Phobos Ransomware

Phobos Ransomware Description

The Phobos Ransomware is an encryption ransomware Trojan that was first observed on October 21, 2017. The Phobos Ransomware is being used to target computer users in Western Europe and the United States and delivers its ransom messages to the victims in English. The main way in which the Phobos Ransomware is distributed is through spam email attachments, which may appear as Microsoft Word documents with macros enabled. These macro scripts are designed to download and install the Phobos Ransomware onto the victim's computer when the corrupted file is opened. The Phobos Ransomware is likely an independent threat, since it does not appear to belong to a large Ransomware as a Service (RaaS) family.

How to Identify the Files Encrypted by the Phobos Ransomware

Like most similar threats, the Phobos Ransomware works by encrypting the victim's files with a strong encryption algorithm. The encryption makes the files inaccessible, allowing the Phobos Ransomware to hold the victim's data hostage until a ransom is paid. The Phobos Ransomware targets user-generated files, which may include files with the following extensions:

.aif, .apk, .arj, .asp, .bat, .bin, .cab, .cda, .cer, .cfg, .cfm, .cpl, .css, .csv, .cur, .dat, .deb, .dmg, .dmp, .doc, .docx, .drv, .gif, .htm, .html, .icns, .iso, .jar, .jpeg, .jpg, .jsp, .log, .mid, .mp3, .mp4, .mpa, .odp, .ods, .odt, .ogg, .part, .pdf, .php, .pkg, .png, .ppt, .pptx, .psd, .rar, .rpm, .rss, .rtf, .sql, .svg, .tar.gz, .tex, .tif, .tiff, .toast, .txt, .vcd, .wav, .wks, .wma, .wpd, .wpl, .wps, .wsf, .xlr, .xls, .xlsx, .zip.

As the list above shows, the Phobos Ransomware targets documents, media, images, and other commonly used files, and encrypts them using AES-256 encryption. After the victim's files have been encrypted, the Phobos Ransomware communicates with its Command and Control server to relay data about the infected computer and to receive configuration data. The Phobos Ransomware marks the files it has encrypted by appending the following string to their names:

..ID[eight random characters].[ottozimmerman@protonmail.ch].PHOBOS

The Phobos Ransomware's Ransom Demands

After the victim's files have been encrypted and renamed, the Phobos Ransomware delivers a ransom note in the form of a program window with the title 'Your files are encrypted!'. This program window displays the logo 'PHOBOS' in one of its corners and claims that the victim must pay a ransom to restore the affected files. The ransom note that the Phobos Ransomware displays during its attack reads:

'All your files are encrypted
Hello World
Data on this PC runed into useless binary code
To return to normal, please contact us by this email: OttoZimmerman@protonmail.ch
Set topic of your message to 'Encryption ID:[8 random characters]'
Interesting facts:
1. Over time, the cost increases, do not waste your time
2. Only we can help you, for sure, no one else.
3. BE CAREFUL If you still try to find other solutions to the problem, make a backup copy of the files you want to experiment on, a. play with them. Otherwise, they can be permanently damaged.
4. Any services that offer you help or just take money from you and disappear, or they will be intermediaries between us, with inflated value. Since the antidote is only among the creators of the virus
PHOBOS'

Dealing with the Phobos Ransomware

Unfortunately, once the Phobos Ransomware encrypts the files, it is not possible to restore the affected files without the decryption key. Because of this, it is important to take preemptive measures to ensure that your data is well protected. The best protection against threats like the Phobos Ransomware is a reliable backup system. Having backup copies of all files means that victims of a Phobos Ransomware attack can restore their data quickly and reliably.

Update January 4th, 2019 — 'Job2019@tutanota.com' Ransomware

The 'Job2019@tutanota.com' Ransomware is categorized as a slightly updated variant of the Phobos Ransomware, which was initially released in October 2017. The 'Job2019@tutanota.com' Ransomware appeared a little more than a year later with no significant updates to show. The 'Job2019@tutanota.com' Ransomware was identified in January 2019 and seems to spread the same way as its predecessor. The threat payload is delivered through macro scripts embedded in Microsoft Word files that you might see attached to seemingly official updates from social media and online stores. The 'Job2019@tutanota.com' Ransomware is likely to create a temporary folder on the primary system drive and load a process with a random name, visible in the Task Manager. The 'Job2019@tutanota.com' Ransomware Trojan is configured to delete the Shadow Volume snapshots before encoding your photos, text, music and video. The new variant is known to promote decryption services via two email accounts, namely 'Job2019@tutanota.com' and 'Cadillac.407@aol.com.' The ransom note is styled as a small program window colored in the same shade of blue as the default Windows 10 theme. The Trojan is reported to show a window named 'Your files are encrypted!.' The window seems to be loaded from 'Phobos.hta,' which is dropped to the Temp folder on Windows and reads:

'All your files are encrypted
Hello World
Data on this PC turned into a useless binary code
To return to normal, please contact us by this e-mail: OttoZimmerman@protonmail.ch
Set topic of your message to 'Encryption ID: [8 digit number]
1. Over time, the cost increases, do not waste your time
2. Only we can help you, for sure, no one else.
3. BE CAREFUL !!! If you still try to find other solutions to the problem, make a backup copy of the files you want to experiment on, and play with them. Otherwise, they can be permanently damaged
4. Any services that offer you help or just take money from you and disappear, or they will be intermediaries between us, with inflated value. Since the antidote is only among the creators of the virus'

Some variants of the 'Job2019@tutanota.com' Ransomware are said to produce a simple dialog box instead of the 'Your files are encrypted!' screen that says:

'All your files are encrypted
To decrypt your files, contact us using this e-mail: [email address] Please set topic 'Encryption ID: [8 digit number].
We offer free decryption of your test files as a proof. You can attach them to your e-mail, and we'll send you decrypted ones.
Decryption price increases over time, hurry up and get discount.
Decryption using third parties may lead to scam or increased price.'

The affected data may receive one of two extensions — '.ID-[8 digit number].[Job2019@tutanota.com].phobos' or '.ID-[8 digit number].[Job2019@tutanota.com].phobos.' For example, 'Sabaton-Carolus Rex.mp3' may be renamed to 'Sabaton-Carolus Rex.mp3.ID-91651720.[Job2019@tutanota.com].phobos' and 'Sabaton-Carolus Rex.mp3.ID-68941751.[Job2019@tutanota.com].phobos.' We recommend avoiding negotiations with the ransomware actors because you may not receive a decryptor. You should use data backups to rebuild your file structure and run a complete system scan to remove any resources that may have been left behind by the 'Job2019@tutanota.com' Ransomware.
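The file-naming convention described above for the original Phobos sample and for the 'Job2019@tutanota.com' variant can be used to triage a file listing from an affected system. The following is an added example, not code from the original article: it parses the '<original name>.ID-<8 characters>.[<contact email>].phobos' suffix (accepting the hyphen-less 'ID' and upper-case '.PHOBOS' form of the 2017 sample), recovers the original file name, and counts victim IDs and contact addresses so responders can see how many files and which campaign are involved. The file names in SAMPLE_LISTING are constructed for the example.

```python
import re
from collections import Counter

# Suffix appended by Phobos: "<original>.ID-<8 chars>.[<contact email>].phobos".
# The 2017 sample is described with ".ID" (no hyphen) and ".PHOBOS", so both
# spellings are accepted; IGNORECASE covers the upper-case marker.
PHOBOS_SUFFIX = re.compile(
    r"^(?P<original>.+?)\.ID-?(?P<victim_id>[0-9A-Za-z]{8})"
    r"\.\[(?P<contact>[^\]\s]+@[^\]\s]+)\]\.phobos$",
    re.IGNORECASE,
)


def parse_phobos_name(filename: str):
    """Return (original_name, victim_id, contact_email) or None if not a Phobos-style name."""
    m = PHOBOS_SUFFIX.match(filename)
    if not m:
        return None
    return m.group("original"), m.group("victim_id"), m.group("contact")


def triage(filenames):
    """Summarise Phobos-renamed files in a listing.

    Returns a dict with one entry per renamed file plus counts of the victim IDs
    and contact addresses seen, which normally identify a single campaign.
    """
    hits, ids, contacts = [], Counter(), Counter()
    for name in filenames:
        parsed = parse_phobos_name(name)
        if parsed is None:
            continue  # not renamed by Phobos (e.g. the dropped Phobos.hta note)
        original, victim_id, contact = parsed
        hits.append({"encrypted": name, "original": original,
                     "victim_id": victim_id, "contact": contact})
        ids[victim_id] += 1
        contacts[contact.lower()] += 1
    return {"hits": hits, "victim_ids": dict(ids), "contacts": dict(contacts)}


# Constructed sample listing for the example; not taken from a real incident.
SAMPLE_LISTING = [
    "Sabaton-Carolus Rex.mp3.ID-91651720.[Job2019@tutanota.com].phobos",
    "budget.xlsx.ID-91651720.[Job2019@tutanota.com].phobos",
    "report.docx.ID12ab34cd.[ottozimmerman@protonmail.ch].PHOBOS",
    "notes.txt",
    "Phobos.hta",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    print(f"{len(summary['hits'])} renamed files; victim IDs: {summary['victim_ids']}; "
          f"contacts: {summary['contacts']}")
```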

2 Comments

  • mostafa ahmed:

    Hello,
    We were affected by the Phobos ransomware and need tools to clean the virus from our network, and a way to decrypt files, whatever the cost,
    so please advise and support us ASAP.

    Regards

  • asam:

    As per our analysis, your files were encrypted by STOP Ransomware. Unfortunately, due to the method of encryption which this ransomware implies, the files are not decryptable.
