Recovery & Decryption
Phobos Ransomware Recovery & Decryption
Are your files encrypted by Phobos Ransomware and you need data recovery from Phobos?
If yes, then it is a company-wide encryption. Learn more about the Phobos ransomware, its decryption, recovery, removal and statistics.
Our Ransomware data recovery experts can help your business recover your files fast.
All our Ransomware Decryption process is performed remotely and we can schedule a consultation call with your team to assess the damage done to your files.
How do I know if Phobos Ransomware has infected my infrastructure?
When your files are unable to open, your databases are not working any more and you get a notice demanding a ransom payment in order to unlock your files, then you are probably a victim of a ransomware attack.
Phobos Ransomware was firstly detected in October 2017, and its a new ransomware virus family that is related to Dharma Ransomware.
This ransomware strain uses AES 256-bit encryption, thus making it almost impossible to decrypt your files using a free decryptor tool.
But how can I be sure that Phobos Ransomware family is the one that encrypted my files?
These are the symptomps and indications that show you that you have been infected by Phobos Ransomware:
- PHOBOS Ransomware leaves a ransomware note file called: Your Files are Encrypted.Txt on the Desktop of the infected machine but also sometimes in the Documents folder
- Your File extensions change to a format like this: <original name>.id[<victim ID>-<version ID>][<attacker’s e-mail>].<added extention> for example invoice3232.pdf.id[BAF3BBED-2822].[lyontrevor@aol.com]
- You suddenly notice that you have lost your desktop wallpaper
- Your CPU showing 100% peak value even though no applications are running
- Your computer is very slow
- Your hard disk is constantly showing operation at 100% and is very slow
- You cannot use your antivirus software or it is deactivated without any obvious reason
- A lot of your applications cannot execute (including your SQL server cannot load the databases)
Antivirus Software recognize Phobos Family like this
- Dr.Web: Trojan.Encoder.27737, Trojan.PWS.Banker1.30220, Trojan.Encoder.28637, Trojan.Encoder.28626, Trojan.Encoder.29362, Trojan.Encoder.31543
- BitDefender: Trojan.GenericKD.31737610, Gen:Variant.Ulise.24543, Trojan.GenericKD.31838640, Gen:Variant.Ulise.36831, Gen:Variant.Ransom.Phobos.*, Gen:Variant.Ulise.39944, Gen:Variant.Graftor.651871, Trojan.Ransom.Phobos.F
- ESET-NOD32: Win32/Filecoder.Phobos, A Variant Of Win32/Kryptik.GOLH, A Variant Of Win32/Filecoder.Phobos.A, A Variant Of Win32/Filecoder.Phobos.B, A Variant Of Win32/Filecoder.Phobos.C
- ALYac: Trojan.Ransom.Phobos
- Ikarus: Trojan-Ransom.Phobos
- Malwarebytes: Trojan.Crypt, Ransom.Phobos
- Sophos AV: Troj/Phobos-B
- Symantec: ML.Attribute.HighConfidence
- VBA32: BScope.TrojanRansom.Blocker
Phobos Ransomware File Extentions
Phobos team is using is using the following extentions to encrypt files:
- .actin, .Acton, .actor, .Acuna, .actin, .Acton, .actor, .Acuff, .Acuna, .acute, .adage, .Adair, .Adame, .age, .angus,
- .banhu, .banjo, .Banks, .Banta, .Barak, .barak, .bbc, .blend, .BORISHORSE, .bqux,
- .Caleb, .Cales, .Caley, .calix, .Calle, .Calum, .Calvo, .CAPITAL, .com,
- .DDoS, .deal, .deuce, .Dever, .devil, .Devoe, .Devon, .Devos, .dewar,
- .eight, .eject, .eking, .Elbie, .elbow, .elder, .eject
- .Frendi, .help, .HORSELIKER,
- .KARLOS, .karma,
- .mamba, .octopus,
- .phobos, .phoenix, .PLUT,
- .WALLET, .zax,
Phobos Ransomware Emails
If you find one of these emails in your files, then you are infected by Phobos:
- 2020×0@protonmail.com
- 2020x@cock.lu
- 2172998725@qq.com
- 2183313275@qq.com
- Admincrypt@protonmail.com
- Bexonvelia@aol.com
- Datarest0re@aol.com
- DavidsHelper@protonmail.com
- DonovanTudor@aol.com
- Everest_2010@aol.com
- FobosAmerika@protonmail.ch
- Keta990@protonmail.com
- MerlinWebster@aol.com
- OttoZimmerman@protonmail.ch
- Quantroei@protonmail.com
- Raphaeldupon@aol.com
- SimpleSup@cock.li
- SimpleSup@tutanota.com
- Tedmundboardus@aol.com
- The777@tuta.io
- Unlockfiles@qq.com
- William_Kidd_2019@protonmail.com
- abbott_wearing@aol.com
- absonkaine@aol.com
- agent5305@firemail.cc
- alphonsepercy@aol.com
- anamciveen@aol.com
- anygrishevich@yandex.ru
- apoyo2019@protonmail.com
- autrey.b@aol.com
- b.morningtonjones@aol.com
- back7@protonmail.ch
- back_ins@protonmail.ch
- backup.iso@aol.com
- bad_boy700@aol.com
- ban.out@foxmail.com
- barcelona_100@aol.com
- batecaddric@aol.com
- bbbitcrypt@tutanota.com
- bbitcrypt@protonmail.com
- beautydonkey@xmpp.jp
- beltoro905073@aol.com
- berne.fiddell@aol.com
- bexonvelia@aol.com
- bowen.bord@aol.com
- britt.looper@aol.com
- burnofin@hotmail.com
- cadillac.407@aol.com
- captainpilot@cock.li
- carmichael.lion@aol.com
- cello_dodds@aol.com
- cercisori1979@aol.com
- chagenak@airmail.cc
- checkcheck07@qq.com
- chinadecrypt@fasthelpassia.com
- christosblee@aol.com
- ciaprepoulep1977@aol.com
- cleverhorse@ctemplar.com
- cleverhorse@protonmail.com
- cleverhorse@xmpp.jp
- com-gloria@protonmail.com
- com-gloria@tutanota.com
- cosmecollings@aol.com
- costelloh@aol.com
- crioso@protonmail.com
- crysall.g@aol.com
- cynthia-it@protonmail.com
- danger@countermail.com
- danianci@airmail.cc
- darillkay@aol.com
- datadecryption@countermail.com
- debourbonvincenz@aol.com
- decphob@protonmail.com
- decphob@tuta.io
- decriptionsupport911@airmail.cc
- decrypt2020@aol.com
- decrypt4data@protonmail.com
- decrypt@files.mn
- decrypt_here@xmpp.jp
- decrypt_here@xrnpp.jp
- decryptbox@airmail.cc
- decryptfiles@420blaze.it
- decryptfiles@cock.lu
- decryptfiles@hot-chilli.eu
- decryptfiles@qq.com
- deltatech@tuta.io
- deltatechit@protonmail.com
- dennet.smellie@aol.com
- dessert_guimauve@aol.com
- dominga.k@aol.com
- eccentric_inventor@aol.com
- eddyayman@gmail.com
- elizabeth67bysthompson@aol.com
- elizabethz7cu1jones@aol.com
- ezequielanthon@aol.com
- fileb@protonmail.com
- fileisafe@tuta.io
- files2@protonmail.com
- filesreturn@cock.li
- flexney.pail@aol.com
- francispilmoor@aol.com
- friends2019@protonmail.com
- funnyredfox@aol.com
- gabbiemciveen@aol.com
- gherardobaxter@aol.com
- gomer_simpson2@aol.com
- grattan.l@aol.com
- grander123@tutanota.com –
- greg.philipson@aol.com
- gruzudo@cock.li
- hadleeshelton@aol.com
- hanesworth.fabian@aol.com
- harlin_marten@aol.com
- hartpole.danie@aol.com
- helpisos@aol.com
- helprecover@foxmail.com
- helpteam38@protonmail.com
- helpyourdata@qq.com
- hickeyblair@aol.com
- hidebak@protonmail.com
- horsesecret@xmpp.jp
- irvinclarke@aol.com
- jabberpaybtc@sj.ms
- jewkeswilmer@aol.com
- job2019@tutanota.com
- kabennalzly@aol.com
- kalle.tomlin@aol.com
- karlosdecrypt@outlook.com
- kenny.sarginson@aol.com
- kew07@qq.com
- key07@qq.com
- keysfordecryption@airmail.cc
- keysfordecryption@jabb3r.org
- kickclak@cock.li
- kickclakus@protonmail.com
- klemens.stobe@aol.com
- kokux@tutanota.com
- kokux@tutanota.corn
- kylenoble726@aol.com
- lachneyorlachb@aol.com
- larabita@cock.li
- leeming.derick@aol.com
- leonardo@cock.lu
- lewisswaffield.a@aol.com
- limboshuran@cock.li
- lockhelp@qq.com
- lockhelp@xmpp.jp
- lofutesdogg1983@aol.com
- luciolussenhoff@aol.com
- lucky_top@protonmail.com
- maitlandtiffaney@aol.com
- mccreight.ellery@tutanota.com
- mecybaki@firemail.cc
- member987@cock.li
- member987@tutanota.com
- mr.helper@jabb3r.de
- mr.helper@qq.com
- naqohiky@firemail.cc
- nichols_l@aol.com
- night_illusion@aol.com
- noyes.brice@aol.com
- octopusdoc@airmail.cc
- octopusdoc@mail.ee
- ofizducwe111988@aol.com
- ofizducwell1988@aol.com
- online24decrypt@airmail.cc
- onlyfiles@aol.com
- painplain98@protonmail.com
- paper_plane1@aol.com
- park.jehu@aol.com
- patern32@protonmail.com
- patiscaje@airmail.cc
- paybtc@sj.ms
- phobos.encrypt@qq.com
- phobos_healper@xmpp.jp
- phobos_helper@exploit.im
- phobos_helper@xmpp.jp
- phobos_helpper@xmpp.jp
- phobosrecovery@cock.li
- phobosrecovery@tutanota.com
- pixell@cock.li
- pixell@tutanota.com
- plombiren@qq.com
- posiccimen1982@aol.com
- prejimzalma1972@aol.com
- prndssdnrp@mail.fr
- ramsey_frederick@aol.com
- randal_inman@aol.com
- raphaeldupon@aol.com
- raynorzlol@protonmail.com
- raynorzlol@thesecure.biz
- raynorzlol@tutanota.com
- recoverhelp2020@thesecure.biz
- recovermyfiles2019@thesecure.biz
- recoveryfast@airmail.cc
- relvirosa1981@aol.com
- repairfiles@foxmail.com
- restorebackup@qq.com
- restoringbackup@airmail.cc
- returnmefiles@aol.com
- robinhood@countermail.com
- sailormorgan@protonmail.com
- savemyself1@tutanota.com
- saveyourfiles@qq.com
- simonsbarth@aol.com
- sookie.stackhouse@gmx.com
- squadhack@email.tg
- stanodexne1982@aol.com
- stocklock@airmail.cc
- stuart.wittie@aol.com
- subik099@tutanota.com
- supportcrypt2019@cock.li
- supportcrypt2019@protonmail.com
- sverdlink@aol.com
- taverptintra1985@aol.com
- tedmundboardus@aol.com
- thedecrypt111@qq.com
- theonlyoption@qq.com
- thorpe.grand@aol.com
- tirrellipps@aol.com
- tirrelllipps@aol.com
- tlalipidas1978@aol.com
- tlalipidas1978@aol.com.exe
- topot@cock.li
- tylecotebenji@aol.com
- upfileme@protonmail.com
- verious1@cock.li
- veritablebee@protonmail.ch
- viadolorosa@tuta.io
- waitheisenberg@xmpp.jp
- walletdata@hotmail.com
- walletwix@aol.com
- wang_team777@aol.com
- wang_team999@aol.com
- washapen@cock.li
- werichbin@cock.li
- werichbin@protonmail.com
- wewillhelpyou@qq.com
- wiruxa@airmail.cc
- withdirimugh1982@aol.com
- worldofdonkeys@protonmail.com
- worldofdonkeys@xmpp.jp
- xxxnxxx@cock.li
- yongloun@tutanota.com
- youcanwrite24h@airmail.cc
- zax4444@qq.com
- zax444@qq.com
- zoye1596@msgden.net
- zoye596@protonmail.com
- cynthia-it@protonmail.com
- leonardo@cock.lu
- Troll900@tutamail.com
- robinhood@countermail.com
- ryuhb12@protonmail.com
- support24@firemail.cc
- ftsbk@protonmail.com
- rapidorecovery@protonmail.com
- sifremialayim@cock.li
- datawarehouse@inbox.ru
- Unlockm301@cock.li
- bitlander@armormail.net
- trimak@cock.li
- tracks@keemail.me
- grander123@tutanota.com
- grander123@protonmail.com
- eject24h@protonmail.com
Phobos Ransomware Note Example 1
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail lockhelp@qq.com Write this ID in the title of your message 000QQQ If there is no response from our mail, you can install the Jabber client and write to us in support of lockhelp@xmpp.jp You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Phobos Ransomware Note Example 2
!!! All your data is encrypted !!! To decrypt them send email to this address: lockhelp@qq.com If there is no response from our mail, you can install the Jabber client and write to us in support of lockhelp@xmpp.jp
Phobos Ransomware Note Example 3
Sometimes ransomware operators do not leave any ransomware note.
In such cases the contact name of the operator is on the actual files.
When analysing the file names we can see that you can find a unique identifier for each encryption source plus the operator ID.
Its very important to enumerate all IDs when dealing with the ransomware attack.
An example is this: instroctions_For_clients.docx.id[BAF3BBED-2822].[lyontrevor@aol.com].eight
How does the Ransomware infect the infrastructure
- Remote Desktop Connection: 83%
- Phishing Emails: 16%
- Infrastructure Vulnerabilities: 3%
Generic Decryption Success Rates of Phobos Ransomware
Unfortunately Phobos Ransomware Operators in generic are one of the worst group when examining reliability.
Operators according to our experience do not have a good reputation in general.
- Generic Success Rate of Phobos Ransomware Decryption: 82% (17% demand more ransom payment after first payment)
- Some of them deliver vague instructions and victims can mess things up when running the decryptor.
- Some others demand more payment for no obvuous reason than blackmailing you.
Also we have seen cases that the operators take your money and go away.
Some attackers have a good reputation for providing working Phobos decryptors. Others are known as scammers and will never provide a decryption tool.
Unfortunately, hackers will receive the ransom payment and get away with it, leaving the victim in cold waters.
Characteristics of Phobos Ransomware attacks
- Operators of Phobos ransomware are targeting large organizations usually. That’s why Ransom Payments for Phobos are quite high.
- The average Phobos Ransom request is usually between $5,000–$25,000. In addition, approximately 10% -15% of Bitcoin exchange fees are applied when using buy options such Wire transfer, Paypal or Credit card.
Average Length of Phobos Ransomware Incident Resolution
- Without Tictaclabs Help: 13-17 days
- With Tictaclabs Help: 3-7 days
My files are encrypted by Phobos, what should I do now?
First of all don’t panic, since we have many options to help you.
If you do not understand what a Ransomware Virus is, you should read our dedicated section on What is Ransomware.
Please read our instructions carefully:
- Disconnect the infected computer from the network
- Do not attempt any communication with the hackers
- Take a full image backup of your system… yes it can be worse than just the encryption
- Report the crime to your local Cyber Crimes Department
- Phobos Ransomware, if left unattended, will try to encrypt all your infrastructure
- Talk to our Ransomware Incident Response Team, because we have a very good chance to get your files 100% recovered faster than you can, and probably without any payment.
Let’s Work Together
on Cyber Security