Phantom Ransomware Decryptor
Our security research and response division has designed a specialized decryptor for Phantom ransomware, a variant built upon the open-source Hidden Tear framework. According to its ransom note, the strain encrypts files with AES-256 and protects the per-victim key with RSA-2048; every encrypted file is renamed by appending the “.Phantom” extension. Whether a given build can actually be decrypted depends on how that build generates and handles its keys, which is why the process below starts with a proof-of-concept on sample files rather than with a blanket promise.
The decryptor is engineered to:
- Examine encrypted samples safely within an isolated forensic sandbox,
- Identify the exact Phantom build and the victim-specific identifiers it uses, and
- Restore encrypted data through a verified and controlled decryption sequence while generating detailed integrity and audit logs.
It runs in either a cloud-assisted mode (faster, and scales to large file sets) or an offline/air-gapped mode (for high-security or government networks). Every run begins with read-only validation, so no evidence is altered before recovery begins.
How the Phantom Decryptor Works
Once encrypted samples and ransom notes are submitted, our decryptor begins with variant mapping: it inspects the encrypted file headers, the structure of the encryption routine, and the key-handling logic of the particular Hidden Tear build that produced them.
If the build matches one already catalogued, our analysts run a Proof-of-Concept (PoC) decryption on a few small test files. Only after the PoC output is verified against the expected plaintext does full recovery proceed, under controlled conditions and with logs that can be handed to auditors and insurers. The PoC result, not the vendor's capability claim, is what determines whether full recovery is feasible.
Requirements for operation:
- Original ransom notes (readme.txt or info.hta)
- Two to five encrypted file copies (with .Phantom extension); small files are best, and if an unencrypted copy of the same file survives elsewhere (an e-mail attachment, an old backup), include it so the PoC decryption can be checked against a known original
- Administrative access on a secure recovery host
- Optional internet connection (cloud-assisted) or offline analysis environment
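What the read-only intake step looks like in practice, as an added example rather than the vendor's decryptor or anything from the Hidden Tear code base: it inventories the submitted .Phantom files, hashes them, checks that their content is genuinely high-entropy (encrypted, not merely renamed), and pulls the Victim ID out of the ransom note so that samples from different hosts are not mixed into one case. The eight-hex-digit ID format is taken from the readme.txt excerpt further down this page; the 7.0 bits/byte entropy cut-off, the helper names and the sample tree written by build_sample_tree() are assumptions constructed here for the demonstration, not real Phantom output.

```python
"""Read-only intake triage for a suspected Phantom infection.

Added example, not the vendor's decryptor. It inventories .Phantom files,
hashes them, checks that they are actually high-entropy (encrypted rather
than merely renamed) and pulls the Victim ID out of readme.txt/info.hta.
Evidence is only ever opened for reading. The sample tree produced by
build_sample_tree() is constructed here for the dry run and is not real
malware output; the 8-hex-digit ID format and the 7.0 bits/byte entropy
cut-off are assumptions, not documented Phantom properties.
"""
import hashlib
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

PHANTOM_EXT = ".Phantom"
NOTE_NAMES = {"readme.txt", "info.hta"}
# Pattern taken from the note excerpt on this page ("write your ID: 9ECFA84E").
VICTIM_ID_RE = re.compile(r"\bID:\s*([0-9A-Fa-f]{8})\b")
ENTROPY_THRESHOLD = 7.0  # assumed cut-off for "looks like ciphertext"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks, opened read-only so evidence is untouched."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def extract_victim_id(note_text: str) -> Optional[str]:
    m = VICTIM_ID_RE.search(note_text)
    return m.group(1).upper() if m else None


def triage(root: Path, sample_bytes: int = 4096) -> dict:
    """Walk root without writing anything and return an inventory."""
    encrypted, notes, victim_ids = [], [], set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            if name.endswith(PHANTOM_EXT):
                with p.open("rb") as f:
                    ent = shannon_entropy(f.read(sample_bytes))
                encrypted.append({
                    "path": rel,
                    "original_name": name[: -len(PHANTOM_EXT)],
                    "size": p.stat().st_size,
                    "sha256": sha256_file(p),
                    "entropy": round(ent, 3),
                    # Low entropy means the file was renamed, not encrypted,
                    # and must not be fed to a decryptor.
                    "looks_encrypted": ent >= ENTROPY_THRESHOLD,
                })
            elif name.lower() in NOTE_NAMES:
                vid = extract_victim_id(p.read_text(errors="replace"))
                if vid:
                    victim_ids.add(vid)
                notes.append({"path": rel, "sha256": sha256_file(p),
                              "victim_id": vid})
    return {
        "encrypted_files": encrypted,
        "ransom_notes": notes,
        "victim_ids": sorted(victim_ids),
        # More than one ID means samples from different hosts or campaigns
        # were mixed; each ID has to be handled as a separate case.
        "consistent_victim_id": len(victim_ids) == 1,
    }


def build_sample_tree(root: Path) -> None:
    """Write a constructed sample tree (not real Phantom output)."""
    docs = root / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "readme.txt").write_text(
        "ALL YOUR VALUABLE DATA WAS ENCRYPTED!\n"
        "In subject line write your ID: 9ECFA84E\n")
    # Random bytes stand in for ciphertext.
    (docs / "report.docx.Phantom").write_bytes(os.urandom(8192))
    # A file that was only renamed: low entropy, must be flagged.
    (docs / "notes.txt.Phantom").write_bytes(b"A" * 8192)


def demo() -> dict:
    """Build the sample tree in a scratch directory and triage it."""
    root = Path(tempfile.mkdtemp(prefix="phantom_triage_"))
    build_sample_tree(root)
    return triage(root)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run it against a copy of the evidence, never the original volume, and keep the JSON it prints with the case file: the hashes are what let a later audit show that the samples handed to the decryptor are the ones that were collected.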
Immediate Steps to Take After Detecting Phantom Ransomware
Act quickly and systematically to maximize data recovery potential.
- Disconnect and isolate all affected machines from LANs, Wi-Fi, VPNs, and shared drives to stop the ransomware's spread. Pull the network, but do not power machines off yet if you intend to capture their memory.
- Preserve all encrypted files and ransom notes in their original form — do not rename, delete, or modify them. Work from forensic copies and hash everything you collect.
- Capture volatile memory before any reboot or shutdown, if possible. The running process may still hold the AES key or other encryption artifacts that are valuable for decryption analysis and are lost the moment the machine powers down.
- Gather forensic evidence, including antivirus logs, Windows event records, firewall activity, proxy logs, and any suspicious timestamps. Pull event logs from a central collector or SIEM where one exists, since this family is reported to clear local event logs.
- Engage specialists immediately. Do not contact the attackers at @Decryptor_run (Telegram) or [email protected]. Communications with threat actors should only occur through verified professionals.
How to Restore Files Encrypted by Phantom
Free Recovery Methods
Recover from Offline or Immutable Backups
Offline or cloud-isolated backups remain the safest way to restore data. Before restoring, verify backup integrity through checksum validation or by mounting snapshots in a secure sandbox, and confirm the backup predates the infection. Phantom ransomware may destroy or encrypt any backup that was reachable from the infected host, so a backup that was mapped as a share at the time of the attack should be treated as suspect until checked.
Use Hypervisor Snapshots
If your virtualized environment (e.g., VMware or Hyper-V) maintains pre-infection snapshots, revert to those versions after confirming they have not been altered, and quarantine the reverted guest until you have confirmed the infection vector is closed, or the restored system will simply be re-encrypted.
Paid and Specialized Recovery Methods
Professional Decryptor Service
Our decryptor service starts with a PoC decryption on a few small files to prove capability. Once validated, full recovery takes place in a monitored, logged, and forensically verified environment.
Ransom Payment (last resort)
While some victims have opted to pay, there is no guarantee the criminals will supply a functioning decryptor. Payments often support further cybercrime. Consider this step only after consulting legal advisors and your cyber-insurance provider.
How to Use Our Phantom Decryptor — Step-by-Step
Assess the Infection
Check for the .Phantom extension and verify the presence of ransom notes named readme.txt or info.hta.
Secure the Environment
Disconnect compromised systems from the internet and shared resources to halt further encryption.
Engage Our Recovery Team
Send a few encrypted samples and the ransom notes for variant confirmation. Our analysts will assess the case and provide an estimated recovery timeline.
Run Our Decryptor
Start the Phantom Decryptor as an administrator for optimal results. Internet access is necessary only for cloud verification; offline mode is available when required.
Enter Your Victim ID
Locate the unique Victim ID within the ransom note (in the readme.txt excerpt below it appears after “In subject line write your ID:”) and input it into the decryptor to associate your encryption session. If different machines show different IDs, treat each as a separate case.
Start the Decryptor
Initiate the process and let the tool restore your data to its original state while automatically generating proof-of-integrity logs for auditing.
Inside Phantom Ransomware
Overview
Phantom ransomware is a Hidden Tear-based crypto-malware family that, by its own ransom note, encrypts file contents with AES-256 and protects the key with RSA-2048. Encrypted files receive the .Phantom suffix (e.g., photo.jpg.Phantom).
Behavior
After execution, Phantom encrypts most common file formats — including office documents, PDFs, photos, databases, and media archives. It drops two ransom notes: a plain text file (readme.txt) and an HTML Application pop-up (info.hta). Victims are told to contact attackers through Telegram @Decryptor_run or email [email protected] and are offered free decryption of a few small files as proof of authenticity (the readme.txt says two files, the info.hta says up to five under 4 MB in total).
Distribution Methods
The malware typically infiltrates via phishing emails, malicious attachments, pirated or cracked software, fake update prompts, and exploit kits. It can also propagate through infected USB drives, torrent sites, and drive-by downloads from compromised web pages.
Name, File Extension & Ransom Notes
Name: Phantom
Encrypted File Extension: .Phantom
Ransom Notes: readme.txt and info.hta
Excerpt from info.hta (popup window)
ALL YOUR VALUABLE DATA WAS ENCRYPTED!
due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected]
Write this ID in the title of your message:-
Faster support Write Us To The ID-Telegram:@Decryptor_run (hxxps://t.me/Decryptor_run)
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information.
How to obtain Bitcoins
The easiest way to buy bitcoins is via the LocalBitcoins website. Register, click ‘Buy bitcoins’, and select a seller by payment method and price.
Alternatively, find other places to buy Bitcoins and a beginners guide here:
http://www.coindesk.com
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software; it may cause permanent data loss.
Decryption using third parties may result in increased price (they add their fee) or you may become a victim of a scam.
Excerpt from readme.txt:
ALL YOUR VALUABLE DATA WAS ENCRYPTED!
All your files were encrypted with strong crypto algorithm AES-256 + RSA-2048.
Please be sure that your files are not broken and you can restore them today.
If you really want to restore your files please write us to the e-mails:
Faster support Write Us To The ID-Telegram: @Decryptor_run (hxxps://t.me/Decryptor_run)
In subject line write your ID: 9ECFA84E
Important! Please send your message to all of our 3 e-mail addresses. This is really important because of delivery problems of some mail services!
Important! If you haven’t received a response from us within 24 hours, please try to use a different email service (Gmail, Yahoo, AOL, etc).
Important! Please check your SPAM folder each time you wait for our response! If you find our email in the SPAM folder please move it to your Inbox.
Important! We are always in touch and ready to help you as soon as possible!
Attach up to 2 small encrypted files for free test decryption. Please note that the files you send us should not contain any valuable information. We will send you test decrypted files in our response for your confidence.
Of course you will receive all the necessary instructions how to decrypt your files!
Important!
Please note that we are professionals and just doing our job!
Please do not waste time and do not try to deceive us – it will result only in a price increase!
We are always open for dialogue and ready to help you.
IOCs, Detections & Technical Artifacts
Detection Names (by Major Security Vendors):
- Avast → Win32:MalwareX-gen [Misc]
- Combo Cleaner → Generic.Ransom.Hiddentear.A.8BD56EEA
- ESET NOD32 → A Variant Of MSIL/Filecoder.BNN
- Kaspersky → HEUR:Trojan-Ransom.MSIL.Spora.gen
- Microsoft → Ransom:Win32/Paradise.BC!MTB
Confirmed Indicators:
- File extension .Phantom
- Ransom notes readme.txt & info.hta
- Communication through Telegram @Decryptor_run and email [email protected]
- Victim ID example: 9ECFA84E
Behavioral Characteristics:
- Encrypts multiple file categories: documents, databases, and media files.
- Drops ransom notes into each encrypted folder.
- Displays a persistent info.hta pop-up at startup.
- Deletes Windows shadow copies to block restoration.
- Writes registry keys for persistence and auto-note display.
Tactics, Techniques & Procedures (TTPs)
- Initial Access: via phishing emails, trojanized downloads, malicious cracks, or fake software updates.
- Execution: encrypts files using AES-256, wraps keys with RSA-2048, and appends the .Phantom extension.
- Persistence: edits Windows registry for startup and ransom-note execution.
- Defense Evasion: deletes shadow copies, disables recovery utilities, and clears system event logs.
- Impact: encrypts vital user and business data, demands Bitcoin payment, and disrupts recovery mechanisms.
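The behaviours in the list above map onto event telemetry most Windows estates already collect. The following is an added detection example, not the vendor's tooling and not derived from a Phantom sample: it runs rules for shadow-copy deletion, a Run-key value that launches an .hta, the same ransom-note name being created across many folders, and event-log clearing over Sysmon-shaped records. The command-line patterns, the registry path, the MITRE ATT&CK labels and the three-folder threshold are assumptions about how the listed behaviour usually appears in telemetry, and SAMPLE_EVENTS is constructed here rather than captured from an incident.

```python
"""Detection rules for the Phantom behaviours listed in the TTPs above.

Added example, not vendor code and not a Phantom sample analysis. It runs
over simplified Sysmon/Security event records shaped like the fields
Sysmon emits (EventID 1 process create, 11 file create, 13 registry value
set; Security 1102 audit log cleared). The command lines, registry paths
and thresholds are assumptions about how the listed behaviour typically
shows up in telemetry, not strings extracted from Phantom; SAMPLE_EVENTS
is constructed here, not captured from an incident.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

NOTE_NAMES = {"readme.txt", "info.hta"}
# Common ways of deleting shadow copies (T1490); the page only says
# "deletes Windows shadow copies", so the tool Phantom uses is not known here.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog)", re.I)
LOG_CLEAR = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
NOTE_DIR_THRESHOLD = 3  # assumed: a note in >=3 folders on one host is a mass drop


def detect(events):
    """Return a list of alert dicts for the Phantom-style behaviours."""
    alerts = []
    note_dirs = defaultdict(set)  # host -> folders a ransom note landed in

    def alert(rule, host, evidence):
        alerts.append({"rule": rule, "host": host, "evidence": evidence})

    for ev in events:
        host, chan, eid = ev.get("host", "?"), ev.get("channel"), ev.get("event_id")
        if chan == "Sysmon" and eid == 1:
            cmd = ev.get("command_line", "")
            if SHADOW_DELETE.search(cmd):
                alert("T1490 shadow copy deletion", host, cmd)
            if LOG_CLEAR.search(cmd):
                alert("T1070.001 event log clearing", host, cmd)
        elif chan == "Sysmon" and eid == 13:
            target, details = ev.get("target_object", ""), ev.get("details", "")
            # Run-key value whose data launches an .hta: the page's
            # "persistent info.hta pop-up at startup".
            if RUN_KEY.search(target) and ".hta" in details.lower():
                alert("T1547.001 Run key launches .hta", host, f"{target} = {details}")
        elif chan == "Sysmon" and eid == 11:
            path = PureWindowsPath(ev.get("target_filename", ""))
            if path.name.lower() in NOTE_NAMES:
                note_dirs[host].add(str(path.parent).lower())
        elif chan == "Security" and eid == 1102:
            alert("T1070.001 audit log cleared", host, "Security EventID 1102")

    for host, dirs in note_dirs.items():
        # One readme.txt in a project folder is normal; the same note name
        # created across many folders is the ransomware writing its note per folder.
        if len(dirs) >= NOTE_DIR_THRESHOLD:
            alert("T1486 ransom note dropped per folder", host, f"{len(dirs)} folders")
    return alerts


SAMPLE_EVENTS = [  # constructed records, not captured telemetry
    {"host": "WS01", "channel": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "channel": "Sysmon", "event_id": 13,
     "target_object": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001"
                      r"\Software\Microsoft\Windows\CurrentVersion\Run\note",
     "details": r"C:\Users\alice\AppData\Roaming\info.hta"},
    {"host": "WS01", "channel": "Sysmon", "event_id": 11,
     "target_filename": r"C:\Users\alice\Documents\readme.txt"},
    {"host": "WS01", "channel": "Sysmon", "event_id": 11,
     "target_filename": r"C:\Users\alice\Pictures\readme.txt"},
    {"host": "WS01", "channel": "Sysmon", "event_id": 11,
     "target_filename": r"C:\Users\alice\Desktop\info.hta"},
    {"host": "WS01", "channel": "Security", "event_id": 1102},
    # Benign activity on another host: listing shadows and a single readme.txt.
    {"host": "WS02", "channel": "Sysmon", "event_id": 1,
     "command_line": "vssadmin.exe list shadows"},
    {"host": "WS02", "channel": "Sysmon", "event_id": 11,
     "target_filename": r"C:\Users\bob\Projects\tool\readme.txt"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The shadow-copy and log-clearing rules fire on the first matching event, since a single such command is already abnormal for a workstation; the ransom-note rule is deliberately counted per host so that one readme.txt in a source tree does not page anyone. Because the family is reported to clear local logs, these rules only help if Sysmon and Security events are forwarded off the host as they occur.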
Victim Landscape — Geographic and Sector Overview
Regions impacted, affected sectors and infection timeline: [charts not reproduced in this text version]
Conclusion
Phantom ransomware is a Hidden Tear derivative that adds RSA-wrapped keys to the framework's AES file encryption and spreads through the phishing, cracked-software and fake-update channels described above. To mitigate damage:
- Immediately isolate infected systems and preserve all evidence.
- Use verified decryption services that demonstrate proof-of-concept recovery.
- Avoid ransom payments whenever possible.
- Strengthen defense with patch management, MFA, phishing awareness, and offline backup enforcement (3-2-1 model).
Do not experiment with unknown decryptors found online — they may worsen file damage or implant additional malware. Always coordinate through trusted professionals, legal advisors, and law enforcement.