Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove Xorist Ransomware Variants and Restore Your Encrypted Files

The malware family that produces custom made ransomware, known as Xorist has been around for quite some time now. It is being sold as a custom program that is available on the black market, and anyone who knows how to look for it can buy it online. The ransomware includes custom decryptor and other features such as setting which file extensions to look for and others. Users who have been affected by this threat should immediately use the instructions below to remove it and restore their files.

Name Xorist
Type Ransomware
Short Description Encrypts user files adding a custom file extension, for example New Text Document.txt.73i80A and extorting for money in return for file decryption.
Symptoms The user may witness his files being encoded along with a ransom message.
Distribution Method Via malicious URLs or file attachments.
Detection Tool Download Malware Removal Tool, to See If Your System Has Been Affected by Xorist
User Experience Join our forum to discuss Xorist.

Xorist Ransomware – How Is It Spread

To infect users, cyber-criminals who purchased this ransomware may spam it all over the web. Most cyber-crooks prefer methods that are not publicly visible, such as uploading an exploit kit in a malicious URL that will infect your computer with Xorist via downloading it and starting it on your PC. The malicious links may be distributed in online chat platforms or email spam such as the example below:

malicious-email-spam-links-sensorstechforum

Users who see such links should immediately take actions to implement spam filtering and educate themselves always to check unknown web links or attached documents in websites, like VirusTotal.

Xorist Ransomware In Detail

After it has been created, and activated on your computer, the ransomware may drop its payload modules that scan for and encrypt your files in one of the following Windows folders:

commonly used file names and folders

After this is done, Xorist may modify the registry entries of your computer, to make the malicious executable(s) run every time Windows starts. This can happen by adding values and data in the following subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

After this is done and your PC is rebooted, the ransomware begins to scan for the following files and encrypt them:

→ *.zip, *.rar, *.7z, *.tar, *.gzip, *.jpg, *.jpeg, *.psd, *.cdr, *.dwg, *.max, *.bmp, *.gif, *.png, *.doc, *.docx, *.xls, *.xlsx, *.ppt, *.pptx, *.txt, *.pdf, *.djvu, *.htm, *.html, *.mdb, *.cer, *.p12, *.pfx, *.kwm, *.pwm, *.1cd, *.md, *.mdf, *.dbf, *.odt, *.vob, *.ifo, *.lnk, *.torrent, *.mov, *.m2v, *.3gp, *.mpeg, *.mpg, *.flv, *.avi, *.mp4, *.wmv, *.divx, *.mkv, *.mp3, *.wav, *.flac, *.ape, *.wma, *.ac3 Source:BleepingComputer

The files are reported to be encrypted by using either XOR or TEA encryption algorithms, which is fortunate, because below we have posted a link to a decryptor that has been released by Kaspersky for the data.

After the data has been encrypted, the ransomware displays the following ransom message either as a text document or a wallpaper:

Xorist-Ransomware-ransom-note-sensorstechforum

Besides those, there may be other features of the ransomware that you may see since it is very custom:

  • Different icons for the malware executable.
  • Different ransom note.
  • Different files that are encrypted.
  • When should it start.
  • Whether to display a message in each folder or a pop-out message after encryption.
  • Changing the wallpaper to a custom one.

Furthermore, here is a variant of this ransomware that has been customized by some third-party who probably purchased it on the black market:

Remove 73i87a Ransomware and Restore Encrypted Files

The bottom line is that this ransomware is no joke, and it encrypts your files to extort you to pay money via SMS, bitcoin or other method and make cyber-crooks rich while causing you additional headaches. The good news is that you can counter that for free.

Remove Xorist Ransomware and Restore the Encrypted Data

First, it is important to delete the cyber-threat. To remove it, you should follow the step-by-step instructions bellow for maximum effectiveness. Besides that, we strongly advise you to be cautious when removing the ransomware and backing up your encrypted files if the system crashes.

Regarding file restoration, fortunately, Kaspersky and Emsisoft have developed free decryptions, and you might just be able to restore your files. To do that download the decryptors Step 4. Restore files encrypted by Xorist Ransomware below and use them.

1. Boot Your PC In Safe Mode to isolate and remove Xorist
2. Remove Xorist with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by Xorist in the future
4. Restore files encrypted by Xorist
Optional: Using Alternative Anti-Malware Tools
NOTE! Substantial notification about the Xorist threat: Manual removal of Xorist requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.