Remove Phobos Ransomware (+.Phobos File Recovery)

How to Remove Phobos Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

All your files are encrypted
To decrypt your files, contact us using this e-mail: Cadillac.407@aol.com Please set topic ‘Encryption ID: ********’.

We offer free decryption of your test files as a proof. You can attach them to your e-mail and we’ll send you decrypted ones.
Decryption price increases over time, hurry up and get discount.
Decryption using third parties may lead to scam or increased price.


Phobos is the latest ransomware to plague users. It’s a malicious infection that invades your PC via trickery, then spreads its corruption throughout and extorts you. Let’s explain. The ransomware slithers its way into your system, then wastes no time. It uses AES cryptography to encrypt your data and take control. Every video, document, archive, picture, everything gets encrypted. The tool appends ‘.phobos’ to the end of each file and thus makes it unusable. After the extension gets added, you can no longer access your files. Say you have a file called ‘yes.jpg’. You come to find it as ‘yes.jpg.ID-63857777.[Job2019@tutanota.com].phobos’ or as ‘yes.jpg.ID-63857777.[Cadillac.407@aol.com].phobos’. Both are possible. The infection places these precise extensions with a purpose: it then urges you to contact the attackers by means of the aforementioned email addresses. What’s more, you’re expected to do it as soon as possible. You best believe these criminals stress the importance of urgency. After they lock your data, they generate an HTML application called ‘Phobos.hta’. It displays the ransom note that contains their instructions. You’re expected to contact them ASAP via the provided email and, of course, to pay a ransom if you wish to free your files. Supposedly, “decryption price increases over time.” So, they advise you to “hurry up and get discount.” Not only that, but they claim that turning to third-party help “may lead to increased price.” Don’t fall for their trickery. They’re hoping to frighten you into compliance. But the best course of action you can take is NOT to comply. Don’t reach out to them or pay the ransom. Forsake your files and move on. Yes, it’s a difficult concept to grasp, but you’re better off with no files than dealing with ransomware. You have to realize that the game is set up for you to lose. Ransomware infections like Phobos are formidable foes. Cut your losses. Say goodbye to your files, and start using external storage or cloud services.
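As an added illustration (not code from the original article), the Python snippet below recognises the file-name pattern described above and tallies encrypted files by victim ID and contact address, which is what an incident record needs before you decide on restoring from backup; the directory listing it works on is constructed.

```python
import re
from collections import defaultdict

# Phobos renames each encrypted file as
#   <original name>.ID-<victim id>.[<contact e-mail>].phobos
# e.g. yes.jpg.ID-63857777.[Cadillac.407@aol.com].phobos
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)\.ID-(?P<victim_id>[0-9A-Fa-f]+)"
    r"\.\[(?P<contact>[^\]]+)\]\.phobos$"
)


def parse_phobos_name(filename):
    """Return (original_name, victim_id, contact) or None if not a Phobos name."""
    m = PHOBOS_NAME.match(filename)
    if m is None:
        return None
    return m.group("original"), m.group("victim_id"), m.group("contact")


def inventory(filenames):
    """Group encrypted files by (victim_id, contact) so the incident record
    shows which ID and address the ransom note refers to and how many files
    were hit; names that do not carry the pattern are returned separately."""
    hits = defaultdict(list)
    untouched = []
    for name in filenames:
        parsed = parse_phobos_name(name)
        if parsed is None:
            untouched.append(name)
        else:
            original, victim_id, contact = parsed
            hits[(victim_id, contact)].append(original)
    return dict(hits), untouched


# Constructed sample directory listing (not taken from a real infection).
SAMPLE_LISTING = [
    "yes.jpg.ID-63857777.[Cadillac.407@aol.com].phobos",
    "report.docx.ID-63857777.[Cadillac.407@aol.com].phobos",
    "Phobos.hta",
    "notes.txt",
]

if __name__ == "__main__":
    hits, untouched = inventory(SAMPLE_LISTING)
    for (victim_id, contact), names in hits.items():
        print(f"ID {victim_id} via {contact}: {len(names)} file(s) {names}")
    print("no Phobos extension:", untouched)
```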

How did I get infected?

Phobos uses the old but gold invasive methods. It hides behind corrupted links, sites, or torrents. It conceals itself behind spam email attachments. Or, it uses freeware as a way in. The tool has a myriad of ways to invade, but none of them can succeed without your assistance. Yes, the infection needs your carelessness. Without it, the ransomware can’t slither in undetected and wreak havoc. Phobos needs you to rush and skip reading terms and conditions. It needs you to agree to everything in haste and hope for the best. It preys on your naivety. Don’t ease its infiltration. Don’t throw caution to the wind and rely on luck. Always choose vigilance over the lack thereof. Even a little extra attention goes a long way. Carelessness tends to be a one-way street to infections. Remember that.


Why is Phobos dangerous?

After Phobos strikes, you have a choice to make. To pay or not to pay. Let’s examine your options. If you choose to comply, contact these people, and pay the ransom, what then? What do you imagine happens after you send the requested sum? Well, you wait. You wait to see if these cyber criminals keep their promise to send you the decryption key you need. That’s hardly wise. You can’t put your faith in strangers that seized control over your data. Don’t expect them to keep their word. You have zero guarantees of their trustworthiness. They can choose not to send you a key, or send one that doesn’t work. And even if they send the proper one, that’s still no cause for celebration. Think about it. If you apply the decryption key and free your files, what happens next? You haven’t removed the infection itself, but rather a symptom of it. The ransomware remains, and it can attack your data again. Nothing stops it from encrypting your files again and demanding yet another payment. What are you going to do? Pay these people until you’re left with no money? Cut your losses! Forsake your files. And, instead of putting your faith in empty promises, put it elsewhere. Back up your files.

Phobos Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Phobos Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open Task Manager by pressing the CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Bear in mind that this is usually a randomly generated file name.
  • Before you kill the process, write its name down in a text document for later reference.


  • Locate any suspicious processes associated with the Phobos encryption virus.
  • Right-click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Bear in mind that the process may be hidden and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and then “OK”

STEP 3: Locate the Phobos encryption virus startup location

  • Once the operating system loads, press the Windows logo key and the R key simultaneously.


Depending on your OS (x86 or x64), navigate in the Registry Editor to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the value with the random display name: [RANDOM]


  • Then open Explorer, navigate to your %appdata% folder and delete the executable.

You can alternatively use the Windows msconfig program to double-check the execution point of the virus. Please bear in mind that the names on your machine may be different, as they are generated randomly; that’s why you should run a professional scanner to identify malicious files.
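Because the value name is random, it is more reliable to check where each Run entry points than what it is called. The following Python script is an added example, not part of the original instructions: it reads the three Run keys listed above and flags entries whose executable lives under a user-writable folder such as %appdata%; the sample entries, the user name and the random value name are constructed, and on a live machine you would pass the output of read_run_entries() together with your real %APPDATA% and %TEMP% paths to flag_entries().

```python
import ntpath
import re

# The three autorun keys named in the step above (per-user, machine, and the 32-bit view on x64).
RUN_KEYS = [
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"),
]

def extract_exe_path(command):
    """Pull the executable path out of a Run value (quoted or unquoted, with arguments)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]

def flag_entries(entries, user_writable_roots):
    """Return (name, path) for Run entries whose executable lives under one of the
    given user-writable folders (%APPDATA%, %TEMP%, ...): the value name is random,
    so match on location rather than on name. Paths are compared case-insensitively."""
    roots = [ntpath.normcase(ntpath.normpath(r)) for r in user_writable_roots]
    flagged = []
    for name, command in entries:
        exe = ntpath.normcase(ntpath.normpath(ntpath.expandvars(extract_exe_path(command))))
        if any(exe.startswith(root + ntpath.sep) for root in roots):
            flagged.append((name, exe))
    return flagged

def read_run_entries():
    """Read (name, command) pairs from the three Run keys; works on Windows only."""
    import winreg  # standard library, but only present on Windows
    entries = []
    for hive, path in RUN_KEYS:
        try:
            with winreg.OpenKey(getattr(winreg, hive), path) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _ = winreg.EnumValue(key, i)
                    entries.append((name, str(value)))
        except OSError:  # key absent (e.g. Wow6432Node on x86) or access denied
            pass
    return entries

# Constructed sample entries; the random value name "hXk2q9" stands in for [RANDOM] above.
SAMPLE_ENTRIES = [("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
                  ("hXk2q9", r"C:\Users\alice\AppData\Roaming\hXk2q9.exe")]
SAMPLE_ROOTS = [r"C:\Users\alice\AppData\Roaming", r"C:\Users\alice\AppData\Local\Temp"]
```

Running flag_entries(SAMPLE_ENTRIES, SAMPLE_ROOTS) reports only the entry under AppData\Roaming; a flagged entry is a candidate for the manual check above, not proof of infection on its own.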

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, if you have one.


  • Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the drive you want to recover. Right-click on any file you want to restore and click Export.
