Threat Database Ransomware Phoenix Ransomware

Phoenix Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 33
First Seen: December 7, 2016
Last Seen: July 23, 2020
OS(es) Affected: Windows

When the Phoenix Ransomware was first mentioned amongst security researchers, the Trojan was still in development. Researchers found the threat while digging in reports submitted to the Google's VirusTotal platform and going on the Dark Web. Samples recovered from reports provided threat investigators with the executable to analyze, and they reveal interesting facts. The Phoenix Ransomware appears to be in development at the time of writing this. However, the Phoenix Ransomware is compact in size and can be deployed with spam emails as a file with a double extension, which may pass as a simple invoice easily.

The Phoenix Ransomware is Raised from the Hidden Tear Source Code

The researcher Utku Sen published an educational crypto-threat on the Github platform, which was used by threat actors to develop threats like the KimcilWare Ransomware and the HappyLocker Ransomware. The same source code is the basis for the Phoenix Ransomware, which is equipped with a customized AES-256 cipher and can lock data on removable drives as well. The initial version of the Phoenix Ransomware is designed to encipher files stored in the default user library and is known to target the data containers in the following formats:


The authors of the Phoenix Ransomware seem to strive to lock vaults used by software designed to keep your passwords safe, as well as commonly used data containers for text, video, audio and databases. While the danger of infection with the Phoenix Ransomware remains persistent, it is wise to keep a backup vault linked to your account. Investigators alert that brute force attacks cannot break the encryption by the Phoenix Ransomware and you should set up a backup manager. The Phoenix Ransomware is known to add the '.R.i.P' extension to modified objects. Thus, an object such as '5 billion joules of lightning.pptx' is encoded to '5 billion joules of lightning.pptx.R.i.P.' We did not find a correlation to the RIP Ransomware apart from the similar markers in use by the Trojans. The ransom message that comes with the Phoenix Ransomware lands on the PC as 'Important!.txt' and reads:

'All your files has been encrypted with strong AES-256 ciphers
Send 0.2 BTC to this address: [34 random characters]
Once you make your payment send a message in this email address:'

Contact with is not Recommended

Computer users are not advised to write to because the team behind the Phoenix Ransomware is not likely to provide a decryptor for free and may not deliver one at all. Experts recommend users perform a data recovery using backup images, archives and older versions of their files. Building backups often would ensure your data remains intact when there is a power surge, a threat attack or your drive is corrupted. Make sure you are not using files that could be accessed by the Phoenix Ransomware when you restore your data structure. PC users can remove the Phoenix Ransomware with the help of a trusted anti-malware utility that has a good record of dealing with encryption Trojans.

Related Posts


Most Viewed