EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
80 % (High)
December 7, 2016
July 23, 2020
When the Phoenix Ransomware was first mentioned among security researchers, the Trojan was still in development. Researchers found the threat while digging through reports submitted to Google's VirusTotal platform and while browsing the Dark Web. Samples recovered from those reports gave threat investigators an executable to analyze, and it revealed some interesting facts. The Phoenix Ransomware appears to still be in development at the time of writing. However, the Phoenix Ransomware is compact in size and can be deployed via spam emails as a file with a double extension, which may easily pass for a simple invoice.
The Phoenix Ransomware is Raised from the Hidden Tear Source Code
The researcher Utku Sen published an educational crypto-threat, Hidden Tear, on the GitHub platform, which threat actors used to develop threats like the KimcilWare Ransomware and the HappyLocker Ransomware. The same source code is the basis for the Phoenix Ransomware, which is equipped with a customized AES-256 cipher and can also lock data on removable drives. The initial version of the Phoenix Ransomware is designed to encipher files stored in the default user library and is known to target data containers in the following formats:
.TXT, .DOC, .DOCX, .XLS, .XLSX, .PPT, .PPTX, .ODT, .JPG, .PNG, .SQL, .MDB, .SLN, .PHP, .ASP, .ASPX, .HTML, .XML, .PSD, .INF, .CS, .VB, .CSPROJ, .VBPROJ, .K2P.
The authors of the Phoenix Ransomware appear to target the vaults used by password-management software, as well as commonly used data containers for text, video, audio and databases. While the risk of infection with the Phoenix Ransomware persists, it is wise to keep a backup vault linked to your account. Investigators warn that brute-force attacks cannot break the encryption used by the Phoenix Ransomware, so you should set up a backup manager. The Phoenix Ransomware is known to append the '.R.i.P' extension to the objects it modifies. Thus, a file such as '5 billion joules of lightning.pptx' becomes '5 billion joules of lightning.pptx.R.i.P'. We did not find a link to the RIP Ransomware beyond the similar markers used by the two Trojans. The ransom message that comes with the Phoenix Ransomware lands on the PC as 'Important!.txt' and reads:
'All your files has been encrypted with strong AES-256 ciphers
Send 0.2 BTC to this address: [34 random characters]
Once you make your payment send a message in this email address: firstname.lastname@example.org'
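The indicators above (the '.R.i.P' marker, the 'Important!.txt' note and the documented target list) are enough for a quick post-incident triage of a file system. The script below is an added example for this page, not EnigmaSoft's or the malware author's code; the sample paths are constructed, and the marker is matched case-sensitively, exactly as the page gives it.

```python
import os
from collections import Counter

# Indicators as described on the page
PHOENIX_MARKER = ".R.i.P"
RANSOM_NOTE = "Important!.txt"
TARGETED_EXTENSIONS = {
    ".TXT", ".DOC", ".DOCX", ".XLS", ".XLSX", ".PPT", ".PPTX", ".ODT", ".JPG",
    ".PNG", ".SQL", ".MDB", ".SLN", ".PHP", ".ASP", ".ASPX", ".HTML", ".XML",
    ".PSD", ".INF", ".CS", ".VB", ".CSPROJ", ".VBPROJ", ".K2P",
}

def original_name(filename):
    """Return the pre-encryption filename if the Phoenix marker is appended, else None."""
    if filename.endswith(PHOENIX_MARKER) and len(filename) > len(PHOENIX_MARKER):
        return filename[: -len(PHOENIX_MARKER)]
    return None

def triage_paths(paths):
    """Classify file paths (Windows or POSIX style) by the Phoenix indicators."""
    result = {"encrypted": [], "ransom_notes": [], "by_extension": Counter(), "untargeted": []}
    for path in paths:
        filename = path.replace("\\", "/").rsplit("/", 1)[-1]
        if filename == RANSOM_NOTE:
            result["ransom_notes"].append(path)
            continue
        original = original_name(filename)
        if original is None:
            continue
        result["encrypted"].append(path)
        # Take the extension from the original name: splitext on the marked name would yield '.P'
        ext = os.path.splitext(original)[1].upper()
        result["by_extension"][ext] += 1
        if ext not in TARGETED_EXTENSIONS:  # hit outside the documented list: worth a closer look
            result["untargeted"].append(path)
    return result

def scan_directory(root):
    """Walk a real directory tree and triage every file found."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage_paths(paths)

# Constructed sample paths, not real incident data
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\5 billion joules of lightning.pptx.R.i.P",
    r"C:\Users\alice\Documents\budget.xlsx.R.i.P",
    r"C:\Users\alice\Documents\passwords.k2p.R.i.P",
    r"C:\Users\alice\Documents\Important!.txt",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Desktop\notes.md.R.i.P",
]

if __name__ == "__main__":
    report = triage_paths(SAMPLE_PATHS)
    print(f"{len(report['encrypted'])} encrypted file(s), {len(report['ransom_notes'])} ransom note(s)")
    print("by original extension:", dict(report["by_extension"]))
    print("outside the documented target list:", report["untargeted"])
```

Run `scan_directory(r"C:\Users")` on an affected host to get the same report for real paths; files flagged as outside the documented list tell you the sample at hand targets more than the version described here.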
Contact with Dj.email@example.com is not Recommended
Computer users are advised not to write to firstname.lastname@example.org, because the team behind the Phoenix Ransomware is unlikely to provide a decryptor for free and may not deliver one at all. Experts recommend that users recover their data from backup images, archives and older versions of their files. Making backups regularly ensures your data remains intact after a power surge, a malware attack or drive corruption. Make sure no files that the Phoenix Ransomware could still reach are in use when you restore your data. PC users can remove the Phoenix Ransomware with a trusted anti-malware utility that has a good record of dealing with encryption Trojans.