Phobos Ransomware Recovery

Has Phobos Ransomware encrypted your data? If yes, then it is a company-wide dilemma. Learn more about the Phobos ransomware, its decryption, recovery, removal and statistics. Or, you can contact our awesome 24/7 cybersecurity ransomware data recovery experts and get a FREE assessment of the damages.

It doesn’t matter what your organization dedicates itself to, or where you are physically located. We handle all operations remotely and help you in recovering your precious data.

How do I know if Phobos Ransomware has infected my system?

When you are unable to access your data and get a notice that your files have been hacked and that you have to pay a ransom to decrypt them, you may be infected with Phobos Ransomware.

First observed in October 2017, Phobos Ransomware is a new strain of ransomware that is closely related to Dharma Ransomware. It uses the AES 256-bit encryption standard, making it virtually impossible to recover your files with a free decryptor tool.

  • How do you know if Phobos Ransomware has encrypted your data?
  • Phobos Ransomware creates and leaves a text file named “Your Files are Encrypted.Txt” on your Desktop and/or in Documents.
  • Your file extensions change to “.PHOBOS”, along with the hacker’s email address.
  • You suddenly notice no desktop wallpaper.
  • Your CPU is utilized to 100%, despite using no applications.
  • Your Desktop PC or laptop gets sluggish or extremely slow.
  • The hard disk continues data processing in the background, even though no applications are in use.
  • You are unable to use your antivirus software or find it deactivated.

What should I do when my data has been encrypted by Phobos?

  • Disconnect your system from the network immediately. For more details, please visit the Ransomware Information site.
  • Do NOT try to talk or negotiate with the hackers.
  • Report the crime to your local Cyber Crimes Department.
  • Be aware. If left on its own, Phobos continues encrypting your data in the background.
  • Talk to the experts. Get HELP now!

BeforeCrypt is a licensed and registered Cyber Security company, and we’re here to help you in the data recovery process. We understand your pain and frustration. Thanks to our experience and knowledge, we can recover 100% of your encrypted data in the vast majority of cases.

Phobos uses AES-256 military grade encryption technology to hold your corporation hostage. Any attempts towards recovering the data with a quick fix will likely be in vain. Let experts like BeforeCrypt handle the matter for you.

Keep calm! Contact us, and we can help you!


The groups that operate Phobos ransomware have been targeting large organizations. As such, the ransom amounts have been very high.

The average Phobos ransom amount is somewhere between $5,000–$25,000. In addition, Bitcoin exchange fees of approximately 10% apply when quick-buy methods such as PayPal or credit card are used.

The Phobos ransomware downtime is a bit longer than normal ransomware attacks. The manual process of email-based communication with the attackers can add a considerable delay in the response time.

Depending on your company size and how often you use IT systems in your daily business, this is the most expensive part of the incident. In addition to the unavailability of your IT systems, the downtime damages your company's reputation.

Your goal should be to get your systems back to a productive state as soon as possible. The best way to do this is to call in experts who have extensive knowledge of Phobos ransomware and can get the IT systems back up and running.

There is a high chance of getting a working Phobos decryptor after paying the attackers. But there is never a guarantee that you will get a working decryption key at all.

Some attackers have a good reputation for providing working Phobos decryptors. Others are known as scammers and will never provide a decryption tool.

Unfortunately, hackers will receive the ransom payment and get away with it, leaving the victim in cold waters.

The most common attack vector for Phobos ransomware is an unsecured RDP-Connection (Remote Desktop Protocol) followed up by phishing emails and security vulnerabilities.

  • Remote Desktop (RDP)
  • Phishing Emails
  • Security vulnerabilities

Name: Phobos Virus / Phobos Ransomware
Danger level: Very High. Advanced ransomware which makes system changes and encrypts files
Release date: 2019
OS affected: Windows
Appended file extensions: .acute, .actin, .Acton, .actor, .Acuff, .Acuna, .acute, .adage, .Adair, .Adame, .banhu, .banjo, .Banks, .Banta, .Barak, .Caleb, .Cales, .Caley, .calix, .Calle, .Calum, .Calvo, .deuce, .Dever, .deal, .devil, .Devoe, .Devon, .Devos, .dewar, .eight, .eject, .eking, .Elbie, .elbow, .elder, .phobos, .help, .blend, .bqux, .com, .mamba, .KARLOS, .DDoS, .phoenix, .PLUT, .karma, .bbc, .CAPITAL
Ransom note: "Phobos.hta" or "info.txt"
Contact email address: [email protected]
Known scammers: 1. [email protected]


Phobos Ransomware Note #1: .hta Notice

This is an average Phobos ransomware note.

All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected]
Write this ID in the title of your message 000QQQ
If there is no response from our mail, you can install the Jabber client and write to us in support of [email protected]
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. 

Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. 
Also you can find other places to buy Bitcoins and beginners guide here:

Phobos Ransomware Note #2: Text file

!!! All your data is encrypted !!!
To decrypt them send email to this address: [email protected]
If there is no response from our mail, you can install the Jabber client and write to us in support of [email protected]

Almost always, there is a *.txt file in every folder that has been encrypted. The text file usually has the name “info.txt” and contains all the necessary information to contact the Phobos Ransomware attackers to get your data back. It’s usually safe to open this file; just be sure the full file extension is *.txt.

Phobos Ransomware Note #3: No Ransom Note At All


Sometimes the attackers leave the encrypted files without any Phobos ransomware notes. The file name contains a generic and customized ID number and the attackers’ email. This Phobos ID number is always individual, and sometimes there are additional IDs if more than one system got encrypted by Phobos ransomware. The appended file extensions depend on the Phobos ransomware variant.

The most common ones are .acute, .actin, .Acton, .actor, .Acuff, .Acuna, .acute, .adage, .Adair, .Adame, .banhu, .banjo, .Banks, .Banta, .Barak, .Caleb, .Cales, .Caley, .calix, .Calle, .Calum, .Calvo, .deuce, .Dever, .devil, .Devoe, .Devon, .Devos, .dewar, .eight, .eject, .eking, .Elbie, .elbow, .elder, .phobos, .help, .blend, .bqux, .com, .mamba, .KARLOS, .DDoS, .phoenix, .PLUT, .karma, .bbc, .CAPITAL

“file.[ext].id[0000QQQQ-0000].[[email protected]].acute”
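
As an added example (not code from this page or from BeforeCrypt's tooling), the following Python parses the file-name layout shown above from a directory listing, groups encrypted files by ID so that more than one ID points to more than one encrypted system, and picks out the ransom note names listed on this page. The ID character set, the function names and the sample paths are assumptions; the sample listing is constructed.

```python
import re
from collections import defaultdict

# Layout taken from the sample name on this page:
#   file.[ext].id[0000QQQQ-0000].[contact email].<variant extension>
# Assumption: the ID is 8 + 4 alphanumeric characters, as in that placeholder.
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[0-9A-Za-z]{8}-[0-9A-Za-z]{4})\]"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[0-9A-Za-z]+)$"
)
NOTE_NAMES = {"phobos.hta", "info.txt"}  # ransom note names listed on this page

def parse_name(filename):
    """Return the fields of a Phobos-style name, or None if it does not match."""
    m = PHOBOS_NAME.match(filename)
    return m.groupdict() if m else None

def triage(paths):
    """Group encrypted files by victim ID and collect ransom notes."""
    by_id = defaultdict(list)
    notes = []
    for path in paths:
        name = re.split(r"[\\/]", path)[-1]  # strip Windows or POSIX directories
        fields = parse_name(name)
        if fields:
            by_id[fields["victim_id"]].append(fields)
        elif name.lower() in NOTE_NAMES:     # exact match on the full file name
            notes.append(path)
    return dict(by_id), notes

# Constructed sample listing (not from a real incident).
SAMPLE = [
    r"C:\Users\amy\Documents\budget.xlsx.id[1A2B3C4D-2275].[helpdesk@example.invalid].acute",
    r"C:\Users\amy\Documents\info.txt",
    r"C:\Users\amy\Documents\info.txt.exe",  # not a note: full extension is .exe
    r"D:\Shares\hr\roster.docx.id[9F8E7D6C-2275].[helpdesk@example.invalid].phobos",
    r"D:\Shares\hr\policy.pdf",
]

if __name__ == "__main__":
    groups, notes = triage(SAMPLE)
    for victim_id, files in groups.items():
        exts = sorted({f["ext"] for f in files})
        print(victim_id, len(files), "file(s), extensions:", exts)
    print("ransom notes:", notes)
```
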


Yes, we can help you to decrypt Phobos ransomware variants. Depending on the variant and version of Phobos ransomware, a Phobos decryptor or a recovery option may be available. Please fill out the Ransomware Data Recovery form if you need help from ransomware experts in this emergency situation. You can also use free websites to check for a publicly available Phobos decryptor method. If you want to learn more about Phobos ransomware itself, please visit the Phobos ransomware variant page.

Depending on the Phobos variant, there are different types of decryptors. Phobos ransomware is based on a 2-way decryption process. You will receive a decryptor executable, usually called “decryptor.exe”, which is first used to scan the entire computer, network drives, external HDDs and other removable devices. After this scan has finished, you get a “Request code”, which contains the public key request and is completely individual for each victim.

This “Request code” is sent over to the attackers, who then generate your decryption keys. The keys generated are unique for each person. A decryption key which you get from another victim, who has already received a Phobos decryption key, will not work for you.

Phobos ransomware creates multiple Windows registry entries, creates hidden executable files and sometimes opens a backdoor in firewalls for further access. There are multiple steps necessary, including the cleaning up of the Windows registry, scanning for malware and the manual cleanup of the Phobos ransomware. Depending on the system environment, it is sometimes safer and faster to reinstall the operating system.

The most common attack vector for Phobos ransomware is an unsecured RDP-Connection (Remote Desktop Protocol). It is followed up by phishing emails and security vulnerabilities.

Phobos ransomware encrypts files with an AES-256 bit algorithm. Some variants of Phobos malware use a combination of AES-256 and RSA-1024 symmetric encryption.

  1. We can reduce your downtime from ransomware significantly. We deal with over a hundred cases every year. We know what to do to keep the downtime for your company to an absolute minimum. You can benefit from our expert knowledge and don’t need to do time-intensive research yourself. Most of our cases are completely resolved within 24-72 hours after we begin the recovery process.

  2. Don’t deal with criminals directly. Most companies don’t feel comfortable dealing with cyber-criminals. It can add a layer of stress and risk in this emergency. We handle all communication with the criminals for you according to all applicable laws and regulations to restore your data as fast as possible.

  3. Instant Ransomware Payment. We don’t recommend that you pay the ransom. But sometimes there’s no other way if backups and normal recovery methods fail. If you try to buy Bitcoins yourself, an intensive know-your-customer process is usually required, which takes 2-6 days for large amounts. To save you this trouble, we always have Bitcoins in stock and can make payments instantly.

  4. We don’t damage your data. We always use industry best practices to back up your encrypted data, remove the ransomware trojan and then restore your data with normal recovery methods or decrypt the data with the official software. This standardized process ensures that your data won’t get damaged and that the ransomware no longer spreads on your network.

  5. Easy Insurance Reporting: You receive a detailed report and a sample letter to easily submit all necessary information to your cyber-insurance. Cyber-insurance usually covers a huge part of the costs involved with ransomware incidents.

  1. Backup, Backup, Backup! Use a separate backup destination like a secure cloud storage provider or a local backup medium which is physically disconnected after a successful backup run.
  2. Install a Next-Gen Antivirus. Next generation anti-virus software combines a classic signature-based antivirus with powerful exploit protection, ransomware protection and endpoint detection and response (EDR).
  3. Install a Next-Gen Firewall. A Next-Gen-Firewall is also called Unified threat management (UTM) firewall. It adds a layer of security at every entry and exit point of your company data communication. It combines classic network security with intrusion detection, intrusion prevention, gateway antivirus, email filtering and many other features.

Need fast help with Phobos ransomware recovery? Contact us now and get instant help from ransomware experts
