Do you know what PhobosImposter Ransomware is?
PhobosImposter Ransomware is, as you can tell by looking at the name, an imposter infection. It tries to impersonate Phobos Ransomware, a well-known infection that, today, has many different variants. The imposter, however, is a variant of a different infection, ABCD Ransomware. Unfortunately, if it invades an operating system and encrypts the files within, it can attach the “.phobos” extension, and that might confuse some Windows users. It is worth mentioning that the real infection adds the “.id[{unique ID}].[{unique email address}].PHOBOS” extension to the files it corrupts. All in all, regardless of the infection you are dealing with, your files are at risk, and you want to delete them right away. If you do not remove PhobosImposter Ransomware quickly, your personal files are encrypted, and you might be unable to restore them. That, however, does not mean that you should listen to cybercriminals.
According to our malware researchers, PhobosImposter Ransomware is likely to invade unprotected and vulnerable Windows operating systems using fake game/software cracks, spam emails, and RDP backdoors. To be fair, cybercriminals usually exploit every opportunity they get to distribute malware, and so even if you do not face ransomware right away, a bunch of different threats could slither in using the unguarded vulnerabilities. Once in, PhobosImposter Ransomware encrypts everything except for executables and system files. Once a file is encrypted with a unique encryption key, it cannot be read by any program, and decrypting it manually is not an option either. Next to the encrypted files, a file named “Restore-My-Files.txt” should be dropped. Can you open it safely? It is a normal text file, and you will not execute malware components by opening it, but we do recommend deleting it afterward.PhobosImposter Ransomware screenshot
Scroll down for full removal instructions
The text file dropped by PhobosImposter Ransomware represents a message. According to it, a message has to be sent to phomen@cock.li and phomen@airmail.cc by those who want to have the encrypted files restored. The message also informs that a ransom paid in Bitcoins is expected, but the exact sum is not disclosed. In fact, it is stated that the size of the ransom depends on how fast the victim contacts the attackers. Although the message includes the “Fee decryption as guarantee” statement, there are actually no guarantees that a decryptor exists or that you would obtain it if you paid the ransom. There is a link at the bottom of the message routing to a forum where, allegedly, victims share their successful ransom payment stories, but we would not trust this kind of information. Cyberattackers themselves could post such stories. Also, PhobosImposter Ransomware is NOT Phobos Ransomware.
We cannot guarantee that you will be able to delete PhobosImposter Ransomware manually because we do not know the exact location of this infection’s launcher on your computer. Where this file might be depends on how the infection got in, how you interacted with it, and also the settings of your system. Quite possibly, the file has landed where all of your downloaded files go, in which case, you might be able to find and remove PhobosImposter Ransomware yourself. If you cannot handle the problem yourself, you should install an anti-malware program that could identify and erase malicious threats automatically. We strongly recommend installing such a program even if you can delete the infection manually because you need anti-malware protection if you want to evade new threats in the future.
Remove PhobosImposter Ransomware
- Delete all recently downloaded files.
- Delete the ransom note file named Restore-My-Files.txt.
- Empty Recycle Bin.
- Install a trusted malware scanner and use it to perform a full system scan.
In non-techie terms:
PhobosImposter Ransomware is an infection that tries to introduce itself as Phobos Ransomware. This might confuse victims and make them take the wrong actions. If this malware has slithered into your operating system, all you can do is delete PhobosImposter Ransomware. At the time of research, decrypting files was not possible, and the services promised by the attackers were unreliable. Hopefully, you can replace the corrupted files using backups stored outside the infected machine. In that case, you want to perform the removal first, and then you want to replace the corrupted files. Do NOT connect to your backups while the ransomware is still active. To delete the infection, you can try to do it yourself, but we recommend installing anti-malware software. It will eliminate threats automatically, and it will also protect you against the attacks of other threats.