Everything You Need to Know About Phoenix Ransomware

How Phoenix ransomware works

Phoenix is a ransomware strain built on Hidden Tear, the well-known open-source ransomware project. Once it has infiltrated a system, it encrypts the victim's files with the AES-256 encryption algorithm. In most cases it renames each affected file by appending the R.i.P extension: a file saved as sample.jpg becomes sample.jpg.R.i.P. At the same time, Phoenix drops a text file containing the ransom demand. This note is usually placed on the desktop and may be named Important!.txt.

The ransom note left by Phoenix is usually shorter than those of other ransomware families. It typically states that all files have been encrypted and that the user can restore them only after paying in Bitcoin. It is important to understand that AES-256 is a symmetric encryption algorithm: the data cannot be decrypted without the unique key that was used to encrypt it. The developers usually keep that secret key on a remote server, so victims are pressured into paying to regain access to their files.
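The two indicators described above (the appended R.i.P extension and the Important!.txt note) are enough for a first-pass triage of a suspect machine or a restored backup image. The following script is an added example written for this article, not code from the original post or from the ransomware itself; it builds a small constructed directory tree in a temporary folder, walks it, lists files that carry the Phoenix extension, recovers the original file names by stripping that extension, and flags the tree as a likely Phoenix hit only when the ransom note and at least one renamed file are both present. The sample files and their contents are placeholders constructed for the demo.

```python
import tempfile
from pathlib import Path

# Indicators taken from the article: encrypted files gain the ".R.i.P"
# extension and a ransom note named "Important!.txt" lands on the desktop.
ENCRYPTED_SUFFIX = ".R.i.P"
RANSOM_NOTE_NAME = "Important!.txt"


def triage_tree(root):
    """Walk `root` and return a dict with sorted lists of suspected encrypted
    files and ransom notes, plus a map from each encrypted path back to the
    original file name (paths are reported relative to `root`, POSIX style)."""
    root = Path(root)
    report = {"encrypted": [], "notes": [], "originals": {}}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == RANSOM_NOTE_NAME:
            report["notes"].append(rel)
        elif path.name.endswith(ENCRYPTED_SUFFIX):
            report["encrypted"].append(rel)
            # Phoenix appends the suffix, so stripping it yields the original name.
            report["originals"][rel] = rel[: -len(ENCRYPTED_SUFFIX)]
    report["encrypted"].sort()
    report["notes"].sort()
    return report


def is_likely_phoenix_hit(report, min_encrypted=1):
    """Both indicators together are a stronger signal than either alone:
    a stray note without renamed files, or renamed files without a note,
    deserves a closer look but is not flagged here."""
    return bool(report["notes"]) and len(report["encrypted"]) >= min_encrypted


def build_sample_tree(base):
    """Constructed sample tree: a 'Desktop' holding the note and one renamed
    file, a 'Documents' folder with one renamed and one untouched file."""
    desktop = Path(base) / "Desktop"
    docs = Path(base) / "Documents"
    desktop.mkdir(parents=True)
    docs.mkdir(parents=True)
    (desktop / RANSOM_NOTE_NAME).write_text("constructed ransom note placeholder\n")
    (desktop / "sample.jpg.R.i.P").write_bytes(b"\x00constructed ciphertext")
    (docs / "report.docx.R.i.P").write_bytes(b"\x00constructed ciphertext")
    (docs / "untouched.txt").write_text("still plaintext\n")
    return base


def demo():
    """Build the constructed tree in a temp dir, triage it, and return
    the report together with the hit verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = triage_tree(tmp)
        return report, is_likely_phoenix_hit(report)


if __name__ == "__main__":
    report, hit = demo()
    for encrypted in report["encrypted"]:
        print(f"encrypted: {encrypted} -> original name {report['originals'][encrypted]}")
    print("ransom notes:", report["notes"])
    print("likely Phoenix infection:", hit)
```

Run it against a real path by calling `triage_tree("/path/to/mounted/image")` instead of `demo()`. Recovering the original name only tells you what a file used to be called; the content remains AES-256 ciphertext, which is exactly why the article stresses backups as the recovery path.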

How Phoenix ransomware infects computers

Phoenix ransomware usually spreads via HiddenTear infection sources, browser hijackers, spam email messages, and infected software bundles downloaded from untrusted P2P networks or websites. Experts advise against downloading anything at random from the internet, since it may carry viruses or ransomware. Do not click links in unsolicited emails, and do not download unexpected or unwanted email attachments. Untrusted files can lead to system infection and pose a serious threat to your stored data.

How to get rid of Phoenix ransomware?

Manual threat removal is usually a complicated and lengthy process that requires advanced computer skills. The guide below can help you remove Phoenix ransomware quickly and return the system to proper working order. Here we explain how to remove the ransomware from your system using the System Restore method:

  • First, log in to the account that is infected by the Phoenix virus. Get a trusted anti-spyware program, start a full system scan, and remove all detected entries.
  • While the computer is starting up, press the F8 key repeatedly until the screen displays a menu of boot options. Choose Safe Mode with Command Prompt and press Enter.
  • As soon as the command prompt window opens, type cd restore and hit Enter.
  • Now enter rstrui.exe and hit Enter again.
  • A new window will open; click Next.
  • Choose an available restore point, preferably one created right before the ransomware attack, and hit Next.
  • Restore your system to the chosen earlier date and then click OK in the window.

If the above steps do not help, you can try this ransomware removal guide, which offers more removal options as well as some file decryption tips.

How to protect from ransomware?

  • Back up your data regularly.
  • Don't open attachments that come from untrusted sources.
  • Keep your browser secured.
  • Keep track of software updates and install them promptly.
  • Use strong, complex passwords.


John Dee is a Mac addict with a strong background in analyzing and combating security threats to the Macintosh ecosystem. John runs MacSecurity.net website specializing in malware research, software reviews, and groundbreaking industry news. It is his firm belief that underestimating Mac malware is like ignoring the elephant in the room. In his day-to-day work, John focuses on identifying new electronic perils potent enough to create ripples on the Mac security arena. On top of that, he is particularly enthusiastic about implementing effective countermeasures to fend off these menaces.
