Water Ransomware


.Water is a virus, member of the Phobos Ransomware family, which prevents users from access to the files they store on their computer. Through searching the hard drive of the infected device, .Water creates a list of files that are considered of great value and then encrypts them all so that a ransom can be demanded for their decryption.The .Water virus normally sneaks inside your PC without showing you any signs and without your knowledge. This Ransomware then starts to encrypt the files it considers to be the most important for you. Then, a message that appears on your monitor informs you that a ransom payment is requested to decrypt the encrypted files.

Files encrypted by Water ransomware (.water extension)
.Water ransomware encrypted files

Generally speaking, if we have to describe the term “ransomware”, it is used for software that is able to do something to your computer, and then demand a ransom to reverse it. There are various types of ransom-demanding threats such as screen-locking ransomware and mobile ransomware, but the file-encrypting one is probably the most popular and the most difficult to remove and deal with. 

Text in this ransom note and the “info.txt” file:

Unlocking your data is possible only with our software.
Important! An attempt to decrypt it yourself or decrypt it with third-party software will result in the loss of your data forever.
Contacting intermediary companies, recovery companies will create the risk of losing your data forever or being deceived by these companies. Being deceived is your responsibility! Learn the experience on the forums.
Write us to the e-mail: [email protected]
Write this ID in the title of your message –
If you have not contacted within 2 days from the moment of the incident, we will consider the transaction not completed. Your data will be sent to all interested parties. This is your responsibility.
People who you will find on the internet saying they can help you will try to scam you. Videos to youtube and other sites are fake so you shouldn’t believe it. Do not pay anyone who cannot provide an example proof files. Do not forward a payment to anyone with btc apart from us. You can get your exemplary proof file for free by contacting us with your company email.
Not a single file will be sent to any other email except the company one (This is a precaution in order to for you to not get scammed) Contacting any other third party or data rescue companies will create the risk of losing your data forever or you getting scammed by these firms. Getting scammed or not is up to you. Learn about the experiences of other people on the forums.
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
If you have not contacted within 2 days from the moment of the incident, we will consider the transaction not completed. Your data will be sent to all interested parties. This is your responsibility.
Don’t be afraid to contact us. Remember, this is the only way to recover your data.

.Water is a typical representative of the file-encrypting ransomware type. What a virus such as this one can do is it can sneak inside the machine, typically using a Trojan horse virus or some malicious component that the users have clicked on. It then checks the most commonly accessed data on all your hard drives. After that, the ransomware is ready to apply its encryption. Typically, you will receive a huge alert after the file encryption process is complete, and that alert will consist of a number of extra alerts from the hackers, ransom payment instructions and a deadline, after which the recovery of your files may not be possible.

The .Water virus

The .Water virus is a ransomware infection that is designed to generate income for its criminal creators through ruthless money extortion. What the .Water virus usually does to perform its agenda is it encrypts a variety of user files without the knowledge of the victims and then blackmails them to pay a ransom.

.Water virus ransomware text file (info.txt)
.Water virus ransomware ransom note

There may be many different ways to spread Ransomware. The malvertising method is probably the most popular one where the harmful ransomware virus can be spread through fake ads and legitimate-looking offers. You can get infected instantly by clicking on such an ad, but sadly, due to the fact that the ransomware operates without visible symptoms, you may not have a clue about the contamination. Threats like .Water could also be distributed via emails, along with a Trojan horse, or inside malicious attachments. You will automatically get the virus in them immediately after you download such an infected attachment or load a malicious file. Of course, there are other sources such as infected web pages, and platforms that stream videos and audios or distribute shareware.

The .Water file encryption

The .Water file encryption is a very malicious method that cyber criminals use to take user data hostage. The .Water file encryption is basically a process that converts a list of target user files into bits of data that cannot be opened or used in any way.

Nothing can guarantee that the encrypted files will ever be restored no matter what you do. That’s why, regardless of what you choose to do, your information will be at risk. That is why we warn you not to rush with the ransom payment immediately after the disclosure of the contamination. Seek first some other methods that can help you remove .Water and eventually save some of your files for free. Consult a person with experience in dealing with these issues, purchase a specialized program to decrypt your blocked data or try the manual instructions in the removal guide below.


Danger LevelHigh (Ransomware is by far the worst threat you can encounter)
SymptomsVery few and unnoticeable ones before the ransom notification comes up.
Distribution MethodFrom fake ads and fake system requests to spam emails and contagious web pages.
Detection Tool

Remove .Water Ransomware


Some of the steps will likely require you to exit the page. Bookmark it for later reference.

Reboot in Safe Mode (use this guide if you don’t know how to do it).



Press CTRL + SHIFT + ESC at the same time and go to the Processes Tab. Try to determine which processes are dangerous. 


Right click on each of them and select Open File Location. Then scan the files with our free online virus scanner:

Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
This scanner is free and will always remain free for our website's users.
This file is not matched with any known malware in the database. You can either do a full real-time scan of the file or skip it to upload a new file. Doing a full scan with 64 antivirus programs can take up to 3-4 minutes per file.
Drag and Drop File Here To Scan
Drag and Drop File Here To Scan
Analyzing 0 s
Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
    This scanner is based on VirusTotal's API. By submitting data to it, you agree to their Terms of Service and Privacy Policy, and to the sharing of your sample submission with the security community. Please do not submit files with personal information if you do not want them to be shared.

    After you open their folder, end the processes that are infected, then delete their folders. 

    Note: If you are sure something is part of the infection – delete it, even if the scanner doesn’t flag it. No anti-virus program can detect all infections.



    Hold the Start Key and R –  copy + paste the following and click OK:

    notepad %windir%/system32/Drivers/etc/hosts

    A new file will open. If you are hacked, there will be a bunch of other IPs connected to you at the bottom. Look at the image below:

    hosts_opt (1)


    If there are suspicious IPs below “Localhost” – write to us in the comments.

    Type msconfig in the search field and hit enter. A window will pop-up:



    Go in Startup —> Uncheck entries that have “Unknown” as Manufacturer.

    • Please note that ransomware may even include a fake Manufacturer name to its process. Make sure you check out every process here is legitimate.



    Type Regedit in the windows search field and press EnterOnce inside, press CTRL and F together and type the virus’s Name. 

    Search for the ransomware  in your registries and delete the entries. Be extremely careful –  you can damage your system if you delete entries not related to the ransomware.

    Type each of the following in the Windows Search Field:

    1. %AppData%
    2. %LocalAppData%
    3. %ProgramData%
    4. %WinDir%
    5. %Temp%

    Delete everything in Temp. The rest just check out for anything recently added. Remember to leave us a comment if you run into any trouble!



    How to Decrypt .Water files

    We have a comprehensive (and daily updated) guide on how to decrypt your files. Check it out here.

    If the guide doesn’t help, download the anti-virus program we recommended or try our free online virus scanner. Also, you can always ask us in the comments for help!

    About the author


    Lidia Howler

    Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

    Leave a Comment