ACTOR ransomware

ACTOR ransomware is malware that belongs to Phobos cryptovirus family

Actor ransomware
Actor ransomware is file locking virus that belongs to Phobos family

ACTOR ransomware is a files virus that was first spotted in May 2019, although numerous variants were released after that, each of which is providing different contact addresses. The virus belongs to the family of Phobos ransomware, and usually is injected manually after a successful RDP attack.[1] Upon infiltration, ACTOR ransomware scans the machine for encryptable files, such as pictures, music, videos, documents, etc., and locks them with a secure AES encryption[2] algorithm.

From that point, none of the data on the local and networked drives are accessible. Likewise, each of the files receives a marker – .actor, although there is also the victim’s ID and the associated email added after the original name of the file. For example, a locked file would look as follows: picture.jpg.[6R741B00-2224].[[email protected]].actor. Typically, the virus also drops two ransom notes – a brief one info.txt and Info.hta, which explains to victims how to proceed next in order to retrieve the ACTOR ransomware decryption tool.

As it is typical with Phobos variants, ACTOR virus does not provide ransom amount, and users are urged to contact hackers via email to negotiate the payment in Bitcoin. However, contacting cybercriminals is not recommended, as there is a chance of being scammed.

Name ACTOR ransomware
Type Cryptovirus, file locking malware
Family Phobos
Main targets Malware primary targets public entities and companies by utilizing poorly protected RDP connections
File extension Each of the non-system and non-executable files receive .actor appendix. However, Phobos is known to use more complicated file name modifications, which consist of an ID and a contact email
Ransom note

Two ransom notes are placed on the desktop and each of the infected files folders: info.txt and Info.hta


There has been multiple Actor virus variants released, and they provide the following contact emails:

File decryption  There is no decryption tool available, so the only safe way to retrieve data is via backups. However, it is worth trying using third-party recovery software if there is are no backups available. Paying criminals is risky, as there is no guarantee that they will send a working ACTOR ransomware decryptor
Malware removal  Employ reputable anti-malware software to get rid of ransomware. Accessing Safe Mode with Networking can be useful as well, as malware might be programmed to hinder its removal
System recovery If you experience system crashes or errors after malware elimination, use PC repair software Reimage Reimage Cleaner  

Since ACTOR ransomware is a variant of Phobos, it is very likely that its main targets are public companies that are accessed via poorly protected or unprotected Remote Desktop ports. Once hackers break-in, they can install malware manually, as well as perform other actions as required (for example, they can disable security solutions altogether). 

Many ransomware viruses might self delete after encryption is performed. However, there is no guarantee for that, so it is important to check the computer with anti-malware software. Note that ACTOR ransomware might be spread with the help of a backdoor, which might be able to perform other malicious functions, such as keystroke logging. Thus, make sure you pick a reliable anti-malware software to remove ACTOR ransomware promptly. Currently, multiple AVs recognize the virus as follows:[3]

  • Trojan.Ransom.Phobos.E
  • Win/malicious_confidence_80% (W)
  • Trojan:Win32/Tiggre!rfn
  • A Variant Of Win32/Injector.EGEN
  • Artemis!C622680D31E3
  • HEUR:Trojan-PSW.Win32.Agent.gen, etc.

Once the system is infected, the Actor virus attempts to delete Shadow Volume Copies and disable System restore features. Additionally, the malware also modifies the Windows registry to increase its persistence. As a result, restoring encrypted data becomes much more complicated.

Data encryption process renders all personal files useless, and victims are presented with a ransom note which explains:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected]
Write this ID in the title of your message 
In case of no answer in 24 hours write us to this e-mail:[email protected]
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

We suggest you do not agree to fulfill hackers’ demands and instead try alternative data redemption methods. While Phobos ransomware family is still not decryptable, there is a possibility that security researchers might discover vulnerabilities within the code and release a free ACTOR ransomware decryptor in the future.

Note that, before you perform ACTOR ransomware removal, you should first backup all your encrypted data, as the process might damage it beyond repair. Then access Safe Mode with Networking and scan your machine with anti-malware software. Finally, to remediate the Windows system, we suggest using Reimage Reimage Cleaner .

Protect yourself from getting infected with ransomware

Malware developers are sophisticated individuals who chose to use their intelligence for malicious deeds. For that reason, they always seek ways to improve the malware and infect as many victims as possible to have a chance at a bigger payout from the victims. In most of the cases, hackers use several ransomware distribution methods, although some groups choose to stick to one or two.

Currently, ransomware that targets organizations is mostly being imported via targeted phishing emails or RDP attacks. Because threat actors can ask companies for larger ransom sums, they are willing to put in the effort to dig up the required credentials or contact as well as the names of the employees.

Regardless of what malware developers choose as their primary malware distribution method, companies (as well as regular computer users) can repel malware attacks by following these simple security tips from industry experts:[4]

  • Implement and comprehensive security software with real-time protection feature;
  • Always install the latest Windows and other software updates as soon as they are out;
  • Protect the Remote Desktop services wit ha strong password and never use default TCP/UDP port 3389;
  • Prepare and maintain data backups;
  • Do not open spam email attachments that ask you to enable macro feature;
  • Watch out for hyperlinks inside suspicious emails;
  • Never download pirated software or keygens/cracks/loaders, etc.;
  • use strong passwords for all your accounts.

Get rid of ACTOR ransomware

You should not rush ACTOR ransomware removal, as it might permanently damage all your files located on the local and networked drives. Thus, before you do anything, you should first copy all the encrypted data to the external HDD, USB stick, or a remote cloud server. Once that is done, you should then perform a full system scan with anti-malware software, such as SpyHunter 5Combo Cleaner or Malwarebytes. If that does not work, it might be that the ransomware is tampering with the anti-malware program. In such a case, access Safe Mode with Networking and perform a full scan from there.

Once you remove ACTOR ransomware, you can then attempt to recover your data. As we explained before, without paying hackers, chances of restoring encrypted files are relatively low. However, it does not mean you should pay criminals, as you might end up losing not only your files but also your money. Instead, you could try our methods provided below.

Reimage Reimage Cleaner has a free limited scanner. Reimage Reimage Cleaner offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

Remove ACTOR using Safe Mode with Networking

Access Safe Mode with networking if your anti-malware software is not working properly due to the ransomware infection:

  • Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8

    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Log in to your infected account and start the browser. Download Reimage Reimage Cleaner or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete ACTOR removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove ACTOR using System Restore

System Restore can also be used in order to delete the malicious files from the system:

Bonus: Recover your data

Guide which is presented above is supposed to help you remove ACTOR from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by ACTOR, you can use several methods to restore them:

You can try using Data Recovery Pro for data restoration

If you did not use your PC much after the infection, you might be able to restore at least some portion of your files with Data Recovery Pro.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by ACTOR ransomware;
  • Restore them.

Windows Previous Versions feature might work

This method will only work if you had System Restore feature enabled.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Make use of ShadowExplorer

ShadowExplorer might recover all your files encrypted by ACTOR ransomware, as long as Shadow Volume Copies were not deleted during the infection process.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryption tool is currently available

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from ACTOR and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner , SpyHunter 5Combo Cleaner or Malwarebytes

This entry was posted on 2019-12-20 at 11:56 and is filed under Ransomware, Viruses.