Phoenix Cryptolocker Ransomware Threat Intel Advisory

April 30, 2021
Advisory Type: Malware Intelligence
Malware Name: Phoenix Cryptolocker
Malware Type:
Target Platform:

Executive Summary

Phoenix Cryptolocker ransomware is a new malware variant that reportedly targeted the insurance giant CNA in March 2021. CNA’s customer and employee services were disrupted for 3 days due to the attack. The ransomware is believed to be linked to the Evil Corp threat group, as its code resembles that of Evil Corp’s previous ransomware. The new variant targets files with multiple extensions, leaving behind a ransom note along with the threat actor’s Telegram contact, “phoenix helpdesk”.

Technical Details

Based on the assumed connection with the Evil Corp threat group, initial access to the network is gained over RDP (Remote Desktop Protocol) or by using compromised credentials to access VPS (Virtual Private Servers). The ransomware masquerades as legitimate software signed with a digital certificate issued to “SATURDAY CITY LIMITED,” which tricks the user into launching it. Once executed, the ransomware enumerates the system folders and directories for specific file extensions, encrypts the targeted files, and appends a “.phoenix” extension to each encrypted file. It then leaves a ransom note in the file “phoenix-help.txt.”
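As an added example (not from the original advisory), the following Python sketch flags hosts whose file-create telemetry shows the two artefacts described above: a burst of files gaining the “.phoenix” extension and the “phoenix-help.txt” note dropped alongside them. The host names, event format, paths and thresholds are constructed assumptions, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

PHOENIX_EXT = ".phoenix"          # appended to every encrypted file (per the advisory)
RANSOM_NOTE = "phoenix-help.txt"  # ransom note dropped next to encrypted files

# Constructed sample of file-create events (host, timestamp, path); not real telemetry.
SAMPLE_EVENTS = [
    ("ws01", "2021-03-21T02:14:05", r"C:\Users\alice\Documents\q1-forecast.xlsx.phoenix"),
    ("ws01", "2021-03-21T02:14:06", r"C:\Users\alice\Documents\board-deck.pptx.phoenix"),
    ("ws01", "2021-03-21T02:14:06", r"C:\Users\alice\Documents\phoenix-help.txt"),
    ("ws01", "2021-03-21T02:14:07", r"C:\Users\alice\Pictures\holiday.jpg.phoenix"),
    ("ws01", "2021-03-21T02:14:09", r"C:\Shares\finance\ledger.accdb.phoenix"),
    ("ws01", "2021-03-21T02:14:09", r"C:\Shares\finance\phoenix-help.txt"),
    ("ws02", "2021-03-21T09:30:00", r"C:\Users\bob\Downloads\setup.exe"),
    ("ws02", "2021-03-21T09:31:12", r"C:\Users\bob\Desktop\notes.txt"),
    ("ws03", "2021-03-20T17:02:00", r"C:\Users\carol\Documents\old.doc.phoenix"),  # single file, below threshold
]

def classify(path):
    """Label one path as 'encrypted', 'note' or None (benign)."""
    p = PureWindowsPath(path)
    if p.name.lower() == RANSOM_NOTE:
        return "note"
    if p.suffix.lower() == PHOENIX_EXT:
        return "encrypted"
    return None

def find_phoenix_activity(events, min_encrypted=3, window=timedelta(minutes=5)):
    """Return per-host findings. A host is flagged if it drops a ransom note or
    creates at least `min_encrypted` .phoenix files inside one `window`."""
    by_host = defaultdict(lambda: {"encrypted": [], "notes": set(), "flagged": False})
    for host, ts, path in events:
        kind = classify(path)
        if kind == "encrypted":
            by_host[host]["encrypted"].append(datetime.fromisoformat(ts))
        elif kind == "note":
            by_host[host]["notes"].add(str(PureWindowsPath(path).parent))
    for host, info in by_host.items():
        times = sorted(info["encrypted"])
        # Sliding window: any run of min_encrypted renames within `window` counts as a burst.
        burst = any(times[i + min_encrypted - 1] - times[i] <= window
                    for i in range(len(times) - min_encrypted + 1))
        info["flagged"] = burst or bool(info["notes"])
        info["encrypted"] = len(times)
    return dict(by_host)

if __name__ == "__main__":
    for host, info in find_phoenix_activity(SAMPLE_EVENTS).items():
        print(host, info)
```

Hosts that never touch either artefact are absent from the result, so a real deployment would join this against the asset inventory rather than treat absence as a clean bill of health.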

Figure: phoenix-help.txt ransom note


Technical Impact
  • The ransomware arrives as legitimately signed software, tricking the victim into executing it.
  • It encrypts the victim’s data.
Business Impact
  • Encrypting the data severely disrupts business continuity.
  • The incident damages the reputation of the victim company.

Recommendations
  • Maintain and update backups of all data
  • Grant only the minimum level of access/permissions to all users
  • Isolate infected machines from the network
  • Replace all credentials with strong, secure ones
  • Use up-to-date versions of AV, prevention and detection security tools
  • Use multi-factor authentication for all system accounts

Tactics, Techniques, and Procedures

Execution
T1059 Command and Scripting Interpreter
T1106 Native API
T1204 User Execution
T1047 Windows Management Instrumentation
Persistence
T1543.003 Windows Service
Privilege Escalation
T1543.003 Windows Service
Defense Evasion
T1222.001 Windows File and Directory Permissions Modification
T1564.001 Hidden Files and Directories
T1218 Signed Binary Proxy Execution
T1070.004 File Deletion
T1036 Masquerading
T1027 Obfuscated Files or Information
T1027.002 Software Packing
Discovery
T1083 File and Directory Discovery
T1518.001 Security Software Discovery
T1082 System Information Discovery
Collection
T1560 Archive Collected Data
T1005 Data from Local System
Command and Control
T1573 Encrypted Channel
Impact
T1486 Data Encrypted for Impact

