.phoenix Ransomware - How to remove

The Phoenix cryptovirus is a version of the Phobos ransomware. Phoenix encrypts and renames files before demanding money for unlocking and restoring them. This illegal extortion by Phoenix has been happening since around April of 2019. Even though Phoenix is relatively new, its developers might have been active since 2017 or even earlier, extorting money from their desperate victims.

What Phoenix looks like

After the Phoenix cryptovirus has combed through a computer, most popular file formats (pictures, documents, spreadsheets) will have been locked and become unusable. The encrypted file names vary between the different variants of Phoenix, but they have the same format:

filename.extension.id[random symbols-number].[email address].phoenix

For example, a file that was named cat.jpg before the encryption could be named something like cat.jpg.id[A84ER457-1004].[[email protected]].phoenix afterward.

A ransom note named info.txt is created. It carries a. message from Phoenix’s developers:

!!! All of your files are encrypted !!!
To decrypt them send e-mail to this address: [email protected].
If we don’t answer in 48h., send e-mail to this address: [email protected]
If there is no response from our mail, you can install the Jabber client and write to us in support of [email protected]

The email addresses in the ransom note might be different. A variety of addresses are provided with all the different variants of Phoenix:

• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]

One of these email addresses, [email protected], is shared by another ransomware virus from the same family, Frendi. Both Frendi and Phoenix are considered Phobos variants, and you can find more details about Phobos in its article. These cryptoviruses have a lot of similarities with the Dharma ransomware. Take a look — even the ransom note (info.hta) is the same. There’s a lot of bolded text on a light-gray background. It starts with “All your files have been encrypted!” and then provides the email addresses to contact the extortionists. A few sections with a purple background give more details, like how to get Bitcoins.

Bitcoins would be needed to pay for the files being unlocked. The ransom is decided by the people behind Phoenix and depends on the target, but can be at least a few thousand dollars. Additionally, people sometimes have the price raised during the email exchanges. The replies often take a couple of days to come, and sometimes the letters start bouncing, the email address stops working. Even if you were willing to deal with criminals and had the money to spare, it’s still not worth trying to buy decryption from them, as the chance that everything will go smoothly and quickly is low.

How Phoenix infects computers

Remote Desktop makes servers, computers vulnerable to ransomware infections. Intruders might connect by to brute-forcing the credentials, using stolen credentials that they got in phishing attacks, or abusing security bugs, like the recently patched one which would have allowed people to run code without even logging in.

After breaking into the computer, the extortionists behind Phoenix install software that should cripple antivirus programs before starting the encryption process. It doesn’t always run smoothly, Phoenix might even experience some errors, but it will likely encrypt at least some of the files.

To avoid a Phoenix attack, the Remote Desktop connection should not be exposed than it needs to be, and accounts should have limited privileges. Login credentials should be difficult to guess, and should never be leaked. Phishing is usually done through emails, so it’s important to recognize the red flags before any passwords are exposed.

A lot of other ransomware infections spread through malicious email attachments and links, suspicious freeware bundles, and pirated software, but the recipient needs to actually open the infected file or link in order to infect the computer.

How to remove Phoenix

It’s important to remove all the malware. Ransomware is unlikely to be distributed alone, and the virus does not always delete itself, so it’s important to scan the computers and remove any malware that’s found. Spyhunter, other strong antivirus programs could do the job.

Phoenix used hybrid cryptography to make sure that the encryption isn’t broken. No free decryptor is available, but it might be worth to save the files and wait to see. The decryption keys could be leaked in the future, though that’s very unlikely.

Unless you noticed the encryption and interrupted it, the System Restore and Shadow Copies will probably be gone from the encrypted computer. But if backups are safe, they can be used to replace the encrypted files. The other ways to restore the encrypted files are listed in the guide below, and though they are not guaranteed to work, they’re probably worth trying.

Automatic Malware removal tools

How to recover .phoenix Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before .phoenix Ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of .phoenix Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to .phoenix Ransomware. You can check other tools here.  

Step 3. Restore .phoenix Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually .phoenix Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover .phoenix Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.