Depending on the Phobos variant, there are different Phobos decryptor types. Phobos ransomware decryption is a two-step process. You receive a decryptor executable, most often called “decryptor.exe”, which scans the computer, network drives, external HDDs and other removable devices. When the scan finishes, it produces a “request code”: a key request that is unique to each individual victim.

The request code goes to the attackers, who generate the decryption keys for that victim, and the tool then decrypts the files with those keys. The underlying idea is the same as in end-to-end encrypted messaging: if you have ever used WhatsApp, your device has used decryption keys on your behalf. When the ransomware encrypts a file, it transforms the file's contents with a cipher, a fixed algorithm driven by a secret key. The key is not the formula itself but the secret input that shaped the scrambled output; the Phobos decryptor runs the same cipher in reverse with that key to restore the files to their original form.

A decryption key from someone who has already received a Phobos decryption key will not work for you. The cipher is the same across infections, but every infection uses its own keys, so only the keys generated for your request code will decrypt your files.
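The point above, that the algorithm is shared while the key is per victim, is easy to see in code. The following is an added example and is not part of the original page or of any Phobos decryptor; it uses a toy counter-mode stream cipher built from HMAC-SHA256 in place of the real cipher, and the file contents and victim keys are constructed for the demonstration. The authentication tag is what lets a decryptor report "wrong key" instead of silently writing garbage.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || counter), concatenated.

    Stands in for the real file cipher; the algorithm is fixed, only the key varies.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag for one file."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    # Tag over nonce and ciphertext so a wrong key is detected before decrypting.
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Reverse encrypt(); raises ValueError if the key does not match the blob."""
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or corrupted file")
    ks = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


# Constructed sample: one file on victim A's machine, plus two per-victim keys.
SAMPLE_FILE = b"Q3 invoices: ACME Corp, 12,400 EUR, due 2024-09-30\n" * 4
KEY_A = secrets.token_bytes(32)  # the key generated for victim A's infection
KEY_B = secrets.token_bytes(32)  # the key another victim (B) was given
BLOB_A = encrypt(KEY_A, SAMPLE_FILE)


def own_key_restores_file() -> bool:
    """Victim A's key, with the same cipher, restores the original bytes."""
    return decrypt(KEY_A, BLOB_A) == SAMPLE_FILE


def other_victims_key_fails() -> bool:
    """Victim B's key runs the very same algorithm but cannot open A's file."""
    try:
        decrypt(KEY_B, BLOB_A)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("own key restores file:", own_key_restores_file())
    print("other victim's key fails:", other_victims_key_fails())
```

Without the tag check, `decrypt` with the wrong key would still "succeed" and overwrite every file with noise, which is why a real decryptor should verify a key against a known file before touching the rest of the disk.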
