Phobos Ransomware Removal Guide

We want to inform you that Phobos Ransomware is a new ransomware-type computer infection set to infect your computer by stealth and encrypt your personal files using an advanced encryption algorithm and then demand that you pay a ransom to get them back. However, you ought to remove it instead because there is no guarantee that its developers will decrypt your files once you have paid. For more details on this ransomware, we invite you to read this whole article.

Since Phobos Ransomware has been released only recently, there is little to no information on how it is disseminated. Our theory is that this ransomware’s developers have set up an email server dedicated to spamming peoples’ email inboxes with fake emails that can look like invoices, receipts, business correspondence and so on. They want to trick you into opening the file attached to the email. The file can be made to look like a document of some sort which is usually a PDF document. However, it can be an executable which will be dropped in %TEMP% folder but will remain there until you delete it.

We do not know what kind of encryption algorithm Phobos Ransomware uses, but it is quite likely that it was configured to use the AES, RSA or a combination of both of these encryption methods to encrypt your files. This ransomware should target and encrypt your documents, videos, audios, pictures, and so on. It was configured to append all encrypted file with an "ID.email.PHOBOS" extension.

Phobos Ransomware should generate unique encryption and decryption keys. The decryption is most likely sent to a remote server and stored until you pay the ransom. In order to decrypt your files, you have to follow the instructions found in a ransom note named “Phobos.hta” that is dropped on your PC. You are required to send an email to OttoZimmerman@protonmail.ch. The note also says that the “topic” of the message should be “Encryption ID:{8-character code}” which is probably used to identify each unique victim to assign the appropriate decryption key and identify the payment. However, the note says nothing about how much you have to pay and how to pay. Nevertheless, the note says that the ransom will increase if you waste time. Again, we do not recommend that you pay the ransom because its creators might not keep their word and send you the decryption key.

In closing, Phobos Ransomware is a highly malicious program designed to encrypt your files to gain leverage over you and demand that you pay money to decrypt them. However, we urge you not to pay because the cybercriminals might not keep their word and send you the decryptor/decryption key. Therefore, we recommend that you use the removal guide below which includes using SpyHunter’s free malware scanner to detect Phobos Ransomware and go to its location and delete it manually.

Removal Guide

1. Go to http://www.411-spyware.com/download-sph
2. Download SpyHunter-Installer.exe and install it.
3. Launch it and select Scan Computer Now!
4. Then, hold down Windows+E keys.
5. Enter the file path of the malicious files in the File Explorer’s address box and press Enter.
6. Right-click the malicious file(s) and click Delete.
7. Right-click the Recycle Bin and click Empty the Recycle Bin.