Phantom ransomware is file-encrypting malware that holds files hostage, adds the .phantom file extension, and demands payment to recover them.
Phantom ransomware, also known as PhantomChina ransomware, is malware that encrypts files. Based on the ransom note, it appears that Phantom malware primarily targets Chinese-speaking users. However, it could also infect computers all over the world. It’s a fairly typical ransomware that spreads via the usual methods, encrypts files and then demands that victims pay for their decryption. Users can recognize that it’s Phantom ransomware present on their computers by the extension .phantom (e.g. image.jpg.phantom) added to the encrypted files.
Once files become encrypted, users will be unable to open them. The only way to decrypt them would be to use the decryption tool offered by the cyber criminals operating this ransomware. They offer the tool in the ransom note !How_To_Decrypt_My_File_ 如何 解密 的 的 文件.hta but do not specify how much victims need to pay. The note only mentions that the price depends on how quickly victims write to them. It’s likely that the price will be somewhere between $100 and $500. Whatever the requested sum is, we do not recommend paying. Paying does not guarantee file decryption: there have been plenty of users who received broken decryption tools, or did not receive one at all.
Malware researchers do release free decryptors to help users recover files without paying the ransom, but it’s not a guarantee. Not all malware is decryptable, but if a decryptor were to be released, it would become available on NoMoreRansom. Since this is a relatively new ransomware, a free decryption tool is yet to be released. The only sure way to recover files is via backup. However, users should take care to first remove Phantom ransomware and only then access backup. Otherwise, backed up files may become encrypted as well.
Ransomware distribution methods
Phantom ransomware uses the typical distribution methods, including spam email, torrents, fake update notifications, and malicious ads. Developing good browsing habits could help users avoid the majority of malware.
Spam emails are one of the most common ways ransomware is distributed. Cyber criminals purchase email addresses leaked from old data breaches, and proceed to launch a spam campaign that spreads ransomware. Malicious files are attached to emails that try to resemble important emails sent by legitimate companies or government organizations. Commonly, the emails claim that opening the attached file is highly important as it contains a document users need to review. However, while those emails try to appear like some kind of official correspondence, they do a very poor job at it. They’re full of grammar and spelling mistakes, make little sense, and generally seem off. It’s highly recommended to scan all unsolicited email attachments with anti-virus software or VirusTotal before opening them.
Users can also pick up various malware by downloading from torrents. Torrent sites are poorly regulated, meaning cyber criminals can easily disguise malware as legitimate torrents for popular movies, TV series, games, software, etc. Using torrents to download copyrighted content is not only stealing, it’s also dangerous, as malware could be lurking.
Installing updates is also very important: they patch known vulnerabilities that malware can use to get in. It’s recommended to turn on automatic updates whenever possible.
Can you recover Phantom encrypted files
As soon as PhantomChina ransomware is initiated, it will start encrypting the files users would find most valuable. That includes photos, videos, documents, etc. All encrypted files will have the .phantom file extension added to them. For example, “image.jpg” would become “image.jpg.phantom”. The extension added to encrypted files often helps users identify exactly which ransomware they are dealing with. Once files have been encrypted, a ransom note !How_To_Decrypt_My_File_ 如何 解密 的 的 文件.hta is dropped. The note explains that files have been encrypted and that paying the ransom is necessary to recover them. As we said above, the note does not specify how much users would need to pay, only that the price will be determined by how quickly victims message these cyber criminals.
This is the ransom note:
If you want to restore them, write us to the e-mail: firstname.lastname@example.org
Write this Your ID in the body of your message
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption test as guarantee !
Integrity is our principle!
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)
Do not rename encrypted files !
Do not try to decrypt your data using third party software, it may cause permanent data loss !
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam !
Because there are no guarantees that files will be decrypted, paying the ransom is never recommended. Users should not forget that they are dealing with cyber criminals who care very little whether victims recover their files.
Unfortunately, currently the only way to recover files is via backup. Users who backed up their files prior to infection can start file recovery as soon as they delete Phantom ransomware fully. Users who do not have a backup should back up the encrypted files and wait for a free decryption tool to become available.
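The two indicators described above (the appended .phantom extension and the dropped .hta note) are enough to triage a suspected infection and to build the list of original file names that need to be matched against a backup. The script below is an added example written for this article, not code from the article's author or from the malware itself. It only reads directory listings and never modifies files; the infected directory layout it scans is constructed in a temporary directory, and the ransom-note file name is taken from the article as printed.

```python
"""Triage helper for a suspected Phantom ransomware infection (added example).

Walks a directory tree, identifies files carrying the ".phantom" extension,
locates the ransom note, and reports the original file names so the affected
files can be restored from backup. Read-only: nothing on disk is changed.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Union

ENCRYPTED_EXT = ".phantom"
# Ransom note file name as printed in the article; matched on its ASCII
# prefix plus the .hta extension so spacing differences do not matter.
NOTE_NAME = "!How_To_Decrypt_My_File_ 如何 解密 的 的 文件.hta"
NOTE_PREFIX = "!How_To_Decrypt_My_File_"
NOTE_SUFFIX = ".hta"


def is_encrypted_file(path: Union[str, os.PathLike]) -> bool:
    """True if the file carries the extension Phantom appends."""
    return Path(path).suffix.lower() == ENCRYPTED_EXT


def original_name(path: Union[str, os.PathLike]) -> str:
    """Strip the appended extension: 'image.jpg.phantom' -> 'image.jpg'."""
    name = Path(path).name
    return name[:-len(ENCRYPTED_EXT)] if is_encrypted_file(path) else name


def is_ransom_note(path: Union[str, os.PathLike]) -> bool:
    """True if the file name matches the dropped Phantom note."""
    name = Path(path).name
    return name.startswith(NOTE_PREFIX) and name.lower().endswith(NOTE_SUFFIX)


def triage(root: str) -> dict:
    """Scan `root` recursively and summarise the Phantom indicators found."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            if is_encrypted_file(p):
                encrypted.append(p)
            elif is_ransom_note(p):
                notes.append(p)
    # Which original file types were hit (.jpg, .docx, ...), for the report.
    by_type = Counter(Path(original_name(p)).suffix.lower() or "(none)"
                      for p in encrypted)
    return {
        "encrypted_count": len(encrypted),
        "ransom_notes": sorted(str(n) for n in notes),
        "affected_types": dict(by_type),
        "originals": sorted(original_name(p) for p in encrypted),
        # Both indicators together point at this family; either alone is weaker.
        "likely_phantom": bool(encrypted) and bool(notes),
    }


def build_sample_tree(root: str) -> None:
    """Create a constructed directory layout imitating an infected host."""
    docs = Path(root) / "Documents"
    pics = Path(root) / "Pictures"
    docs.mkdir(parents=True)
    pics.mkdir(parents=True)
    # Encrypted files: placeholder bytes standing in for ciphertext.
    (pics / "image.jpg.phantom").write_bytes(b"\x00" * 16)
    (docs / "report.docx.phantom").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.phantom").write_bytes(b"\x00" * 16)
    # A file the ransomware left untouched.
    (docs / "readme.txt").write_text("not encrypted")
    # The ransom note dropped alongside the encrypted files.
    (docs / NOTE_NAME).write_text("<html></html>")


def demo() -> dict:
    """Build the constructed sample tree and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real volume, `triage("/path/to/volume")` yields the count of encrypted files, the note locations and the original names; the `originals` list is what to check against the backup after the infection has been removed, and `affected_types` shows at a glance which kinds of user data were targeted.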
Phantom ransomware removal
Users need to use anti-malware software to remove Phantom ransomware. Manual Phantom ransomware removal could do even more damage if users do not know what they are doing, as ransomware is a complex infection. Once the malware is no longer present, victims can proceed to file recovery.