How to remove Phobos ransomware from PC

Files encrypted by Phobos ransomware: Is there any solution?

Phobos ransomware is the file locker infection that locks files and then blackmails its victims to pay money. This malware renames all encrypted files by adding .phobos extension plus a unique victim’s associated ID number and email address belongs to the developers behind the threat. This malware uses AES cryptography to encrypt user’s crucial files. Soon after the encryption, it generates an HTML application (“Phobos.hta”) and opens a pop-up window.

The created file states that decryption requires a unique decryption tool that can only be purchased from Phobos ransomware developers. The victims can contact them through the provided email address. To get the files, users have to pay $3000 in Bitcoin cryptocurrency. They also inform users to pay money to the provided BTC address within 6 hours otherwise the price will be increased by $2000 and then the total cost of decryption tool is $5000.

As a proof that there tool is really working, they offer free decryption of some files. They also urged victims to contact them as soon as possible supposedly the sooner the cyber criminals are contacted, the lower the cost of decryptions. Despite this, they also warn users not to try any other tools and rename the encrypted files or otherwise the last hope of files decryption will permanently be deleted.

How did Phobos ransomware intrude in?

Ransomware viruses mostly infiltrate through dubious software download sources, Trojans, fake software updater’s and spam email campaigns. Trojans are malicious apps that cause chain infection. Fake software updaters exploit bugs/flaws or directly download malware instead of providing updates. Spam emails containing infectious files or website links for such files as they are sent as a campaign in order to trick users into believing that the emails they are receiving is important and useful.

Opening these attachments or installing malicious software usually causes computer infection with ransomware or other high risk viruses. Cyber criminals use untrustworthy sources (peer to peer networks, free file hosting websites, freeware download websites etc) to infiltrate malicious files by presenting is as legitimate. Finally, cracking tools infect computer by supposedly bypassing activation key for paid software. All these methods are used for ransomware and other malware distribution.

What to do when your system get infected?

Despite the above statements, you should not trust on the cyber criminals and must not contact or pay ransom to them under any circumstances. Paying money to them does not generate any positive results and you will be scammed. In case they provide such key, it might possible that the key may not work properly or contain lots of viruses that will fetch your personal as well as banking details. So, you are highly advised to remove Phobos ransomware completely from the system to avoid further infections. To do so, you are highly suggested to use some powerful anti-malware program. Once malware gets removed, you can restore your files using existing backup. If backup files are not available you can use other data recovery tool.

Steps to avoid ransomware infections:

• Browse safely and avoid visiting unreliable websites especially related to adult dating, gambling, pornography and so on.
• Don’t open any spam email attachments if received from suspicious addresses. It is hard to find their symptoms but they mostly have lot of spelling and grammar mistake in their content.
• Avoid downloading random files and programs. Read their terms and agreements as well as privacy policy very carefully. Choose custom or advance options so that hidden files could be avoided.
• For any applications download, use only official and verified sources and avoid using unreliable software download channels (such as questionable pages, third party installer, free file hosting sites etc).

Text presented in Phobos ransomware pop-up window:

All your files are encrypted
To decrypt your files, contact us using this e-mail: [email protected] Please set topic ‘Encryption ID: ********’.

We offer free decryption of your test files as a proof. You can attach them to your e-mail and we’ll send you decrypted ones.
Decryption price increases over time, hurry up and get discount.
Decryption using third parties may lead to scam or increased price.

Text presented in a second variant of Phobos ransomware pop-up window:

All your files are encrypted
Hello World
Data on this PC turned into a useless binary code
To return to normal, please contact us by this e-mail: [email protected], [email protected], [email protected]
Set topic of your message to ‘Encryption ID: ********’
Interesting Facts:
• 1. Over time, the cost increases, do not waste your time
• 2. Only we can help you, for sure, no one else.
• 3. BE CAREFUL !!! If you still try to find other solutions to the problem, make a backup copy of the files you want to experiment on, and play with them. Otherwise, they can be permanently damaged
• 4. Any services that offer you help or just take money from you and disappear, or they will be intermediaries between us, with inflated value. Since the antidote is only among the creators of the virus

Antimalware Details And User Guide

Click Here For Windows

Click Here For Mac

Step 1: Remove Phobos ransomware through “Safe Mode with Networking”

Step 2: Delete Phobos ransomware using “System Restore”

Step 1: Remove Phobos ransomware through “Safe Mode with Networking”

For Windows XP and Windows 7 users: Boot the PC in “Safe Mode”. Click on “Start” option and continuously press on F8 during the start process until the “Windows Advanced Option” menu appears on the screen. Choose “Safe Mode with Networking” from the list.

Now, a windows homescreen appears on the desktop and work-station is now working on “Safe mode with networking”.

For Windows 8 Users: Go to the “Start Screen”. In the search results select settings, type “Advanced”. In the “General PC Settings” option, choose “Advanced startup” option. Again, click on the “Restart Now” option. The work-station boots to “Advanced Startup Option Menu”. Press on “Troubleshoot” and then “Advanced options” button.  In the “Advanced Option Screen”, press on “Startup Settings”. Again, click on “Restart” button. The work-station will now restart in to the “Startup Setting” screen. Next is to press F5 to boot in Safe Mode in Networking.

For Windows 10 Users: Press on Windows logo and on the “Power” icon. In the newly opened menu, choose “Restart” while continuously holding “Shift” button on the keyboard. In the new open “Choose an option” window, click on “Troubleshoot” and then on the “Advanced Options”. Select “Startup Settings” and press on “Restart”. In the next window, click on “F5” button on the key-board.

Step 2: Delete Phobos ransomware using “System Restore”

Log-in to the account infected with Phobos ransomware. Open the browser and download a legitimate anti-malware tool. Do a full System scanning. Remove all the malicious detected entries.

In case if you cannot start the PC in “Safe Mode with Networking”, Try using “System Restore”

• During the “Startup”, continuously press on F8 key until the “Advanced Option” menu appears. From the list, choose “Safe Mode with Command Prompt” and then press “Enter”

• In the new opened command prompt, enter “cd restore” and then press “Enter”.

• Type: rstrui.exe and Press “ENTER”

• Click “Next” on the new windows

• Choose any of the “Restore Points” and click on “Next”. (This step will restore the work-station to its earlier time and date prior to Phobos ransomware infiltration in the PC.

• In the newly opened windows, press on “Yes”.

Once your PC gets restored to its previous date and time, download the recommended anti-malware tool and perform a deep scanning in order to remove Phobos ransomware files if they left in the work-station.

In order to restore the each (separate) file by this ransomware, use “Windows Previous Version” feature. This method is effective when “System Restore Function” is enabled in the work-station.

Important Note: Some variants of Phobos ransomware delete the “Shadow Volume Copies” as well hence this feature may not work all the time and is applicable for selective computers only.

How to Restore Individual Encrypted File:

In order to restore a single file, right click on it and go to “Properties”. Select “Previous Version” tab. Select a “Restore Point” and click on “Restore” option.

In order to access the files encrypted by Phobos ransomware, you can also try using “Shadow Explorer”. In order to get more information on this application, press here.

Important: Data Encryption Ransomware are highly dangerous and it is always better that you take precautions to avoid its attack on your work-station. It is advised to use a powerful anti-malware tool in order to get protection in real-time. With this help of “SpyHunter”, “group policy objects” are implanted in the registries in order to block harmful infections like Phobos ransomware.

Also, In Windows 10, you get a very unique feature called “Fall Creators Update” that offer “Controlled Folder Access” feature in order to block any kind of encryption to the files. With the help of this feature, any files stored in the locations such as “Documents”, “Pictures”, “Music”, “Videos”, “Favorites” and “Desktop” folders are safe by default.

It is very important that you install this “Windows 10 Fall Creators Update” in your PC to protect your important files and data from ransomware encryption. The more information on how to get this update and add an additional protection form rnasomware attack has been discussed here.

How to Recover the Files Encrypted by Phobos ransomware?

Till now, you would have understood that what had happed to your personal files that got encrypted and how you can remove the scripts and payloads associated with Phobos ransomware in order to protect your personal files that has not been damaged or encrypted until now. In order to retrieve the locked files, the depth information related to “System Restore” and “Shadow Volume Copies” has already been discussed earlier. However, in case if you are still unable to access the encrypted files then you can try using a data recovery tool.

Use of Data Recovery Tool

This step is for all those victims who have already tries all the above mentioned process but didn’t find any solution. Also it is important that you are able to access the PC and can install any software. The data recovery tool works on the basis of System scanning and recovery algorithm. It searches the System partitions in order to locate the original files which were deleted, corrupted or damaged by the malware. Remember that you must not re-install the Windows OS otherwise the “previous” copies will get deleted permanently. You have to clean the work-station at first and remove Phobos ransomware infection. Leave the locked files as it is and follow the steps mentioned below.

Step1: Download the software in the work-station by clicking on the “Download” button below.

Step2: Execute the installer by clicking on downloaded files.

Step3: A license agreement page appears on the screen. Click on “Accept” to agree with its terms and use. Follow the on-screen instruction as mentioned and click on “Finish” button.

Step4: Once the installation gets completed, the program gets executed automatically. In the newly opened interface, select the file types that you want to recover and click on “Next”.

Step5: You can select the “Drives” on which you want the software to run and execute the recovery process. Next is to click on the “Scan” button.

Step6: Based on drive you select for scanning, the restore process begins. The whole process may take time depending on the volume of the selected drive and number of files. Once the process gets completed, a data explorer appears on the screen with preview of that data that is to be recovered. Select the files that you want to restore.

Step7. Next is to locate the location where you want to saver the recovered files.