What is G-STARS Ransomware?


G-STARS Ransomware, also known as Phobos, is a malicious program that falls under the category of ransomware. This type of malware is designed to encrypt data on the victim's system and then demand payment from the victim in exchange for the decryption key.

Security researchers came across G-STARS (Phobos) ransomware while analyzing new submissions to the VirusTotal site. When this ransomware infects a machine, it encrypts files and alters their names. Each original filename is appended with a unique victim ID, the email address of the cybercriminals, and the ".G-STARS" extension. For example, a file initially named "1.jpg" would appear as "1.jpg.id[9ECFA84E-3442].[support.antimalware@onionmail.com].G-STARS". The ransomware then creates ransom notes in both a text file ("info.txt") and a pop-up window ("info.hta").
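The renaming scheme described above is useful to a responder, because the victim ID and contact address are embedded in every encrypted filename and can be pulled out of a plain directory listing without touching the malware. The following Python script is an added example written for this article, not code from the original page or from any vendor tool: it parses Phobos-style names of the form `<name>.id[<ID>].[<e-mail>].<extension>`, flags the ransom note filenames named in the article, and summarizes a listing so the victim ID, attacker contact and extension can be recorded as indicators. The regular expression, the `triage_listing` helper and the sample listing (the second encrypted file, its path and the benign files) are constructed for illustration; only the "1.jpg" example name comes from the article.

```python
import re
from collections import Counter

# Regex for the Phobos/G-STARS renaming scheme described in the article:
#   <original name>.id[<8 hex chars>-<4 hex chars>].[<contact e-mail>].<extension>
# Pattern is an assumption based on that description, not vendor-verified.
PHOBOS_NAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>[^\]]+@[^\]]+)\]"
    r"\.(?P<ext>[A-Za-z0-9_-]+)$"
)

# Ransom note filenames the article reports for this variant.
RANSOM_NOTE_NAMES = {"info.txt", "info.hta"}


def parse_encrypted_name(filename):
    """Return the parsed fields for a Phobos-style filename, or None if it does not match."""
    m = PHOBOS_NAME_RE.match(filename)
    return m.groupdict() if m else None


def triage_listing(paths):
    """Summarize a directory listing: encrypted files, ransom notes, and the IDs,
    contact addresses and extensions seen, so they can be logged as indicators."""
    summary = {
        "encrypted": [],
        "notes": [],
        "victim_ids": Counter(),
        "contacts": Counter(),
        "extensions": Counter(),
    }
    for path in paths:
        base = path.rsplit("/", 1)[-1]          # listing uses forward slashes (assumption)
        if base.lower() in RANSOM_NOTE_NAMES:
            summary["notes"].append(path)
            continue
        parsed = parse_encrypted_name(base)
        if parsed is None:
            continue                            # untouched or unrelated file
        summary["encrypted"].append(path)
        summary["victim_ids"][parsed["victim_id"].upper()] += 1
        summary["contacts"][parsed["contact"].lower()] += 1
        summary["extensions"][parsed["ext"]] += 1
    return summary


# Constructed sample listing: the first name is the article's example; the rest
# are made up to show a note, a second encrypted document and untouched files.
SAMPLE_LISTING = [
    "1.jpg.id[9ECFA84E-3442].[support.antimalware@onionmail.com].G-STARS",
    "C:/Users/alice/Documents/report.docx.id[9ECFA84E-3442].[support.antimalware@onionmail.com].G-STARS",
    "C:/Users/alice/Documents/info.txt",
    "C:/Users/alice/Pictures/photo.jpg",
    "C:/Users/alice/Documents/notes.id.txt",
]

if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    print(f"encrypted files: {len(result['encrypted'])}, ransom notes: {len(result['notes'])}")
    print("victim IDs :", dict(result["victim_ids"]))
    print("contacts   :", dict(result["contacts"]))
    print("extensions :", dict(result["extensions"]))
```

Run over a real listing (for example the output of `dir /s /b` exported from the affected host), the counters give a quick sense of scope, and a single victim ID across all files is what one would expect from one Phobos execution; more than one ID or contact address suggests repeated or separate infections and is worth noting in the incident record.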

G-STARS Ransomware ransom note

The ransom notes left by G-STARS (Phobos) provide similar information. They inform the victim that their files have been encrypted and instruct them to contact the attackers using multiple communication methods. Additionally, the notes claim that sensitive information from the compromised network, such as employee and client data, financial details, and manufacturing documents, has been exfiltrated. The attackers threaten to increase the ransom and leak the stolen content if the victim delays contacting them. They also warn against renaming the encrypted files or using third-party recovery tools, as it may render the data undecryptable.

The note reads as follows:

Hello my dear friend. All your files have been encrypted!


Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted. The only method of recovering files is to purchase decrypt tool and unique key for you.
If you want to recover your files, write us to this e-mail: support.antimalware@onionmail.com In case of no answer in 24 hours write us to this e-mail:support.antimalware@msgden.com
Our online operator is available in the messenger Telegram: @Files_decrypt or hxxps://t.me/Files_decrypt
If there is no response from our mail, you can install ICQ software on your PC here hxxps://icq.com/windows/ or on smartphone from Appstore / Google Play Market search for "ICQ"
Write to our ICQ @Ransomware_Decrypt hxxps://icq.im/Ransomware_Decrypt/ Or download the (Session) messenger (hxxps://getsession.org) in messenger: 0569a7c0949434c9c4464cf2423f66d046e3e08654e4164404b1dc23783096d313
You have to add this ID - and we will complete our converstion.
Or download the Tox Chat (hxxps://tox.chat/download.html') in messenger: C20A4B4AC30BBF70E7F2340FC0F97B08FA58B6E041557ABBF29EAF82FED0C47D79239FA26B51 You must add this ID 9ECFA84E-3442and write to us.


Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly.

Your Data
Sensitive data on your system was DOWNLOADED.
If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly.


Data includes:
Employees personal data, CVs, DL, SSN.
Complete network map including credentials for local and remote services.
Private financial information including: clients data, bills, budgets, annual reports, bank statements.
Manufacturing documents including: datagrams, schemas, drawings in solidworks format
And more...


Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
We are always ready to cooperate and find the best way to solve your problem.
The faster you write - the more favorable conditions will be for you.
Our company values its reputation. We give all guarantees of your files decryption.

Based on extensive research on ransomware, it is generally difficult to decrypt files without the attackers' assistance. Even if the ransom is paid, victims may not receive the decryption keys or tools, making data recovery uncertain. Paying the ransom also supports illegal activities, so it is not recommended.

Prevention and Removal of G-STARS Ransomware

To prevent further encryptions by G-STARS (Phobos) ransomware, it is essential to eliminate it from the operating system. However, removal will not restore already compromised files. The only reliable solution is to recover the data from a backup if one was created beforehand and stored elsewhere. It is highly advisable to maintain backups in multiple locations, such as remote servers and unplugged storage devices, to ensure data safety.

Ransomware, including G-STARS (Phobos), is often distributed through phishing and social engineering tactics. Common methods include drive-by downloads, malicious attachments and links in spam emails, online scams, malvertising, dubious download sources, illegal program activation tools, and fake updates. Some ransomware can also self-spread via local networks and removable storage devices.

These malicious programs can be disguised as ordinary files, such as executables, archives, documents, JavaScript, and more. Once a virulent file is opened, the infection chain is initiated, leading to the download and installation of the ransomware on the victim's system.

In conclusion, G-STARS Ransomware, or Phobos, is a dangerous threat that encrypts files and demands a ransom for their decryption. It is crucial to take preventive measures like keeping backups in multiple locations and being cautious while interacting with emails, downloads, and websites to avoid falling victim to such malware.

August 4, 2023