The malware family that produces custom made ransomware, known as Xorist has been around for quite some time now. It is being sold as a custom program that is available on the black market, and anyone who knows how to look for it can buy it online. The ransomware includes custom decryptor and other features such as setting which file extensions to look for and others. Users who have been affected by this threat should immediately use the instructions below to remove it and restore their files.
|Short Description||Encrypts user files adding a custom file extension, for example New Text Document.txt.73i80A and extorting for money in return for file decryption.|
|Symptoms||The user may witness his files being encoded along with a ransom message.|
|Distribution Method||Via malicious URLs or file attachments.|
|Detection Tool||Download Malware Removal Tool, to See If Your System Has Been Affected by Xorist|
|User Experience||Join our forum to discuss Xorist.|
Xorist Ransomware – How Is It Spread
To infect users, cyber-criminals who purchased this ransomware may spam it all over the web. Most cyber-crooks prefer methods that are not publicly visible, such as uploading an exploit kit in a malicious URL that will infect your computer with Xorist via downloading it and starting it on your PC. The malicious links may be distributed in online chat platforms or email spam such as the example below:
Users who see such links should immediately take actions to implement spam filtering and educate themselves always to check unknown web links or attached documents in websites, like VirusTotal.
Xorist Ransomware In Detail
After it has been created, and activated on your computer, the ransomware may drop its payload modules that scan for and encrypt your files in one of the following Windows folders:
After this is done, Xorist may modify the registry entries of your computer, to make the malicious executable(s) run every time Windows starts. This can happen by adding values and data in the following subkey:
After this is done and your PC is rebooted, the ransomware begins to scan for the following files and encrypt them:
→ *.zip, *.rar, *.7z, *.tar, *.gzip, *.jpg, *.jpeg, *.psd, *.cdr, *.dwg, *.max, *.bmp, *.gif, *.png, *.doc, *.docx, *.xls, *.xlsx, *.ppt, *.pptx, *.txt, *.pdf, *.djvu, *.htm, *.html, *.mdb, *.cer, *.p12, *.pfx, *.kwm, *.pwm, *.1cd, *.md, *.mdf, *.dbf, *.odt, *.vob, *.ifo, *.lnk, *.torrent, *.mov, *.m2v, *.3gp, *.mpeg, *.mpg, *.flv, *.avi, *.mp4, *.wmv, *.divx, *.mkv, *.mp3, *.wav, *.flac, *.ape, *.wma, *.ac3 Source:BleepingComputer
The files are reported to be encrypted by using either XOR or TEA encryption algorithms, which is fortunate, because below we have posted a link to a decryptor that has been released by Kaspersky for the data.
After the data has been encrypted, the ransomware displays the following ransom message either as a text document or a wallpaper:
Besides those, there may be other features of the ransomware that you may see since it is very custom:
- Different icons for the malware executable.
- Different ransom note.
- Different files that are encrypted.
- When should it start.
- Whether to display a message in each folder or a pop-out message after encryption.
- Changing the wallpaper to a custom one.
Furthermore, here is a variant of this ransomware that has been customized by some third-party who probably purchased it on the black market:
The bottom line is that this ransomware is no joke, and it encrypts your files to extort you to pay money via SMS, bitcoin or other method and make cyber-crooks rich while causing you additional headaches. The good news is that you can counter that for free.
Remove Xorist Ransomware and Restore the Encrypted Data
First, it is important to delete the cyber-threat. To remove it, you should follow the step-by-step instructions bellow for maximum effectiveness. Besides that, we strongly advise you to be cautious when removing the ransomware and backing up your encrypted files if the system crashes.
Regarding file restoration, fortunately, Kaspersky and Emsisoft have developed free decryptions, and you might just be able to restore your files. To do that download the decryptors Step 4. Restore files encrypted by Xorist Ransomware below and use them.