
It is recommended to upload a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with.
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply so that one of our experts can review them.


I've just been told that this is the Phobos ransomware. There is currently no known way to decrypt files that have been encrypted by this ransomware.


@Antonio Felix

Amendment!
Your file you downloaded now has a name:
***marZo.xls.crypted.id[9EF7A78C-1023].[[email protected]].actin

Here the 1st part of .id [9EF7A78C-1023].[[email protected]].actin reports that the file is encrypted with Phobos Ransomware, this can be seen even without special tools.

The 2nd part of .crypted reports that before Phobos the file was encrypted by another encryptor.

Thus, your file has been encrypted twice.
The .crypted extension is very common. If you find another note, it can be found out which encryptor was the first. This is necessary not for sporting interest or mere curiosity, but in order to exclude all possible ways of penetration into the system and methods of attack of your PC.

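The naming rule described in the post above, as an added example that is not part of the original posts or anyone's official tooling: a Python triage script that sorts file names into those carrying only the `.id[...].[...].<ext>` suffix and those that also carry an inner `.crypted` layer. The suffix pattern is generalized from the single file name in the thread, and the sample names and contact address are constructed.

```python
import re
from collections import defaultdict

# Suffix shape generalized from the single file name quoted in the thread
# (an assumption): <name>.id[<8 hex>-<4 digits>].[<contact>].<extension>
OUTER = re.compile(
    r"^(?P<inner>.+)\.id\[(?P<id>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<contact>.+?)\]\.(?P<ext>[^.\[\]\s]+)$"
)
# Extensions treated as the trace of an earlier encryptor. Only ".crypted"
# comes from the thread; extend the set to fit the case at hand.
EARLIER_LAYERS = (".crypted",)
CATEGORY = {(True, True): "layered", (True, False): "outer_only",
            (False, True): "earlier_only", (False, False): "unmarked"}


def classify(filename):
    """Return (category, details) for one file name, using the name only."""
    m = OUTER.match(filename)
    name = m.group("inner") if m else filename
    details = m.groupdict() if m else {}
    details.pop("inner", None)
    layer = next((e for e in EARLIER_LAYERS
                  if name.lower().endswith(e) and len(name) > len(e)), None)
    if layer:
        name = name[: -len(layer)]
    details.update(original=name, earlier_layer=layer)
    return CATEGORY[(m is not None, layer is not None)], details


def triage(filenames):
    """Group names by category so layered files can be investigated apart."""
    groups = defaultdict(list)
    for filename in filenames:
        category, details = classify(filename)
        groups[category].append(details["original"])
    return dict(groups)


# Constructed sample names; the contact address is a placeholder.
SAMPLE = [
    "marZo.xls.crypted.id[9EF7A78C-1023].[contact@example.invalid].actin",
    "TP GAF GAM manha-1.jpg.id[9EF7A78C-1023].[contact@example.invalid].actin",
    "report.doc.crypted",
    "notes.txt",
]

if __name__ == "__main__":
    for category, names in triage(SAMPLE).items():
        print(f"{category}: {names}")
```
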

Not all the files have been encrypted twice.

Below text received after the attack:

"!!! All of your files are encrypted !!!
To decrypt them send e-mail to this address: [email protected]
If we don't answer in 48h., send e-mail to this address: [email protected]
If there is no response from our mail, you can install the Jabber client and write to us in support of [email protected]"

 

Example of a picture name:

TP GAF GAM manha-1.jpg.id[9EF7A78C-1023].[[email protected]].actin

Please tell me that I can recover the encrypted files somehow...


@Antonio Felix

This is also text from Phobos Ransomware. You have already been told that there is no free decryptor for it.

Before Phobos, the files were encrypted by another encryptor.

One encryption overlaid another.


You need to check your PC and make sure that no Ransomware components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

You can use Emsisoft Anti-Malware Home (30 days for free) to scan your system, disks and be safe until you decide how to protect your PC and information on drives. Just do not remove the Quarantine, let the specialists from Emsisoft see it.
