Juan, posted April 4, 2019: Hi team, one of my servers was infected with ransomware (contact address wallyredd@aol.com, file extension .phoenix). Do you know the best tool or the best way to remove it and decrypt the files? The version is ESET Remote Administration version 6.5. Thanks.
Marcos (Administrator), posted April 4, 2019: Please attach the ransomware note here.
Juan (thread author), posted April 7, 2019: Phoenix Ransomware description: "When the Phoenix Ransomware was first mentioned amongst security researchers, the Trojan was still in development. Researchers found the threat while digging through reports submitted to Google's VirusTotal platform and browsing the Dark Web. Samples recovered from those reports provided threat investigators with the executable to analyze, and they reveal interesting facts. The Phoenix Ransomware appears to be in development at the time of writing. However, the Phoenix Ransomware is compact in size and can be deployed via spam emails as a file with a double extension, which may easily pass as a simple invoice." Sources: https://www.enigmasoftware.com/phoenixransomware-removal/ and https://www.pcrisk.com/removal-guides/10829-phoenix-ransomware. Attachment: infected.rar
Juan (thread author), posted April 9, 2019: Hi team, do you have any answer? Thanks.
itman, posted April 9, 2019: If the pcrisk.com article you previously linked is correct and Phoenix ransomware is a Hidden Tear variant, did you try the Avast decrypter mentioned in the article? Also, bleepingcomputer.com has a decrypter for Hidden Tear ransomware variants: https://www.bleepingcomputer.com/download/hidden-tear-decrypter/
Marcos (Administrator), posted April 9, 2019, quoting Juan ("Do you have any answer?"): Unfortunately, you attached encrypted files, not the ransomware note that I asked for.
itman, posted April 9, 2019: I would also take anything posted at pcrisk.com "with a grain of salt." Here they state that your ransomware strain is Phobos: https://www.pcrisk.com/removal-guides/14258-phobos-ransomware
itman, posted April 9, 2019 (edited April 9, 2019 by itman): Based on this: https://twitter.com/demonslay335/status/1114195895837503490 , I would say we are looking at Phobos ransomware. There is no decrypter available for Phobos. Phobos usually asks for a 6000 bitcoin payment in the ransomware note.
Juan (thread author), posted April 15, 2019: Hi team, thanks for the help. We managed to get a backup and installed everything anew.