PhobosImposter is a ransomware that runs on Microsoft Windows. It was discovered by MalwareHunterTeam. It impersonates the Phobos ransomware. It is part of the LockerGoga family. It is aimed at English-speaking users.
PhobosImposter is distributed through trojans, spam campaigns, untrustworthy download channels, fake software updaters and "cracking" tools. Trojans are a type of malware designed to download and install additional malicious software.
During the encryption process all files are renamed with the ".phobos" extension appended. Therefore, a file named "1.jpg" would appear as "1.jpg.phobos", and so forth for all of the compromised files. After this process is complete, PhobosImposter creates a text file, "Restore-My-Files.txt", and drops it into every affected folder.
The text file contains the ransom message. It states that all of the victim's data has been encrypted and that, to restore it, they must pay a ransom. Email addresses are provided for contacting PhobosImposter's developers. Victims must send the same message to both addresses and put their ID number (listed in "Restore-My-Files.txt") in the subject line of the emails. The size of the ransom is not stated; victims are told that it will depend on how quickly they contact the cyber criminals. Payment for the decryption tools/software is to be made in Bitcoin cryptocurrency, and the note includes instructions on how to procure Bitcoins. To prove their ability to restore the encrypted data, the criminals offer to decrypt up to two files free of charge. The total size of the files must not exceed 1Mb (non-archived), and they must not contain any valuable information, such as databases, backups, large Excel sheets and similar. The message warns users not to rename the encrypted files and not to attempt to decrypt them using third-party software, as that will result in permanent data loss.
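A defender-side sweep for the artefacts described above, added here as an example and not taken from the page or any vendor tool: it walks a directory tree, flags files carrying the appended ".phobos" extension and the dropped "Restore-My-Files.txt" note, checks whether a note opens with the text quoted on this page, and recovers the original filenames. The sample tree it scans is constructed inline in a temporary directory.

```python
import os
import tempfile
from pathlib import Path

# Artefacts the page attributes to PhobosImposter: appended extension and note name.
ENCRYPTED_EXT = ".phobos"
NOTE_NAME = "Restore-My-Files.txt"
NOTE_MARKER = "All your files have been encrypted"   # opening line of the note

def original_name(name):
    """Recover the pre-encryption filename ('1.jpg.phobos' -> '1.jpg')."""
    return name[:-len(ENCRYPTED_EXT)] if name.endswith(ENCRYPTED_EXT) else name

def scan_tree(root):
    """Walk root and map each affected folder to its findings:
    ('encrypted', path) or ('note', path, note_text_matches)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        hits = []
        for name in files:
            full = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                head = Path(full).read_text(errors="replace")[:4096]
                hits.append(("note", full, NOTE_MARKER in head))
            elif name.endswith(ENCRYPTED_EXT):
                hits.append(("encrypted", full))
        if hits:
            findings[dirpath] = hits
    return findings

def summarize(findings):
    """Count affected folders, encrypted files, and notes whose text matches."""
    hits = [h for hs in findings.values() for h in hs]
    return {
        "affected_folders": len(findings),
        "encrypted_files": sum(h[0] == "encrypted" for h in hits),
        "notes": sum(h[0] == "note" for h in hits),
        "notes_with_marker": sum(h[0] == "note" and h[2] for h in hits),
    }

def demo():
    """Build a constructed sample tree in a temp dir and scan it (sample data, not real)."""
    root = tempfile.mkdtemp()
    docs = Path(root, "Documents"); docs.mkdir()
    (docs / "1.jpg.phobos").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.phobos").write_bytes(b"\x00" * 16)
    (docs / NOTE_NAME).write_text("All your files have been encrypted!\n")
    music = Path(root, "Music"); music.mkdir()
    (music / "song.mp3").write_bytes(b"\x00" * 16)   # untouched folder, no findings
    return summarize(scan_tree(root))
```

Run `scan_tree()` against a suspect share or backup snapshot to list every folder holding a note or renamed files; `original_name()` gives the names to restore from backup.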
Text presented in PhobosImposter ransomware's text file ("Restore-My-Files.txt"):
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC.
If you want to restore them, write us to the e-mail: email@example.com
be sure to duplicate your message on e-mail: firstname.lastname@example.org
Write this ID in the title of your message -
You have to pay for decryption in Bitcoins.
The price depends on how fast you write to us.
After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 2 files for free decryption.
The total size of files must be less than 1Mb(non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site.
You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here :
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price(they add their fee to our) or you can become a victim of a scam.
Reviews receiving the decoder after payment
************ Phobos Ransomware Payment ************