Phobos Ransomware Decryption

Are your files encrypted by Phobos Ransomware and you need data recovery from Phobos?
You need Phobos Decrypor?
Is your server encrypted by Phobos Ransomware and you need data recovery?

If yes, then you are in the right place because we can help you better understand how Phobos Encryption works and how you can decrypt your files.

Learn more about the Phobos ransomware, its decryption, recovery, removal and statistics.

Our Ransomware recovery experts can help your business recover your files fast.

All our Ransomware Decryption process is performed via teamviewer or Splashtop, remotely after a scheduled consultation call.

If you want to start your Phobos Ransomware Decryption free ransomware assessment click here.

How do I know if Phobos Ransomware has encrypted my Server?

Phobos team is using is using the following extentions to encrypt files, so if you have this or similar extentions to your files, probably its Phobos:

.actin, .Acton, .actor, .Acuna, .actin, .Acton, .actor, .Acuff, .Acuna, .acute, .adage, .Adair, .Adame, .age, .angus,
.banhu, .banjo, .Banks, .Banta, .Barak, .barak, .bbc, .blend, .BORISHORSE, .bqux,
.Caleb, .Cales, .Caley, .calix, .Calle, .Calum, .Calvo, .CAPITAL, .com,
.DDoS, .deal, .deuce, .Dever, .devil, .Devoe, .Devon, .Devos, .dewar,
.eight, .eject, .eking, .Elbie, .elbow, .elder, .eject
.Frendi, .help, .HORSELIKER,
.KARLOS, .karma,
.mamba, .octopus,
.phobos, .phoenix, .PLUT,
.WALLET, .zax,

Your files should be unable to open up with any software.

This ransomware virus strain uses AES256 encryption to encrypt your files so you will not be able to decrypt them.

But how can I be sure that Phobos Ransomware family is the one that encrypted my files?

These are the symptomps and indications that show you that you have been infected by Phobos Ransomware:

PHOBOS Ransomware ransomware note file called: Your Files are Encrypted.Txt on the Desktop of the infected machine but also sometimes in the Documents folder
Your File extensions change to a format like this: <original name>.id[<victim ID>-<version ID>][<attacker’s e-mail>].<added extention> for example invoice3232.pdf.id[BAF3BBED-2822].[lyontrevor@aol.com]
You suddenly notice that you have lost your desktop wallpaper
You cannot use your antivirus software or it is deactivated without any obvious reason
A lot of your applications cannot work

Check some of the Phobos Ransomware Emails that you will find on your files:

If you find one of these emails in your files, then you are infected by Phobos:

2020×0@protonmail.com
2020x@cock.lu
2172998725@qq.com
2183313275@qq.com
Admincrypt@protonmail.com
Bexonvelia@aol.com
Datarest0re@aol.com
DavidsHelper@protonmail.com
DonovanTudor@aol.com
Everest_2010@aol.com
FobosAmerika@protonmail.ch
Keta990@protonmail.com
MerlinWebster@aol.com
OttoZimmerman@protonmail.ch
Quantroei@protonmail.com
Raphaeldupon@aol.com
SimpleSup@cock.li
SimpleSup@tutanota.com
Tedmundboardus@aol.com
The777@tuta.io
Unlockfiles@qq.com
William_Kidd_2019@protonmail.com
abbott_wearing@aol.com
absonkaine@aol.com
agent5305@firemail.cc
alphonsepercy@aol.com
anamciveen@aol.com
anygrishevich@yandex.ru
apoyo2019@protonmail.com
autrey.b@aol.com
b.morningtonjones@aol.com
back7@protonmail.ch
back_ins@protonmail.ch
backup.iso@aol.com
bad_boy700@aol.com
ban.out@foxmail.com
barcelona_100@aol.com
batecaddric@aol.com
bbbitcrypt@tutanota.com
bbitcrypt@protonmail.com
beautydonkey@xmpp.jp
beltoro905073@aol.com
berne.fiddell@aol.com
bexonvelia@aol.com
bowen.bord@aol.com
britt.looper@aol.com
burnofin@hotmail.com
cadillac.407@aol.com
captainpilot@cock.li
carmichael.lion@aol.com
cello_dodds@aol.com
cercisori1979@aol.com
chagenak@airmail.cc
checkcheck07@qq.com
chinadecrypt@fasthelpassia.com
christosblee@aol.com
ciaprepoulep1977@aol.com
cleverhorse@ctemplar.com
cleverhorse@protonmail.com
cleverhorse@xmpp.jp
com-gloria@protonmail.com
com-gloria@tutanota.com
cosmecollings@aol.com
costelloh@aol.com
crioso@protonmail.com
crysall.g@aol.com
cynthia-it@protonmail.com
danger@countermail.com
danianci@airmail.cc
darillkay@aol.com
datadecryption@countermail.com
debourbonvincenz@aol.com
decphob@protonmail.com
decphob@tuta.io
decriptionsupport911@airmail.cc
decrypt2020@aol.com
decrypt4data@protonmail.com
decrypt@files.mn
decrypt_here@xmpp.jp
decrypt_here@xrnpp.jp
decryptbox@airmail.cc
decryptfiles@420blaze.it
decryptfiles@cock.lu
decryptfiles@hot-chilli.eu
decryptfiles@qq.com
deltatech@tuta.io
deltatechit@protonmail.com
dennet.smellie@aol.com
dessert_guimauve@aol.com
dominga.k@aol.com
eccentric_inventor@aol.com
eddyayman@gmail.com
elizabeth67bysthompson@aol.com
elizabethz7cu1jones@aol.com
ezequielanthon@aol.com
fileb@protonmail.com
fileisafe@tuta.io
files2@protonmail.com
filesreturn@cock.li
flexney.pail@aol.com
francispilmoor@aol.com
friends2019@protonmail.com
funnyredfox@aol.com
gabbiemciveen@aol.com
gherardobaxter@aol.com
gomer_simpson2@aol.com
grattan.l@aol.com
grander123@tutanota.com –
greg.philipson@aol.com
gruzudo@cock.li
hadleeshelton@aol.com
hanesworth.fabian@aol.com
harlin_marten@aol.com
hartpole.danie@aol.com
helpisos@aol.com
helprecover@foxmail.com
helpteam38@protonmail.com
helpyourdata@qq.com
hickeyblair@aol.com
hidebak@protonmail.com
horsesecret@xmpp.jp
irvinclarke@aol.com
jabberpaybtc@sj.ms
jewkeswilmer@aol.com
job2019@tutanota.com
kabennalzly@aol.com
kalle.tomlin@aol.com
karlosdecrypt@outlook.com
kenny.sarginson@aol.com
kew07@qq.com
key07@qq.com
keysfordecryption@airmail.cc
keysfordecryption@jabb3r.org
kickclak@cock.li
kickclakus@protonmail.com
klemens.stobe@aol.com
kokux@tutanota.com
kokux@tutanota.corn
kylenoble726@aol.com
lachneyorlachb@aol.com
larabita@cock.li
leeming.derick@aol.com
leonardo@cock.lu
lewisswaffield.a@aol.com
limboshuran@cock.li
lockhelp@qq.com
lockhelp@xmpp.jp
lofutesdogg1983@aol.com
luciolussenhoff@aol.com
lucky_top@protonmail.com
maitlandtiffaney@aol.com
mccreight.ellery@tutanota.com
mecybaki@firemail.cc
member987@cock.li
member987@tutanota.com
mr.helper@jabb3r.de
mr.helper@qq.com
naqohiky@firemail.cc
nichols_l@aol.com
night_illusion@aol.com
noyes.brice@aol.com
octopusdoc@airmail.cc
octopusdoc@mail.ee
ofizducwe111988@aol.com
ofizducwell1988@aol.com
online24decrypt@airmail.cc
onlyfiles@aol.com
painplain98@protonmail.com
paper_plane1@aol.com
park.jehu@aol.com
patern32@protonmail.com
patiscaje@airmail.cc
paybtc@sj.ms
phobos.encrypt@qq.com
phobos_healper@xmpp.jp
phobos_helper@exploit.im
phobos_helper@xmpp.jp
phobos_helpper@xmpp.jp
phobosrecovery@cock.li
phobosrecovery@tutanota.com
pixell@cock.li
pixell@tutanota.com
plombiren@qq.com
posiccimen1982@aol.com
prejimzalma1972@aol.com
prndssdnrp@mail.fr
ramsey_frederick@aol.com
randal_inman@aol.com
raphaeldupon@aol.com
raynorzlol@protonmail.com
raynorzlol@thesecure.biz
raynorzlol@tutanota.com
recoverhelp2020@thesecure.biz
recovermyfiles2019@thesecure.biz
recoveryfast@airmail.cc
relvirosa1981@aol.com
repairfiles@foxmail.com
restorebackup@qq.com
restoringbackup@airmail.cc
returnmefiles@aol.com
robinhood@countermail.com
sailormorgan@protonmail.com
savemyself1@tutanota.com
saveyourfiles@qq.com
simonsbarth@aol.com
sookie.stackhouse@gmx.com
squadhack@email.tg
stanodexne1982@aol.com
stocklock@airmail.cc
stuart.wittie@aol.com
subik099@tutanota.com
supportcrypt2019@cock.li
supportcrypt2019@protonmail.com
sverdlink@aol.com
taverptintra1985@aol.com
tedmundboardus@aol.com
thedecrypt111@qq.com
theonlyoption@qq.com
thorpe.grand@aol.com
tirrellipps@aol.com
tirrelllipps@aol.com
tlalipidas1978@aol.com
tlalipidas1978@aol.com.exe
topot@cock.li
tylecotebenji@aol.com
upfileme@protonmail.com
verious1@cock.li
veritablebee@protonmail.ch
viadolorosa@tuta.io
waitheisenberg@xmpp.jp
walletdata@hotmail.com
walletwix@aol.com
wang_team777@aol.com
wang_team999@aol.com
washapen@cock.li
werichbin@cock.li
werichbin@protonmail.com
wewillhelpyou@qq.com
wiruxa@airmail.cc
withdirimugh1982@aol.com
worldofdonkeys@protonmail.com
worldofdonkeys@xmpp.jp
xxxnxxx@cock.li
yongloun@tutanota.com
youcanwrite24h@airmail.cc
zax4444@qq.com
zax444@qq.com
zoye1596@msgden.net
zoye596@protonmail.com
cynthia-it@protonmail.com
leonardo@cock.lu
Troll900@tutamail.com
robinhood@countermail.com
ryuhb12@protonmail.com
support24@firemail.cc
ftsbk@protonmail.com
rapidorecovery@protonmail.com
sifremialayim@cock.li
datawarehouse@inbox.ru
Unlockm301@cock.li
bitlander@armormail.net
trimak@cock.li
tracks@keemail.me
grander123@tutanota.com
grander123@protonmail.com
eject24h@protonmail.com

How Phobos Decryptor works

In the following video you can see how Phobos Decryptor works to decrypt your files but also how you files are being encrypted with Phobos Ransomware

Antivirus Software recognize Phobos Family like this

Dr.Web: Trojan.Encoder.27737, Trojan.PWS.Banker1.30220, Trojan.Encoder.28637, Trojan.Encoder.28626, Trojan.Encoder.29362, Trojan.Encoder.31543
BitDefender: Trojan.GenericKD.31737610, Gen:Variant.Ulise.24543, Trojan.GenericKD.31838640, Gen:Variant.Ulise.36831, Gen:Variant.Ransom.Phobos.*, Gen:Variant.Ulise.39944, Gen:Variant.Graftor.651871, Trojan.Ransom.Phobos.F
ESET-NOD32: Win32/Filecoder.Phobos, A Variant Of Win32/Kryptik.GOLH, A Variant Of Win32/Filecoder.Phobos.A, A Variant Of Win32/Filecoder.Phobos.B, A Variant Of Win32/Filecoder.Phobos.C
ALYac: Trojan.Ransom.Phobos
Ikarus: Trojan-Ransom.Phobos
Malwarebytes: Trojan.Crypt, Ransom.Phobos
Sophos AV: Troj/Phobos-B
Symantec: ML.Attribute.HighConfidence
VBA32: BScope.TrojanRansom.Blocker

Phobos Ransomware Emails

Phobos Ransomware Note Example 1

All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail lockhelp@qq.com
Write this ID in the title of your message 000QQQ
If there is no response from our mail, you can install the Jabber client and write to us in support of lockhelp@xmpp.jp
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. 

Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. 
https://localbitcoins.com/buy_bitcoins 
Also you can find other places to buy Bitcoins and beginners guide here: 
http://www.coindesk.com/information/how-can-i-buy-bitcoins/

Phobos Ransomware Note Example 2

!!! All your data is encrypted !!!
To decrypt them send email to this address: lockhelp@qq.com
If there is no response from our mail, you can install the Jabber client and write to us in support of lockhelp@xmpp.jp

Phobos Ransomware Note Example 3

Sometimes ransomware operators do not leave any ransomware note.

In such cases the contact name of the operator is on the actual files.

When analysing the file names we can see that you can find a unique identifier for each encryption source plus the operator ID.

Its very important to enumerate all IDs when dealing with the ransomware attack.

An example is this: instroctions_For_clients.docx.id[BAF3BBED-2822].[lyontrevor@aol.com].eight

Statistics of Phobos Ransomware

Characteristics of Phobos Ransomware attacks

Operators of Phobos ransomware are targeting large organizations usually. That’s why Ransom Payments for Phobos are quite high.
The average Phobos Ransom request is usually between $5,000–$25,000. In addition, approximately 10% -15% of Bitcoin exchange fees are applied when using buy options such Wire transfer, Paypal or Credit card.

Generic Decryption Success Rates of Phobos Ransomware

Unfortunately Phobos Ransomware Operators in generic are one of the worst group when examining reliability.

Operators according to our experience do not have a good reputation in general.

Generic Success Rate of Phobos Ransomware Decryption: 82% (17% demand more ransom payment after first payment)
Some of them deliver vague instructions and victims can mess things up when running the decryptor.
Some others demand more payment for no obvuous reason than blackmailing you.

Also we have seen cases that the operators take your money and go away.

Some attackers have a good reputation for providing working Phobos decryptors. Others are known as scammers and will never provide a decryption tool.

Unfortunately, hackers will receive the ransom payment and get away with it, leaving the victim in cold waters.

How does the Ransomware infect the infrastructure

Remote Desktop Connection: 83%
Phishing Emails: 16%
Infrastructure Vulnerabilities: 3%

Average Length of Phobos Ransomware Incident Resolution

Without Tictaclabs Help: 13-17 days
With Tictaclabs Help: 3-7 days

My files are encrypted by Phobos, what should I do now?

First of all don’t panic, since we have many options to help you.

If you do not understand what a Ransomware Virus is, you should read our dedicated section on What is Ransomware.

Please read our instructions carefully:

Disconnect the infected computer from the network
Do not attempt any communication with the hackers
Take a full image backup of your system… yes it can be worse than just the encryption
Report the crime to your local Cyber Crimes Department
Phobos Ransomware, if left unattended, will try to encrypt all your infrastructure
Talk to our Ransomware Incident Response Team, because we have a very good chance to get your files 100% recovered faster than you can, and probably without any payment.