Juan (0) Posted April 4, 2019: Hi team, one of my servers was infected with ransomware, wallyredd@aol.com, extension phoenix. Do you know the best tool or the way to delete and decrypt the files? The version is ESET Remote Administrator version 6.5. Thanks.
Marcos (Administrators, 5,408) Posted April 4, 2019: Please attach the ransomware note here.
Juan (0, Author) Posted April 7, 2019: Phoenix Ransomware Description. When the Phoenix Ransomware was first mentioned amongst security researchers, the Trojan was still in development. Researchers found the threat while digging in reports submitted to Google's VirusTotal platform and going on the Dark Web. Samples recovered from reports provided threat investigators with the executable to analyze, and they reveal interesting facts. The Phoenix Ransomware appears to be in development at the time of writing this. However, the Phoenix Ransomware is compact in size and can be deployed with spam emails as a file with a double extension, which may pass as a simple invoice easily. https://www.enigmasoftware.com/phoenixransomware-removal/ https://www.pcrisk.com/removal-guides/10829-phoenix-ransomware File attached: infected.rar
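The quoted description above names the delivery trick (a spam attachment with a double extension such as an "invoice" that is really an executable). As an added example that is not part of this thread and not ESET code, the script below flags attachment names where a document-like extension is immediately followed by an executable one; the sample file names are constructed, and the two extension sets are assumptions chosen for illustration, not an exhaustive list.

```python
import re

# Constructed sample attachment names (not taken from the thread).
SAMPLE_NAMES = [
    "invoice_2019-04.pdf",
    "invoice_2019-04.pdf.exe",
    "report.docx",
    "scan.jpg.scr",
    "photo.jpeg",
    "archive.tar.gz",
]

# Assumed extension sets for this example; extend to match local policy.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "pif", "hta"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt", "rtf"}

# Matches "<name>.<inner>.<outer>" and captures the last two extensions.
DOUBLE_EXT = re.compile(r"^.+\.([A-Za-z0-9]+)\.([A-Za-z0-9]+)$")


def is_disguised_executable(name: str) -> bool:
    """Return True when the file name looks like a document but ends in an executable extension."""
    match = DOUBLE_EXT.match(name)
    if match is None:
        return False
    inner, outer = match.group(1).lower(), match.group(2).lower()
    return outer in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS


def flag_attachments(names):
    """Return the subset of names that should be quarantined for review, in input order."""
    return [n for n in names if is_disguised_executable(n)]


if __name__ == "__main__":
    for flagged in flag_attachments(SAMPLE_NAMES):
        print("review before opening:", flagged)
```

The check deliberately ignores legitimate compound extensions such as .tar.gz because only the combination document-extension plus executable-extension is treated as suspicious; a mail gateway or endpoint policy can use the same rule to quarantine the attachment rather than deliver it.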
itman (1,790) Posted April 9, 2019: If the pcrisk.com article you previously linked is correct and Phoenix ransomware is a Hidden Tear variant, did you try the Avast decrypter mentioned in the article? Also, bleepingcomputer.com has a decrypter for Hidden Tear ransomware variants: https://www.bleepingcomputer.com/download/hidden-tear-decrypter/
Marcos (Administrators, 5,408) Posted April 9, 2019, replying to Juan ("Do you have any answer?"): Unfortunately, you attached encrypted files, not the ransomware note that I asked for.
itman (1,790) Posted April 9, 2019: I would also take anything posted at pcrisk.com "with a grain of salt." Here they state your ransomware strain is Phobos: https://www.pcrisk.com/removal-guides/14258-phobos-ransomware
itman (1,790) Posted April 9, 2019: Based on this: https://twitter.com/demonslay335/status/1114195895837503490 , I would say we are looking at Phobos ransomware. There is no decrypter available for Phobos. Phobos usually asks for 6000 bitcoin payment in the ransomware note. Edited April 9, 2019 by itman
Juan (0, Author) Posted April 15, 2019: Hi team, thanks for the help, we managed to get a backup and installed everything new.