3fr, .wp5, .mdb, .yml, .xwp, .arw, .tax, .raf, .zw, .big, .pak, .eps, .wpl, .pem, .odt, .wsd, .sidn, .itdb, .wps, .dbf, .dazip, .rw2, .xlsm, .dxg, .wav, .hkdb, .wm, .wmd, .flv, .zip, .qdf, .bkp, .jpeg, .rgss3a, .wdb, .bay, .dwg, .xlsx, .cfr, .z, .upk, .3ds, .wsh, .accdb, .xdb, .wps, .xbplate, .syncdb, .das, .wpa, .sis, .mcmeta, .y, .wbk, .ntl, .rofl, .erf, .mdf, .cdr, .txt, .snx, .kf, .fsh, .gho, .nrw, .ptx, .odm, .lbf, .wma, .wp6, .blob, .xyw, .xlsx
Once the encryption process is done, it will drop a ransomnote called “Phobos.hta” offering decrypt all users personal files if a payment is made. You can see an one of the variants of the ransom note below:
All your files are encrypted To decrypt your files, contact us using this e-mail: Cadillac.firstname.lastname@example.org Please set topic 'Encryption ID: ***'. We offer free decryption of your test files as a proof. You can attach them to your e-mail and we'll send you decrypted ones. Decryption price increases over time, hurry up and get discount. Decryption using third parties may lead to scam or increased price.
What to do if your computer is infected with Phobos ransomware
The ransom note offers victim to contact Phobos ransomware’s makers in order to decrypt all documents, photos and music. These persons will require to pay a ransom (usually demand for $300-1000 in Bitcoins). We do not recommend paying a ransom, as there is no guarantee that you will be able to decrypt your personal files. Especially since you have a chance to restore .Phobos files for free using free utilities like ShadowExplorer and PhotoRec.
Instructions which is shown below, will help you to remove Phobos ransomware virus as well as restore encrypted photos, documents and music stored on your personal computer drives.
- How to decrypt .phobos files
- How to remove Phobos ransomware virus
- How to restore .phobos files
- How to protect your PC from Phobos ransomware
How to decrypt .phobos files
Currently there is no available method to decrypt .phobos files, but you have a chance to restore encrypted files for free. The virus uses very strong hybrid encryption with a large key. What does it mean to decrypt the files is impossible without the private key. Use a “brute forcing” is also not a solution because of the big length of the key. Therefore, unfortunately, the only payment to the authors of the Phobos ransomware virus entire amount requested – the only method to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that after pay a ransom to the makers of the Phobos ransomware, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new virus.
How to remove Phobos ransomware virus
In order to delete Phobos ransomware from your PC, you need to stop all ransomware virus processes and delete its associated files including Windows registry entries. If any virus components are left on the PC system, the virus can reinstall itself the next time the PC boots up. Usually ransomware viruses uses random name consist of characters and numbers that makes a manual removal procedure very difficult. We advise you to run a free ransomware virus removal utilities which will help remove Phobos ransomware virus from your personal computer. Below you can found a few popular malware removers that detects various ransomware.
How to automatically remove Phobos ransomware with Zemana Anti-malware
Zemana Anti-malware is a tool that can remove ransomwares, adware, PUPs, browser hijacker infections and other malicious software from your machine easily and for free. Zemana Anti-malware is compatible with most antivirus software. It works under Windows (10 – XP, 32 and 64 bit) and uses minimum of PC resources.
Please go to the following link to download the latest version of Zemana Anti-Malware for Windows. Save it on your Microsoft Windows desktop or in any other place.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
After the download is finished, close all software and windows on your system. Double-click the install file named Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as shown below, click the “Yes” button.
It will open the “Setup wizard” which will help you install Zemana Anti Malware (ZAM) on your computer. Follow the prompts and do not make any changes to default settings.
Once installation is finished successfully, Zemana Free will automatically start and you can see its main screen as shown in the figure below.
Now click the “Scan” button . Zemana Free application will scan through the whole system for the Phobos ransomware and other security threats. This process can take some time, so please be patient. While the utility is checking, you may see count of objects and files has already scanned.
Once that process is finished, Zemana will open a screen that contains a list of malicious software that has been found. Next, you need to press “Next” button. The Zemana Free will remove Phobos ransomware and other kinds of potential threats like malicious software and potentially unwanted software and add items to the Quarantine. When the process is done, you may be prompted to restart the computer.
How to automatically delete Phobos ransomware with MalwareBytes Free
You can remove Phobos ransomware virus automatically with a help of MalwareBytes Free. We recommend this free malware removal tool because it can easily remove ransomware virus, adware, malicious software and other undesired software with all their components such as files, folders and registry entries.
Installing the MalwareBytes is simple. First you’ll need to download MalwareBytes from the following link.
Category: Security tools
Update: April 15, 2020
Once the download is complete, run it and follow the prompts. Once installed, the MalwareBytes Anti-Malware (MBAM) will try to update itself and when this process is finished, click the “Scan Now” button to perform a system scan for the Phobos ransomware and other security threats. When a threat is detected, the count of the security threats will change accordingly. In order to remove all items, simply click “Quarantine Selected” button.
The MalwareBytes Anti-Malware (MBAM) is a free application that you can use to remove all detected folders, files, services, registry entries and so on. To learn more about this malicious software removal tool, we recommend you to read and follow the guide or the video guide below.
Run KVRT to remove Phobos ransomware virus from the machine
The KVRT tool is free and easy to use. It can scan and delete virus like Phobos ransomware, malicious software, PUPs and adware in Microsoft Edge, Mozilla Firefox, Google Chrome and Internet Explorer web-browsers and thereby return their default settings (new tab page, startpage and search engine). KVRT is powerful enough to find and get rid of malicious registry entries and files that are hidden on the personal computer.
Download Kaspersky virus removal tool (KVRT) on your Microsoft Windows Desktop by clicking on the following link.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once downloading is complete, double-click on the Kaspersky virus removal tool icon. Once initialization process is finished, you will see the KVRT screen as displayed in the following example.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button . KVRT tool will begin scanning the whole computer to find out Phobos ransomware and other trojans and malicious programs. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your computer. When a malware, adware or potentially unwanted applications are detected, the count of the security threats will change accordingly.
Once the scan is finished, Kaspersky virus removal tool will prepare a list of undesired programs ad supported software as displayed below.
You may remove items (move to Quarantine) by simply click on Continue to begin a cleaning process.
How to restore .phobos files
In some cases, you can recover files encrypted by the Phobos ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted files.
Recover .phobos files with ShadowExplorer
If automated backup (System Restore) is enabled, then you can use it to recover all encrypted files to previous versions.
Visit the following page to download ShadowExplorer. Save it on your Desktop.
Category: Security tools
Update: September 15, 2019
Once downloading is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder like below.
Start the ShadowExplorer utility and then choose the disk (1) and the date (2) that you wish to restore the shadow copy of file(s) encrypted by the Phobos ransomware virus as shown in the figure below.
Now navigate to the file or folder that you wish to restore. When ready right-click on it and click ‘Export’ button like below.
Restore .phobos files with PhotoRec
Before a file is encrypted, the Phobos ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your personal files using file recover apps like PhotoRec.
Download PhotoRec from the link below. Save it on your Microsoft Windows desktop or in any other place.
Category: Security tools
Update: March 1, 2018
When the download is done, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed on the screen below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll open a screen as displayed in the figure below.
Select a drive to recover as shown on the image below.
You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music as displayed in the following example.
Click File Formats button and select file types to recover. You can to enable or disable the restore of certain file types. When this is finished, click OK button.
Next, click Browse button to choose where restored documents, photos and music should be written, then press Search.
Count of restored files is updated in real time. All recovered photos, documents and music are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is done, press on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents as displayed in the following example.
All recovered personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your PC from Phobos ransomware
Most antivirus apps already have built-in protection system against the ransomware. Therefore, if your system does not have an antivirus program, make sure you install it. As an extra protection, run the CryptoPrevent.
Run CryptoPrevent to protect your PC from Phobos ransomware
Download CryptoPrevent by clicking on the link below. Save it to your Desktop so that you can access the file easily.
Run it and follow the setup wizard. Once the setup is finished, you’ll be displayed a window where you can select a level of protection, as displayed in the following example.
Now press the Apply button to activate the protection.
To sum up
Once you’ve finished the guidance shown above, your system should be clean from the Phobos ransomware virus and other malware. Your machine will no longer encrypt your personal files. Unfortunately, if the guidance does not help you, then you have caught a new variant of ransomware, and then the best way – ask for help here.