Phobos Ransomware (<ID>-<id***8 random>.[<email>].phobos) Support


1606 replies to this topic

#1 rauluar

Posted 20 December 2018 - 11:50 AM

Any files that are encrypted with Phobos Ransomware will have an <ID>-<victim id*** random 8 hex char>.[<email>] or <id>-<victim id*** random 8 hex char-4 numbers>.[<email>] followed by one of its many different extensions appended to the end of the encrypted data filename as explained here by Amigo-A (Andrew Ivanov). The victim id (8 random hex characters) is the victim's Windows volume serial number and the four numbers afterwards is the Phobos build ID. These are a few examples.

.ID-3EA0B923.[job2019@tutanota.com].phobos
.ID-2CA6D4CB.[prejimzalma1972@aol.com].phoenix
.id[F6593DDC-2275].[raynorzlol@tutanota.com].Adame
.id[4E462CCA-3412].[helprecover@foxmail.com].help
.id[06FB70EE-2542].[wmanxtere@privatemail.com].google
.id[E4827465-4422].[silverhand@onionmail.org].Elbie

Phobos Ransomware extensions include .phobos, .Frendi, .phoenix, .mamba, .KARLOS, .ACTIN, .ACTOR, .com, .adage, .WALLET, .1500dollars, .acute, .Adame, .help, .banjo, .Acton, .Banta, .zax, .HORSELIKER, .BORISHORSE, .BANKS, .PLUT, .WannaCry, .Caleb, .elder, .deal, .Adair, .Acuna, .Barak, .octopus, .calix, .deuce, .angus, .Calum, .Caley, .Dever, .DDoS, .elbow, .karma, .bablo, .DEWAR, .Devos, .devil, .revon, .eight, .Devon, .eking, .chinz, .isos, .Acuff, .ELDAOLSA, .google, .Antivirus, .DLL, .LOWPRICE, .eject, .HORSEMONEY, .WIN, .PERDAK, .XIII, .Drik, .pHv1, .Elbie, .ZOZL, .MURK, .DIKE, .decrypt, .grt, .LIZARD, .duck, .faust, .magic, .worry, .SHTORM, .SDK, .2QZ3, .kmrox, .top, .s4b, .6y8dghklp, .deep, .luck, .deepindeep, .VXUG, .LEAKDB, .GrafGrafel, .elpy, .HuiVJope, .2700, .mango, .jopanaxye, .gotmydatafast, .rdptest, .ebaka
 
Phobos typically will leave files (ransom notes) named Phobos.hta, Encrypted.txt, Data.hta, info.hta and info.txt. 

Be aware of the scammers below.

1- Email: helpransomfiles@gmail.com / providenciagerente@gmail.com - Telegram: @Helpransomware - YouTube: @HelpRansomware - Mobile: +1 515 506 8522
2- Email: help.encryptorr@gmail.com - Telegram: @Encryptor_man
3- Telegram: @Amir79ce (working with above item 1)
4- Telegram: @rudecryp (working with above item 1)
5- Telegram: @phobos_supports
6- Telegram: @File001
7- Telegram: @datadecrypt
8- Email: decrypt2023@cyberfear.com / decrypt2023@cock.li - Telegram: @decrypt2023
9- Email: rsaransom@tuta.io - Telegram: @RSARansom - YouTube: @rsaransom and @rsaransomdecryptor6752
10- Telegram: @decryptyourdata
11- Telegram: @Decryptorr
12- Email: helpermail@onionmail.org
13- Email: admencrypt@gmail.com; admdecrypt@gmail.com - Telegram: Pcrisk
14- Email: targetchamin@gmail.com
15- Telegram: Phobos_support
16- Telegram: RansomwareRescue

 

NOTE: PhobosImposter is a variant of ABCD (LockBit) which appends .phobos extension and leaves files (ransom notes) named Restore-My-Files.txt...see PhobosImposter Ransomware.

Hi everybody, I've been affected by a ransomware that has the extension .phobos, but ID Ransomware is unable to determine what ransomware it is. ID Ransomware gives me this SHA1: 009d37c802481f54de74c44bfa7dca046daade8b

There isn't any ransom note either.

This is the text of the extension: "ID-3EA0B923.[job2019@tutanota.com].phobos"

I've contacted that e-mail account and received the following response:

"Hello! The cost of the decryption program at the moment is $ 3000
For payment you have 6 hours - you need to buy bitcoin and pay for my wallet.
If you do not pay the decryption program within 6 hours - the price will be $ 5000
Buy bitcoin is best on the site https://localbitcoins.com , choose your country - buy Bitcoin
and pay to my wallet: 1CTzR5oW4uQdY3xhHnmisD3M8shh7qcd6e
After you pay, you will receive all the necessary instructions to decrypt your files."

Does anyone have any idea how to decrypt the files?

Thank you
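The suffix layout described at the top of this post, as an added example that is not part of the thread or of any BleepingComputer tool: a small Python parser that pulls the victim id, build number, contact e-mail and family extension out of a Phobos-style file name, checks the extension against the list above, compares the victim id with a volume serial number in the form `vol C:` prints it, and tells the Phobos note set apart from the PhobosImposter one. The file names and the serial "3EA0-B923" in the `__main__` block are constructed from the examples in the post; the serial comparison rests on the post's statement that the victim id is the Windows volume serial number.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Family extensions from the list in the post (lower-cased so matching is case-insensitive).
KNOWN_PHOBOS_EXTS = {e.lower() for e in """
phobos Frendi phoenix mamba KARLOS ACTIN ACTOR com adage WALLET 1500dollars acute Adame help banjo Acton
Banta zax HORSELIKER BORISHORSE BANKS PLUT WannaCry Caleb elder deal Adair Acuna Barak octopus calix deuce
angus Calum Caley Dever DDoS elbow karma bablo DEWAR Devos devil revon eight Devon eking chinz isos Acuff
ELDAOLSA google Antivirus DLL LOWPRICE eject HORSEMONEY WIN PERDAK XIII Drik pHv1 Elbie ZOZL MURK DIKE decrypt
grt LIZARD duck faust magic worry SHTORM SDK 2QZ3 kmrox top s4b 6y8dghklp deep luck deepindeep VXUG LEAKDB
GrafGrafel elpy HuiVJope 2700 mango jopanaxye gotmydatafast rdptest ebaka
""".split()}

# Ransom note names from the post; PhobosImposter (LockBit/ABCD) drops a different one.
PHOBOS_NOTES = {"phobos.hta", "encrypted.txt", "data.hta", "info.hta", "info.txt"}
IMPOSTER_NOTES = {"restore-my-files.txt"}

# The two suffix layouts described in the post:
#   .ID-<8 hex>.[<email>].<ext>               older builds, no build number
#   .id[<8 hex>-<4 digits>].[<email>].<ext>   newer builds, 4-digit build number
SUFFIX_RE = re.compile(
    r"\.(?:[Ii][Dd]-(?P<vid_old>[0-9A-Fa-f]{8})"
    r"|[Ii][Dd]\[(?P<vid_new>[0-9A-Fa-f]{8})-(?P<build>\d{4})\])"
    r"\.\[(?P<email>[^\[\]\s]+@[^\[\]\s]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)


@dataclass(frozen=True)
class PhobosMarker:
    original_name: str        # file name before the suffix was appended
    victim_id: str            # 8 hex chars; per the post, the Windows volume serial number
    build_id: Optional[int]   # 4-digit build number, only present in the id[...] layout
    email: str                # attacker contact address embedded in the name
    family_ext: str           # final extension (.phobos, .Adame, .Elbie, ...)

    @property
    def known_extension(self) -> bool:
        return self.family_ext.lower() in KNOWN_PHOBOS_EXTS


def parse_phobos_name(filename: str) -> Optional[PhobosMarker]:
    """Return the marker fields if `filename` carries a Phobos-style suffix, else None."""
    m = SUFFIX_RE.search(filename)
    if not m:
        return None
    return PhobosMarker(
        original_name=filename[:m.start()],
        victim_id=(m.group("vid_old") or m.group("vid_new")).upper(),
        build_id=int(m.group("build")) if m.group("build") else None,
        email=m.group("email"),
        family_ext=m.group("ext"),
    )


def matches_volume_serial(marker: PhobosMarker, serial: str) -> bool:
    """Compare the victim id with a volume serial as `vol C:` prints it, e.g. "3EA0-B923"."""
    return marker.victim_id == serial.replace("-", "").strip().upper()


def classify_listing(names):
    """Summarise a directory listing: marked files, who to contact, and which note family is present."""
    markers = [m for m in map(parse_phobos_name, names) if m is not None]
    lowered = {n.lower() for n in names}
    if lowered & PHOBOS_NOTES:
        note_family = "Phobos"
    elif lowered & IMPOSTER_NOTES:
        note_family = "PhobosImposter (LockBit/ABCD using the .phobos extension)"
    else:
        note_family = "no known ransom note in listing"
    return {
        "encrypted_files": len(markers),
        "victim_ids": sorted({m.victim_id for m in markers}),
        "build_ids": sorted({m.build_id for m in markers if m.build_id is not None}),
        "emails": sorted({m.email for m in markers}),
        "extensions": Counter(m.family_ext for m in markers),
        "unknown_extensions": sorted({m.family_ext for m in markers if not m.known_extension}),
        "note_family": note_family,
    }


if __name__ == "__main__":
    # Constructed listing mixing both suffix layouts, a ransom note and an untouched file.
    listing = [
        "report.docx.ID-3EA0B923.[job2019@tutanota.com].phobos",
        "photo.jpg.id[F6593DDC-2275].[raynorzlol@tutanota.com].Adame",
        "budget.xlsx.id[F6593DDC-2275].[raynorzlol@tutanota.com].Adame",
        "info.hta",
        "notes.txt",
    ]
    for name in listing:
        print(name, "->", parse_phobos_name(name))
    print(classify_listing(listing))
    # "3EA0-B923" is a constructed serial in the format `vol` prints, not a real machine's.
    print(matches_volume_serial(parse_phobos_name(listing[0]), "3EA0-B923"))
```

An extension that parses but is not in the list goes into `unknown_extensions`; that is the case to report in this thread rather than assume a decrypter exists, and an unmatched victim id against `vol` output is a hint that the marked files came from another machine over a share, as rauluar describes below.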



#2 Amigo-A
    Security specialist and Ransomware expert

Posted 20 December 2018 - 12:06 PM

rauluar

It may be Dharma.

Send us a ransom note. Use the service sendspace.com or similar.


Edited by Amigo-A, 20 December 2018 - 12:06 PM.

My site: The Digest "Crypto-Ransomware"  + Google Translate 

 


#3 Demonslay335
    Ransomware Hunter

Posted 20 December 2018 - 12:26 PM

It's not Dharma, ID Ransomware would have picked up on the filemarker - which it does not have. The end of files does have a different pattern of some sorts though.

We would need the malware itself to analyze any further.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 Amigo-A
    Security specialist and Ransomware expert

Posted 20 December 2018 - 12:32 PM

We also know Phobos Ransomware.

This is in ID Ransomware.


#5 rauluar (Topic Starter)

Posted 20 December 2018 - 12:35 PM

Hello @Amigo-A, @Demonslay335, there isn't any ransom note, only that e-mail account to contact.

I have analysed several times, but Malwarebytes or Spyhunter can't find anything to help me.

Any idea to detect or identify the ransomware?

Thank you all



#6 Amigo-A
    Security specialist and Ransomware expert

Posted 20 December 2018 - 12:38 PM

rauluar

A different type of ransom note was used in Phobos - Phobos.hta
Some antiviruses can delete such files without hesitation. Look for files with extension .hta.

wallet: 1CTzR5oW4uQdY3xhHnmisD3M8shh7qcd6e

These extortionists use a well-known BTC-address that regularly receives ransom.

Edited by Amigo-A, 20 December 2018 - 12:45 PM.


#7 Amigo-A
    Security specialist and Ransomware expert

Posted 20 December 2018 - 12:56 PM

Malwarebytes or Spyhunter

Malwarebytes failed the latest antivirus tests.

Think about why Spyhunter is not taken for testing.


Edited by Amigo-A, 20 December 2018 - 12:57 PM.


#8 quietman7
    Bleepin' Gumshoe

Posted 20 December 2018 - 01:15 PM


If you can find the malicious executable that you suspect was involved in causing the infection, it can be submitted here with a link to this topic...it's best to zip (compress) all files before sharing. There is a "Link to topic where this file was requested" box under the Browse button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

These are some common folder variable locations malicious executables and .dlls hide:
  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AllUserProfile%\
  • %AppData%\
  • %AppData%\Local\Temp\
  • %LocalAppData%\
  • %ProgramData%\
  • %Temp%\
Note: Some folders like %AppData% are hidden by the operating system so you may need to configure Windows to show hidden files & folders.

Also check the history logs and quarantine folders for your anti-virus to see if it found and removed any malware possibly related to the ransomware.

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
If I have been helpful & you'd like to consider a donation, click here.
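An added example, not part of quietman7's post or of any BleepingComputer tool, that automates the hunt described in post #8 in Python: it expands the folder variables listed there, walks each a few levels deep, flags files that start with the PE "MZ" header but carry a non-executable extension or were written recently, flags the Phobos note names and other fresh .hta files (the notes Amigo-A mentions above), notes a Process Hacker folder like the one reported later in this thread, and zips the hits so they can be uploaded for analysis. The seven-day age window, the depth limit and the executable extension set are assumptions; run it on the affected machine from an elevated prompt, since some of those folders are not readable otherwise.

```python
import os
import time
import zipfile
from datetime import datetime

# Folder variables from the post, expanded from the current user's environment.
# ALLUSERSPROFILE is the variable Windows defines for the all-users profile folder.
SUSPECT_ROOTS = [
    "%SystemDrive%\\", "%SystemRoot%\\", "%UserProfile%\\", "%UserProfile%\\AppData\\Roaming\\",
    "%ALLUSERSPROFILE%\\", "%AppData%\\", "%AppData%\\Local\\Temp\\", "%LocalAppData%\\",
    "%ProgramData%\\", "%Temp%\\",
]
EXEC_EXTS = {".exe", ".dll", ".scr", ".sys", ".com", ".cpl", ".ocx"}   # assumed "normal" PE extensions
NOTE_NAMES = {"phobos.hta", "encrypted.txt", "data.hta", "info.hta", "info.txt"}  # from the post


def triage_file(path, head, mtime, now, max_age_days=7):
    """Return the reasons `path` deserves a look (empty list if none).

    `head` is the first two bytes of the file; `mtime` and `now` are epoch seconds.
    """
    name = os.path.basename(path.replace("\\", "/")).lower()   # works for Windows paths on any OS
    ext = os.path.splitext(name)[1]
    is_pe = head[:2] == b"MZ"                                   # PE images (.exe/.dll) start with "MZ"
    recent = (now - mtime) <= max_age_days * 86400
    reasons = []
    if is_pe and ext not in EXEC_EXTS:
        reasons.append("PE image with non-executable extension")
    if is_pe and recent:
        reasons.append("recently written executable")
    if name in NOTE_NAMES:
        reasons.append("Phobos ransom note name")
    elif ext == ".hta" and recent:
        reasons.append("recent .hta file (Phobos notes are .hta)")
    if "process hacker" in path.lower():
        reasons.append("Process Hacker present (tool seen in this thread)")
    return reasons


def walk_suspect_roots(roots=SUSPECT_ROOTS, max_depth=3, now=None):
    """Walk the usual hiding places a few levels deep and triage every file found."""
    now = time.time() if now is None else now
    findings, seen = [], set()
    for raw in roots:
        root = os.path.expandvars(raw)
        if "%" in root or not os.path.isdir(root):
            continue                                   # variable undefined here, or folder missing
        for dirpath, dirnames, filenames in os.walk(root):
            rel = os.path.relpath(dirpath, root)
            depth = 0 if rel == "." else rel.count(os.sep) + 1
            if depth >= max_depth:
                dirnames[:] = []                       # stop descending past max_depth
            for fn in filenames:
                full = os.path.join(dirpath, fn)
                key = os.path.normcase(full)
                if key in seen:
                    continue                           # roots overlap (%AppData% sits under %UserProfile%)
                seen.add(key)
                try:
                    st = os.stat(full)
                    with open(full, "rb") as fh:
                        head = fh.read(2)
                except OSError:
                    continue                           # locked, access denied, or already gone
                reasons = triage_file(full, head, st.st_mtime, now)
                if reasons:
                    when = datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds")
                    findings.append((full, when, reasons))
    return findings


def bundle_for_submission(paths, out_zip):
    """Zip the suspect files, as the post asks, so they can be uploaded for analysis."""
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in paths:
            zf.write(p, arcname=os.path.basename(p))
    return out_zip


if __name__ == "__main__":
    hits = walk_suspect_roots()
    for path, when, why in hits:
        print(when, path, "; ".join(why))
    if hits:
        print("bundled:", bundle_for_submission([h[0] for h in hits], "suspects.zip"))
```

Anything listed as "PE image with non-executable extension" or "recently written executable" under a profile or temp folder is the first thing to upload; a hit on a Phobos note name also answers the "no ransom note" question in this thread, since info.hta is easy to miss when hidden files are not shown.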


#9 rauluar (Topic Starter)

Posted 24 December 2018 - 06:10 AM


Hello, I didn't find anything that could be a malicious executable. It's strange because it first infected documents on the desktop and then infected a shared network drive, but it stopped in the middle, when I disconnected the PC from the network, so I deduce that the PC is the one that is infected, but there isn't any malicious executable.

The files have the ".phobos" extension, but ID Ransomware doesn't detect it. That takes away the hope of finding a decrypter.

I cannot find a ransom note either; the email is in the extension of all files, that's all.

Any idea?

Thank you



#10 quietman7
    Bleepin' Gumshoe

Posted 24 December 2018 - 08:22 AM

Without the malware itself to analyze further, there is not much we can do at this point. Hopefully more information by other victims will be uploaded to IDRansomware.



#11 Demonslay335
    Ransomware Hunter

Posted 31 December 2018 - 03:40 PM

I've inspected the file structure between this and the older ".PHOBOS" that Amigo-A linked, and everything matches up, along with the filename pattern. I've added detections for this under "Phobos".

We still need the malware itself to analyze any further though, no sample has been found for either thus far.




#12 jfsantos

Posted 02 January 2019 - 10:29 AM

Hi to all

A friend of mine was also affected by Phobos on December 31.

This is the signature in the file: ID-D08133EB.[cadillac.407@aol.com].phobos

I was able to see a folder called Process Hacker 2 that has some xml files (it is located in %AppData%).

Does anyone have any idea to recover the files?

Best regards and thanks



#13 quietman7
    Bleepin' Gumshoe

Posted 02 January 2019 - 11:11 AM

Not that I am aware of...we still need a sample of the malware as noted by Demonslay335.

Samples of suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic...it's best to zip (compress) all files before sharing. There is a "Link to topic where this file was requested" box under the Browse button.



#14 Amigo-A
    Security specialist and Ransomware expert

Posted 02 January 2019 - 12:04 PM

Process Hacker 2

It is often used for penetration and attack.


#15 jfsantos

Posted 02 January 2019 - 12:26 PM

Hi

Thanks for your answers.

I've submitted a zip with some encrypted files and with a folder called Process Hacker 2 that I've found in %AppData%.

I can see a file called encrypted.txt with this content:

"All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail cadillac.407@aol.com

In case of no answer in 24 hours write us to these e-mails: Everest_2010@aol.com"

****************

Thanks for any kind of help that all can give.

Best regards


Edited by jfsantos, 02 January 2019 - 12:29 PM.




