What is Phobos ransomwarE? And how does it carry out its attack?
Phobos ransomware, also known as “Phobos”, is a file-encrypting Trojan that uses a unique victim ID and makes use of the AES encryption algorithm in encrypting the victims’ files. This ransomware spreads as an infected email attachment. Once it is inside the system, it begins to scan the computer for a variety of files to encrypt. According to researchers, it targets the files with the following formats:
PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG
As mentioned earlier, Phobos ransomware uses AES 256 encryption cipher to encrypt the targeted files. It also appends the ID.[<email].PHOBOS extension on each of the affected files. The ransomware uses a TOR-based Command and Control servers. After the encryption, Phobos displays a program window named “Your files are encrypted!” which has a logo for Phobos in the bottom-right corner of the window.
The ransom message displayed in the program window reads:
“All your files are encrypted
Hello World
Data on this PC runed into useless binary code
To return to normal, please contact us by this email: [email protected]
Set topic of your message to ‘Encryption ID:[8 random characters]’
Interesting facts:
- Over time, the cost increases, do not waste your time
- Only we can help you, for sure, no one else.
- BE CAREFUL If you still try to find other solutions to the problem, make a backup copy of the files you want to experiment on, a. play with them. Otherwise, they can be permanently damaged.
- Any services that offer you help or just take money from you and disappear, or they will be intermediaries between us, with inflated value. Since the antidote is only among the creators of the virus
PHOBOS”
In its ransom note, Phobos indicated that the information stored on the affected computer was “turned into a useless binary code” and that victims must follow the ransom payment instructions given to recover the files. You should know better than to believe the ransom note as cyber criminals are not exactly known to keep their words. Hence, paying them won’t do you any good. It would be best if you try other alternative ways to recover your files – one of the effective ways to do so is through the files’ shadow volume copies. However, it would only work if Phobos hasn’t deleted them but it is still worth a try. If not, you can always use any backup copies of your files.
How does Phobos ransomware spread its malicious files?
Phobos uses the same old trick to spread its malicious files that most ransomware infection uses which is through malicious spam email a campaign. These kinds of emails often deceive users into downloading and opening the attachment. As a result, Phobos is installed in the system. Aside from that, the malicious files may also be embedded in an external web link which is also sent through email such as a button linking to a dropbox account and other forms of account for online file sharing where the malicious file can be downloaded directly.
Follow the steps provided below to delete Phobos ransomware from your computer.
Step 1: Open the Task Manger, to do so, tap Ctrl + Shift + Esc.
Step 2: After you’ve opened the Task Manager, go to the Processes tab and look for Phobos ransomware’s malicious process and end its process by clicking on End Task or End Process.
Step 3: Close the Task Manager and open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 4: Look for Phobos Ransomware or any suspicious program and then Uninstall it/them.
Step 5: Tap Win + E keys to launch File Explorer.
Step 6: Navigate to the following locations below and look for Phobos ransomware’s malicious components it came with as well as other suspicious files and then delete all of them.
- %TEMP%
- %APPDATA%
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 7: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use PC Cleaner Pro, this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step 8: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 9: Navigate to the following path:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Step 10: Delete the registry keys and sub-keys created by Phobos ransomware.
Step 11: Close the Registry Editor and empty your Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if Phobos ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.
To make sure that nothing is left behind and that the Phobos is completely removed, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOSscreen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
- To navigate the Advanced Optionuse the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the SafeMode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Boxwill show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.