Phobos Ransomware Recovery

If you get hit by Phobos ransomware, you may have an emergency on your hands. Still, it’s important to stay calm. You can learn more about the Phobos ransomware and how to identify it and remove it on this page. For personalized assistance, you can also contact our team of ransomware data recovery experts 24/7 and for a FREE consultation and immediate assessment of the damages.

We work with clients all over the world, so wherever you are located, we can help.  Our team consists of highly specialized German technicians, and can help you recover your precious data with a quick and painless ransomware removal and remediation process.

Phobos Ransomware Recovery

How do I know if Phobos Ransomware has infected my system?

If you are unable to access your data and receive notice that your files have been encrypted and demanding a ransom to decrypt them, it may mean your system is infected with Phobos ransomware.

Phobos Ransomware is a novel ransomware virus strain that first appeared in 2017. It is closely related to Dharma Ransomware. Phobos uses an AES 256-bit encryption standard, making it almost impossible to recover your files with a free decryptor tool.

  • How do you know if Phobos Ransomware has encrypted your data?
  • PHOBOS Ransomware creates and leaves a text file Your Files are Encrypted.Txt on your Desktop, and/or Documents.
  • Your File extensions change to “.PHOBOS” along with the hacker’s email address.
  • You suddenly notice no desktop wallpaper.
  • Your CPU is utilized to 100%, despite using no applications.
  • Your Desktop PC or laptop gets sluggish or extremely slow.
  • The hard disk continues data processing in the background, even though no applications are in use.
  • You are unable to use your antivirus software or find it deactivated.

What should I do when my data has been encrypted by Phobos?

  • Disconnect from the network immediately. For more details, please visit our Ransomware Response Guide.
  • It is better not to communicate directly with the hackers. Professional ransomware response teams know the legal protocols for communicating with hackers and generally achieve much better results.
  • Report the crime to your local police cyber crime division.
  • If left on its own, Phobos can continue encrypting your data in the background.
  • Talk to the experts. Get HELP now!

BeforeCrypt is a licensed and registered Cyber Security firm specialized in ransomware recovery and mitigation. We’re here to help you with Phobos ransomware removal immediately. It’s natural to feel stressed and frustrated about this situation, but we are here to help and get back to normal as quickly as possible. We can help recover 100% of your data in the vast majority of situations.

Phobos uses AES-256 military grade encryption technology to hold your data hostage. Unfortunately, there are no “quick fixes” for this. However, BeforeCrypt can help minimize the overall costs of recovering from a ransomware attack.

Keep calm! Contact us, and we can help you!

Ransomware Recovery Ransomware Decryption


Groups using Phobos ransomware often target large organizations. As a result, the average ransom amounts for Phobos is quite high.

Demands often fall in the range of $5,000–$25,000.

Victims are faced with unexpected costs when buying and transferring cryptocurrencies, usually additional acquisition costs of 10% are incurred here for quick purchase options via PayPal and/or credit cards.

The Phobos ransomware downtime is a bit longer than normal ransomware attacks. The manual process of email-based communication with the attackers can add a considerable delay in the response time.

Depending on your company size and how often you use IT-systems in your daily business, this is the most expensive part of this incident. Additional to the unavailability of your IT-systems, this is damaging your company reputation.

Your goal should be to get your systems back to a productive state as soon as possible. The best way to do this is to call in experts, which have a vast knowledge of Phobos ransomware and get the IT-systems back up running.

There is a high chance to get a working Phobos decryptor after paying the attackers. But there’s never a guarantee to get a working decryption key at all.

Some attackers have a good reputation for providing working Phobos decryptors. Others are known as scammers and will never provide a decryption tool.

Unfortunately, hackers will receive the ransom payment and get away with it, leaving the victim in cold waters.

The most common attack vector for Phobos ransomware is an unsecured RDP-Connection (Remote Desktop Protocol) followed up by phishing emails and security vulnerabilities.

NamePhobos Virus / Phobos Ransomware
Danger levelVery High. Advanced Ransomware which makes system changes and encrypts files
Release date2019
OS affectedWindows
Appended file extensions.acute, .actin, .Acton, .actor, .Acuff, .Acuna, .acute, .adage, .Adair, .Adame, .banhu, .banjo, .Banks, .Banta, .Barak, .Caleb, .Cales, .Caley, .calix, .Calle, .Calum, .Calvo, .deuce, .Dever, .deal, .devil, .Devoe, .Devon, .Devos, .dewar, .eight, .eject, .eking, .Elbie, .elbow, .elder, .phobos, .help, .blend, .bqux, .com, .mamba, .KARLOS, .DDoS, .phoenix, .PLUT, .karma, .bbc, .CAPITAL
Ransom note"Phobos.hta" or "info.txt"
Contact email address[email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], charles[email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], mencryp[email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected],, [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], bitl[email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Known scammers1. [email protected]

2.Telegram @coderunlocker

[email protected]
Phobos ID ending in "-3149"


Phobos Ransomware Note #1: .hta Notice

This is an average Phobos ransomware note.

All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected]
Write this ID in the title of your message 000QQQ
If there is no response from our mail, you can install the Jabber client and write to us in support of [email protected]
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. 

Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. 
Also you can find other places to buy Bitcoins and beginners guide here:

Phobos Ransomware Note #2: Text file

!!! All your data is encrypted !!!
To decrypt them send email to this address: [email protected]
If there is no response from our mail, you can install the Jabber client and write to us in support of [email protected]

Almost always, there is a * .txt file in every folder that has been encrypted. The text file usually has the name “info.txt” and contains all the necessary information to contact the Phobos Ransomware attackers to try and get your data back. It’s usually safe to open this file, just be sure the full file extension is *.txt. The danger is not in the file itself, the risk involved is the human and emotional factor that can be exploited by attackers holding you hostage in order to further exacerbate the situation, through double or triple payment scams, the attackers sensing your inexperience in this type of situation and placing more obstacles and difficulty at every step of the process. Having experts handle the situation from beginning to end is the most logical approach to any hostage situation.

Phobos Ransomware Note #3: No Ransom Note At All


Sometimes the attackers leave the encrypted files without any Phobos ransomware notes. The file name contains a generic and customized ID number and the attackers’ email. This Phobos ID number is always individual, and sometimes there are additional IDs if more than one system got encrypted by Phobos ransomware. The appended file extensions depend on the Phobos ransomware variant.

The most common ones are .acute, .actin, .Acton, .actor, .Acuff, .Acuna, .acute, .adage, .Adair, .Adame, .banhu, .banjo, .Banks, .Banta, .Barak, .Caleb, .Cales, .Caley, .calix, .Calle, .Calum, .Calvo, .deuce, .Dever, .devil, .Devoe, .Devon, .Devos, .dewar, .eight, .eject, .eking, .Elbie, .elbow, .elder, .phobos, .help, .blend, .bqux, .com, .mamba, .KARLOS, .DDoS, .phoenix, .PLUT, .karma, .bbc, .CAPITAL



By loading the video, you agree to YouTube's privacy policy.
Learn more

Load video

This is a demonstration of Phobos Ransomware Decryptor. Copyright by BeforeCrypt


Although decryption tools exist for some older variants, most newer Phobos ransomware strains have no freely available decryption tools. You can check for free, publicly available decryption tools here

In most cases, the only way to obtain a working Phobos ransomware decrypt tool is through negotiation with the attackers. Depending on the history of the gang that is behind the hack, it may be possible to get a functional decryption tool by paying the demands of the attackers. Believe it or not, some gangs actually try to maintain a reputation, and are consistent in delivering decryption tools when payed. Other hackers can be less reliable, however. Some will demand a second or even third payment after being paid the first time. In some cases, they don’t provide any decryption tool at all or provide a faulty decryption tool. 

We actively research the active ransomware gangs in order to understand how they operate, the risks of dealing with them, and the probability of success. Knowing the history of a gang can help to negotiate with them more effectively. Using this methodology, we have succeeded in negotiating down ransom demands by as much as 30%. 

If you want to learn more about Phobos ransomware itself, please visit the Phobos ransomware variant page. To consult with our team of experts to better understand your options, fill out the Ransomware Data Recovery form. If the situation is urgent, you can also contact us by phone on our emergency line any time. 

Depending on the Phobos variant, there are different Phobos decryptor types. Phobos ransomware is based on a 2-way decryption process. You will receive a decryptor executable, most often called “decryptor.exe”, which scans the computer, network drives, external HDDs and other removable devices. After this scan has finished, you get a “request code.” This contains a public key request, which is unique for each individual user.

The decryptor sends the request code to the attackers, who then generate your decryption keys. The tool then decrypts the files using the keys. This is more or less the same process used for private chat messages; if you’ve ever used WhatsApp, you’ve used decryption keys before. When decryption takes place, it converts all of the data in your files to a different form according to a complex pattern. The decryption key contains the formula that was used to modify your files. The Phobos decryptor tool then uses this formula (ie. the key) to revert the files back to their original form.

A decryption key  from someone who has already received a Phobos decryption key will not work for you. Each ransomware attack uses a different algorithm. 

Phobos ransomware creates multiple Windows registry entries, creates hidden executable files and sometimes opens a backdoor in firewalls for further access. There are multiple steps necessary, including the cleaning up of the Windows registry, scanning for malware and the manual cleanup of the Phobos ransomware. Depending on the system environment, it is sometimes safer and faster to reinstall the operating system.

The most common attack vector for Phobos ransomware is an unsecured RDP-Connection (Remote Desktop Protocol). It is followed up by phishing emails and security vulnerabilities.

Just by following basic cyber hygiene principles such as not opening emails and attachments from unknown people, and not downloading any program from torrents, can save you a whole lot of time, trouble and effort.


Phobos ransomware encrypts files with an AES-265 bit algorithm. Some variants from Phobos malware are using a combination of AES-265 and RSA-1024 symmetric encryption.

Independent reports have observed that while executing the file, it does not bypass UAC rights and Windows asks for permission to open up the executable file.


  1. Professional ransomware response can significantly decrease downtime. We deal with hundreds of cases every year. Through our years of experience, we have developed a streamlined process that brings our clients back online as fast as possible. In the event that a ransom has to be paid, purchasing the necessary cryptocurrency can take days. The process of resolving a ransomware attack without prior experience can take many hours of research. Most of our cases are completely resolved 24-72 hours after we begin the recovery process.

  2. Avoid dealing with criminals and ensure legal compliance. Most companies don’t feel comfortable dealing with cyber-criminals. It can add another layer of stress in emergency. We maintain files on different groups of hackers in order to maximize security and effectiveness of negotiations. We also ensure that all communications and transfers comply with applicable laws and regulations to protect our clients against potential legal problems. 

  3. Cryptocurrency transfers. It is always better to avoid giving into the attacker’s demands. If backups and normal recovery methods fail, however, there may be no other choice. Most ransomware attackers demand payment in Bitcoin. We guide you through the whole process of creating a crypto currency wallet and buying the crypto currency with you. Therefore we have different cooperation partner in order to prepare your wallet and do the transaction as quick and easy as possible for you. 

  4. Ensure data integrity and security. As specialists in the field of ransomware incident response, we are always refining industry best practices for data recovery. We have robust, standardized procedures for backing up encrypted data, restoring data, and removing viruses to ensure that there is no data loss or damage.

  5. Easy Insurance Reporting: All of our clients receive a detailed incident report with all information required by cyber-insurance and for law enforcement purposes. Thankfully, cyber-insurance often covers the cost of cyber-extortion as well as professional ransomware response services. Completing all paperwork correctly from the beginning can speed up the process of filing a claim and recovering lost funds.
  1. Backup, Backup, Backup! In most cases, a fresh and secure backup of data can prevent ransomware attack from succeeding. For this reason, many attackers put in a lot of effort to find and encrypt backups. The best backup will be air-gapped, meaning physically disconnected from your main network. It is also important to have a regular backup schedule with robust security procedures

  2. Install a Next-Gen Antivirus. Next generation anti-virus software combines a classic signature-based antivirus with powerful exploit protection, ransomware protection and endpoint detection and response (EDR). Mcafee, Fireeye, and Sentinel One are all examples of antivirus software with these features. 

  3. Install a Next-Gen Firewall. A Next-Gen-Firewall is also called Unified threat management (UTM) firewall. It adds a layer of security at every entry and exit point of your company data communication. It combines classic network security with intrusion detection, intrusion prevention, gateway antivirus, email filtering and many other features. 

If you can afford it, having staff or hiring a dedicated service to monitor network traffic can also help to detect unusual activity and prevent ransomware attacks. Ransomware attackers usually do a lot of surveillance on a network before attempting a hack. This “reconnaissance” phase has certain tell-tale signs. If you can catch these early, it’s possible to detect the attacker early and deny them access to the network. 

If you get hit by ransomware, a professional ransomware response service can help to identify and patch security gaps. 

In emergencies, we can start with the ransomware data recovery immediately. Since our support team operates 24/7, we can reduce your downtime to a minimum by working non-stop to recover your data.

Need fast help with Phobos ransomware recovery? Contact us now and get instant help from the ransomware response experts

Ransomware Recovery Data