Phobos Ransomware Recovery

Although decryption tools exist for some older variants, most newer Phobos ransomware strains have no freely available decryption tools. You can check for free, publicly available decryption tools here. 

In most cases, the only way to obtain a working Phobos ransomware decrypt tool is through negotiation with the attackers. Depending on the history of the gang that is behind the hack, it may be possible to get a functional decryption tool by paying the demands of the attackers. Believe it or not, some gangs actually try to maintain a reputation, and are consistent in delivering decryption tools when payed. Other hackers can be less reliable, however. Some will demand a second or even third payment after being paid the first time. In some cases, they don’t provide any decryption tool at all or provide a faulty decryption tool. 

We actively research the active ransomware gangs in order to understand how they operate, the risks of dealing with them, and the probability of success. Knowing the history of a gang can help to negotiate with them more effectively. Using this methodology, we have succeeded in negotiating down ransom demands by as much as 30%. 

If you want to learn more about Phobos ransomware itself, please visit the Phobos ransomware variant page. To consult with our team of experts to better understand your options, fill out the Ransomware Data Recovery form. If the situation is urgent, you can also contact us by phone on our emergency line any time. 

Depending on the Phobos variant, there are different Phobos decryptor types. Phobos ransomware is based on a 2-way decryption process. You will receive a decryptor executable, most often called “decryptor.exe”, which scans the computer, network drives, external HDDs and other removable devices. After this scan has finished, you get a “request code.” This contains a public key request, which is unique for each individual user.

The decryptor sends the request code to the attackers, who then generate your decryption keys. The tool then decrypts the files using the keys. This is more or less the same process used for private chat messages; if you’ve ever used WhatsApp, you’ve used decryption keys before. When decryption takes place, it converts all of the data in your files to a different form according to a complex pattern. The decryption key contains the formula that was used to modify your files. The Phobos decryptor tool then uses this formula (ie. the key) to revert the files back to their original form.

A decryption key  from someone who has already received a Phobos decryption key will not work for you. Each ransomware attack uses a different algorithm. 

Phobos ransomware creates multiple Windows registry entries, creates hidden executable files and sometimes opens a backdoor in firewalls for further access. There are multiple steps necessary, including the cleaning up of the Windows registry, scanning for malware and the manual cleanup of the Phobos ransomware. Depending on the system environment, it is sometimes safer and faster to reinstall the operating system.

The most common attack vector for Phobos ransomware is an unsecured RDP-Connection (Remote Desktop Protocol). It is followed up by phishing emails and security vulnerabilities.

Just by following basic cyber hygiene principles such as not opening emails and attachments from unknown people, and not downloading any program from torrents, can save you a whole lot of time, trouble and effort.

Phobos ransomware encrypts files with an AES-265 bit algorithm. Some variants from Phobos malware are using a combination of AES-265 and RSA-1024 symmetric encryption.

Independent reports have observed that while executing the file, it does not bypass UAC rights and Windows asks for permission to open up the executable file.

1. Professional ransomware response can significantly decrease downtime. We deal with hundreds of cases every year. Through our years of experience, we have developed a streamlined process that brings our clients back online as fast as possible. In the event that a ransom has to be paid, purchasing the necessary cryptocurrency can take days. The process of resolving a ransomware attack without prior experience can take many hours of research. Most of our cases are completely resolved 24-72 hours after we begin the recovery process.
   
   
2. Avoid dealing with criminals and ensure legal compliance. Most companies don’t feel comfortable dealing with cyber-criminals. It can add another layer of stress in emergency. We maintain files on different groups of hackers in order to maximize security and effectiveness of negotiations. We also ensure that all communications and transfers comply with applicable laws and regulations to protect our clients against potential legal problems. 
   
   
3. Instant cryptocurrency transfers. It is always better to avoid giving into the attacker’s demands. If backups and normal recovery methods fail, however, there may be no other choice. Most ransomware attackers demand payment in Bitcoin. If you try to purchase Bitcoin yourself, an intensive know-your-customer process is usually required, which can take 2-6 days for large amounts. We maintain a reserve of the currencies demanded by attackers to make instant payments if needed.
   
   
4. Ensure data integrity and security. As specialists in the field of ransomware incident response, we are always refining industry best practices for data recovery. We have robust, standardized procedures for backing up encrypted data, restoring data, and removing viruses to ensure that there is no data loss or damage.
   
   
5. Easy Insurance Reporting: All of our clients receive a detailed incident report with all information required by cyber-insurance and for law enforcement purposes. Thankfully, cyber-insurance often covers the cost of cyber-extortion as well as professional ransomware response services. Completing all paperwork correctly from the beginning can speed up the process of filing a claim and recovering lost funds.

1. Backup, Backup, Backup! In most cases, a fresh and secure backup of data can prevent ransomware attack from succeeding. For this reason, many attackers put in a lot of effort to find and encrypt backups. The best backup will be air-gapped, meaning physically disconnected from your main network. It is also important to have a regular backup schedule with robust security procedures. 
   
   
2. Install a Next-Gen Antivirus. Next generation anti-virus software combines a classic signature-based antivirus with powerful exploit protection, ransomware protection and endpoint detection and response (EDR). Mcafee, Fireeye, and Sentinel One are all examples of antivirus software with these features. 
   
   
3. Install a Next-Gen Firewall. A Next-Gen-Firewall is also called Unified threat management (UTM) firewall. It adds a layer of security at every entry and exit point of your company data communication. It combines classic network security with intrusion detection, intrusion prevention, gateway antivirus, email filtering and many other features. 

If you can afford it, having staff or hiring a dedicated service to monitor network traffic can also help to detect unusual activity and prevent ransomware attacks. Ransomware attackers usually do a lot of surveillance on a network before attempting a hack. This “reconnaissance” phase has certain tell-tale signs. If you can catch these early, it’s possible to detect the attacker early and deny them access to the network. 

If you get hit by ransomware, a professional ransomware response service can help to identify and patch security gaps.