phoenix Removal Guide

What is phoenix

The phoenix cryptovirus is a version of the Phobos ransomware. phoenix encrypts and renames files before demanding money for unlocking and restoring them. This illegal extortion by phoenix has been happening since around April of 2019. Even though phoenix is relatively new, its developers might have been active since 2017 or even earlier, extorting money from their desperate victims.

What phoenix looks like

After the phoenix cryptovirus has combed through a computer, most popular file formats (pictures, documents, spreadsheets) will have been locked and become unusable. The encrypted file names vary between the different variants of phoenix, but they have the same format: For example, a file that was named cat.jpg before the encryption could be named something like afterward.

phoenix Removal Guide

A ransom note named info.txt is created. It carries a. Message from phoenix’s developers: The email addresses in the ransom note might be different. A variety of addresses are provided with all the different variants of phoenix:

Download Removal Toolto remove phoenix

One of these email addresses,, is shared by another ransomware virus from the same family, Frendi. Both Frendi and phoenix are considered Phobos variants, and you can find more details about Phobos in its article. These cryptoviruses have a lot of similarities with the Dharma ransomware. Take a look — even the ransom note (info.hta) is the same. There’s a lot of bolded text on a light-gray background. It starts with “All your files have been encrypted!†and then provides the email addresses to contact the extortionists. A few sections with a purple background give more details, like how to get Bitcoins.

Bitcoins would be needed to pay for the files being unlocked. The ransom is decided by the people behind phoenix and depends on the target, but can be at least a few thousand dollars. Additionally, people sometimes have the price raised during the email exchanges. The replies often take a couple of days to come, and sometimes the letters start bouncing, the email address stops working. Even if you were willing to deal with criminals and had the money to spare, it’s still not worth trying to buy decryption from them, as the chance that everything will go smoothly and quickly is low.

How phoenix infects computers

Remote Desktop makes servers, computers vulnerable to ransomware infections. Intruders might connect by to brute-forcing the credentials, using stolen credentials that they got in phishing attacks, or abusing security bugs, like the recently patched one which would have allowed people to run code without even logging in. After breaking into the computer, the extortionists behind phoenix install software that should cripple antivirus programs before starting the encryption process. It doesn’t always run smoothly, phoenix might even experience some errors, but it will likely encrypt at least some of the files.

Download Removal Toolto remove phoenix

To avoid a phoenix attack, the Remote Desktop connection should not be exposed than it needs to be, and accounts should have limited privileges. Login credentials should be difficult to guess, and should never be leaked. Phishing is usually done through emails, so it’s important to recognize the red flags before any passwords are exposed.

A lot of other ransomware infections spread through malicious email attachments and links, suspicious freeware bundles, and pirated software, but the recipient needs to actually open the infected file or link in order to infect the computer.

How to remove phoenix

It’s important to remove all the malware. Ransomware is unlikely to be distributed alone, and the virus does not always delete itself, so it’s important to scan the computers and remove any malware that’s found. Anti-Malware Tool, Anti-Malware Tool, other strong antivirus programs could do the job. phoenix used hybrid cryptography to make sure that the encryption isn’t broken. No free decryptor is available, but it might be worth to save the files and wait to see. The decryption keys could be leaked in the future, though that’s very unlikely.

Unless you noticed the encryption and interrupted it, the System Restore and Shadow Copies will probably be gone from the encrypted computer. But if backups are safe, they can be used to replace the encrypted files. The other ways to restore the encrypted files are listed in the guide below, and though they are not guaranteed to work, they’re probably worth trying.

Stage 1: Delete Browser Extension

First of all, we would recommend that you check your browser extensions and remove any that are linked to phoenix. A lot of adware and other unwanted programs use browser extensions in order to hijacker internet applications.

Remove phoenix Extension from Google Chrome

  1. Launch Google Chrome.
  2. In the address bar, type: chrome://extensions/ and press Enter.
  3. Look for phoenix or anything related to it, and once you find it, press ‘Remove’.

Uninstall phoenix Extension from Firefox

  1. Launch Mozilla Firefox.
  2. In the address bar, type: about:addons and press Enter.
  3. From the menu on the left, choose Extensions.
  4. Look for phoenix or anything related to it, and once you find it, press ‘Remove’.

Delete phoenix Extension from Safari

  1. Launch Safari.
  2. Press on the Safari Settings icon, which you can find in the upper-right corner.
  3. Select Preferences from the list.
  4. Choose the Extensions tab.
  5. Look for phoenix or anything related to it, and once you find it, press ‘Uninstall’.
  6. Additionally, open Safari Settings again and choose Downloads.
  7. If phoenix.safariextz appears on the list, select it and press ‘Clear’.

Remove phoenix Add-ons from Internet Explorer

  1. Launch Internet Explorer.
  2. From the menu at the top, select Tools and then press Manage add-ons.
  3. Look for phoenix or anything related to it, and once you find it, press ‘Remove’.
  4. Reopen Internet Explorer.In the unlikely scenario that phoenix is still on your browser, follow the additional instructions below.
  5. Press Windows Key + R, type appwiz.cpl and press Enter
  6. The Program and Features window will open where you should be able to find the phoenix program.
  7. Select phoenix or any other recently installed unwanted entry and press ‘Uninstall/Change’.

Alternative method to clear the browser from phoenix

There may be cases when adware or PUPs cannot be removed by simply deleting extensions or codes. In those situations, it is necessary to reset the browser to default configuration. In you notice that even after getting rid of weird extensions the infection is still present, follow the below instructions.

Use Chrome Clean Up Tool to Delete phoenix

  1. Launch Google Chrome.
  2. In the address box, type: chrome://settings/ and press Enter.
  3. Expand Advanced settings, which you can find by scrolling down.
  4. Scroll down until you see Reset and Cleanup.
  5. Press on Clean up computer. Then press Find.

This Google Chrome feature is supposed to clear the computer of any harmful software. If it does not detect phoenix, go back to the Clean up computer and reset settings.

Reset Mozilla Firefox to Default

If you still find phoenix in your Mozilla Firefox browser, you should be able to get rid of it by restoring your Firefox settings to default. While extensions and plug-ins will be deleted, this will not touch your browser history, bookmarks, saved passwords or Internet cookies.

Download Removal Toolto remove phoenix
  1. Launch Mozilla Firefox
  2. Into the address box, type: about:support and press Enter.
  3. You will be redirected to a Troubleshooting Information page.
  4. From the menu on the right side, select Refresh Firefox.
  5. Confirm your choice by clicking Refresh Firefox in the new window.
  6. Your browser will close automatically in order to successfully restore the settings.
  7. Press Finish.

Reset Safari Browser to Normal Settings

  1. Launch Safari.
  2. Press on the Safari Settings icon, which you can find in the upper-right corner.
  3. Press Reset Safari.
  4. A new window will appear. Select the boxes of what you want to reset or use the screenshot below to guide you. Once you have selected everything, press ‘Reset’.
  5. Restart Safari.

Restore Internet Explorer to Default Settings

  1. Launch Internet Explorer.
  2. From the top menu, press on Tools and then Internet Options.
  3. In the new window that opens, choose the Advanced tab.
  4. At the bottom of the window, below Reset Internet settings, there will be a ‘Reset’ button. Press that.

While extensions and plug-ins will be deleted, this will not touch your browser history, bookmarks, saved passwords or Internet cookies.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>