[URL=https://www.hybrid-analysis.com/sample/2ad9911e932291547af58d0cb504b4fffd861ba819746908f5adf08fb9484d4d]https://www.hybrid-analysis.com/sample/2ad9911e932291547af58d0cb504b4fffd861ba819746908f5adf08fb9484...[/URL]

готово.

[URL=https://www.virustotal.com/gui/file/a2a4bdcec36d216fd92b9c4d784f0db11929ccd59f93713b0c51d58a8e51cd1b/detection]https://www.virustotal.com/gui/file/a2a4bdcec36d216fd92b9c4d784f0db11929ccd59f93713b0c51d58a8e51cd1b...[/URL]

Изначальная записка выше, далее пришел такой ответ:

Decoding Files 0,7 btc tommorow 0,9 btc - 1 PC =From 3 PC-price negotiable pay in Bitcoin (BTC) translation at the expense of Bitcoin 33PeMvvFuRvy5FUdcB3jwJoWHKfkmf3AqA
Buy Bitcoin here [URL=https://localbitcoins.com]https://localbitcoins.com[/URL] or [URL=https://www.buybitcoinworldwide.com/find-exchange/]https://www.buybitcoinworldwide.com/find-exchange/[/URL] or [URL=https://www.coinbase.com]https://www.coinbase.com[/URL] or [URL=https://www.xmlgold.eu]https://www.xmlgold.eu[/URL] or any other exchanger or write to Google how to buy Bitcoin in your country?
in order to guarantee the availability of our key we can decrypt one file for free the size of the files <1 mb, doc.docx.xls.xlsx.pdf.jpg.bmp.txt file format other formats will not be free decryption after payment you will receive a program how many computers do you have encrypted ?
what country are you from ?

each decryption key is worth the money. no money, no transcript

we also offer service to you. full of advice for protecting against attacks? - the price of 0.1 BTC and remember our work is very hard. and it requires a lot of time and costs.

If there is no response from our mail, you can install the Jabber client and write to us in support of [URL=mailto:[email protected]][email protected][/URL] or [URL=mailto:[email protected]][email protected][/URL]

Приложил 2 закодированных и 2 оригинальных файла.

Файл из карантина  на Virus total отправил.
Что дальше?

Добрый день. Поймали шифровальщика phoenix/phobos. Видимо через rdp.
Есть ли возможность расшифровать?

все файлы имеют вид  -

xxx.yyy.id[много цифр].[[URL=mailto:[email protected]][email protected][/URL]].phoenix

на диске с файл с текстом:

!!! All of your files are encrypted !!!
To decrypt them send e-mail to this address: [URL=mailto:[email protected]][email protected][/URL].
If we don't answer in 24h., send e-mail to this address: [URL=mailto:[email protected]][email protected][/URL]
If there is no response from our mail, you can install the Jabber client and write to us in support of [URL=mailto:[email protected]][email protected][/URL]