

PhobosImposter is ransomware that targets Microsoft Windows. It was discovered by MalwareHunterTeam. Despite its name and the ".phobos" extension it appends, it is not the Phobos ransomware; it only impersonates Phobos and is classified as part of the LockerGoga family. It is aimed at English-speaking users.

Payload

Transmission

PhobosImposter is distributed through trojans, spam campaigns, untrustworthy download channels, fake software updaters and "cracking" tools. Trojans, in this context, are malware whose purpose is to download or install additional malicious software such as this ransomware.

Infection

During the encryption process every encrypted file is renamed by appending the ".phobos" extension; the original name is kept intact, so a file named "1.jpg" appears as "1.jpg.phobos", and so forth for all the compromised files. (The genuine Phobos family inserts a victim ID and a contact e-mail address before the ".phobos" suffix, so a bare ".phobos" extension is one way to tell the imposter apart.) After this process is complete, PhobosImposter creates a text file, "Restore-My-Files.txt", and drops it into every affected folder.

The text file contains the ransom message. It states that all of the victim's data has been encrypted and that a ransom must be paid to restore it. Two e-mail addresses are provided for contacting PhobosImposter's operators. Victims must send the same message to both addresses and put their ID (listed in "Restore-My-Files.txt") in the subject line of the e-mails. The size of the ransom is not stated; victims are told that it will depend on how quickly they contact the criminals. Payment for the decryption tool is to be made in Bitcoin, and the note includes instructions on how to buy Bitcoin. To prove their ability to restore the encrypted data, the criminals offer to decrypt up to two files free of charge. The total size of the files may be no larger than 1 MB (non-archived) and they must not contain valuable information, such as databases, backups, large Excel sheets and similar. The message warns victims not to rename the encrypted files and not to attempt to decrypt them with third-party software, claiming that this will result in permanent data loss.

Text of PhobosImposter's ransom note ("Restore-My-Files.txt"):

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC.If you want to restore them, write us to the e-mail: phomen@cock.li
be sure to duplicate your message on e-mail: phomen@airmail.cc
Write this ID in the title of your message -

You have to pay for decryption in Bitcoins.The price depends on how fast you write to us.After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 2 files for free decryption.The total size of files must be less than 1Mb(non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site.You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here :
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price(they add their fee to our) or you can become a victim of a scam.
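The two on-disk artifacts described above (the appended ".phobos" extension and the "Restore-My-Files.txt" note dropped in every affected folder) are enough for a first-pass triage of an infected share. The script below is an added example written for this page, not code from the malware, from MalwareHunterTeam or from any incident report: it walks a directory tree, lists the encrypted files and the original names recoverable from them, records which folders were touched, flags folders that hold encrypted files but no note, and pulls the contact e-mails and victim ID out of every note it finds. The sample tree it builds, the victim ID "ABCD1234" and the file names are constructed for the demo; the two e-mail addresses are the ones in the note above.

```python
import os
import re
import tempfile
from pathlib import Path

# Artifacts described for PhobosImposter: the appended extension and the note file name.
ENC_EXT = ".phobos"
NOTE_NAME = "Restore-My-Files.txt"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# The ID follows "message -" on the same line. Matching only spaces/tabs (not newlines)
# keeps an empty ID, as in the note reproduced above, from being filled with the next line.
ID_RE = re.compile(r"Write this ID in the title of your message[ \t]*-[ \t]*(\S*)")


def triage(root):
    """Walk `root` and summarise the infection footprint.

    Returns a dict with the encrypted files, the original names they had before
    the extension was appended, the folders touched, folders that are missing the
    note, the notes found, and the e-mails / victim IDs extracted from those notes.
    """
    root = Path(root)
    report = {
        "encrypted_files": [],
        "original_names": [],
        "affected_dirs": set(),
        "dirs_without_note": set(),
        "notes": [],
        "emails": set(),
        "ids": set(),
    }
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        rel_dir = str(d.relative_to(root))
        has_enc = has_note = False
        for name in files:
            p = d / name
            if name.endswith(ENC_EXT):
                has_enc = True
                report["encrypted_files"].append(str(p.relative_to(root)))
                # "1.jpg.phobos" -> "1.jpg": the original name survives intact.
                report["original_names"].append(name[: -len(ENC_EXT)])
            elif name == NOTE_NAME:
                has_note = True
                text = p.read_text(errors="replace")
                report["notes"].append(str(p.relative_to(root)))
                report["emails"].update(EMAIL_RE.findall(text))
                m = ID_RE.search(text)
                if m and m.group(1):
                    report["ids"].add(m.group(1))
        if has_enc:
            report["affected_dirs"].add(rel_dir)
            if not has_note:
                # A note is expected in every affected folder; its absence is worth a second look.
                report["dirs_without_note"].add(rel_dir)
    return report


# Constructed note text for the demo, modelled on the note reproduced above.
# The victim ID "ABCD1234" is invented; the two addresses are the ones in the note.
SAMPLE_NOTE = """All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC.If you want to restore them, write us to the e-mail: phomen@cock.li
be sure to duplicate your message on e-mail: phomen@airmail.cc
Write this ID in the title of your message - ABCD1234
"""


def build_sample(base):
    """Create a constructed directory tree imitating the described post-infection state."""
    base = Path(base)
    docs, pics, orphan = base / "Documents", base / "Pictures", base / "Temp"
    for d in (docs, pics, orphan):
        d.mkdir(parents=True, exist_ok=True)
    (docs / ("report.docx" + ENC_EXT)).write_bytes(os.urandom(64))
    (docs / NOTE_NAME).write_text(SAMPLE_NOTE)
    (pics / ("1.jpg" + ENC_EXT)).write_bytes(os.urandom(64))
    (pics / NOTE_NAME).write_text(SAMPLE_NOTE)
    (orphan / ("cache.bin" + ENC_EXT)).write_bytes(os.urandom(64))  # encrypted, but no note
    (base / "untouched.txt").write_text("not encrypted")
    return base


def run_demo():
    """Build the sample tree in a temporary directory and triage it."""
    base = tempfile.mkdtemp(prefix="phobosimposter-demo-")
    build_sample(base)
    return triage(base)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {sorted(value)}")
```

Point `triage()` at the root of a mounted share or a forensic image instead of the demo tree. The extension and note name are only a triage signal: the same note name is used by other families and the bare ".phobos" extension only distinguishes this imposter from the genuine Phobos, so attribution still needs the sample itself.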
