Ransomware Group

Phoenix

Also known as: PhoenixLocker, PX-Ransom, Rebirth

Status: active • First seen 2024-01 • 200+ known victims

Phoenix is composed of experienced ransomware operators from other groups that have since been shut down. Their prior experience makes them adept at evading security software.

Overview

Phoenix ransomware emerged from former members of disbanded ransomware operations. The group recruits experienced affiliates and has advanced evasion capabilities aimed at avoiding endpoint detection.

Target Industries

Manufacturing, Healthcare, Education, Government

How They Attack

  • EDR evasion
  • Cobalt Strike
  • Initial access brokers
  • Triple extortion

Notable Victims

Hospital systems (2024), Manufacturing firms (2025)

How to Protect Against Phoenix

  1. Ensure EDR is fully deployed and updated
  2. Monitor for Cobalt Strike indicators
  3. Block known IAB infrastructure

MITRE ATT&CK Techniques

T1562.001 (Impair Defenses: Disable or Modify Tools), T1219 (Remote Access Software), T1486 (Data Encrypted for Impact), T1567 (Exfiltration Over Web Service)

Related Groups

Conti, LockBit
