Hey you,

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:

Remove Xrat Ransomware (Xorist). Restore .C0rp0r@c@0Xr@ Files

The Xorist ransomware family has been known to security researchers for a while now. A new variant of this family has just emerged and it has been identified as Team XRat, or just XRat. For now, the crypto virus specifically targets Portuguese speaking victims, encrypting their files and appending a .C0rp0r@c@0Xr@ to them. As for the ransom note, research indicates that it’s called “Como descriptografar seus arquivos.txt“.

Threat Summary

Name XRat, Team XRat
Type Ransomware
Short Description The ransomware encrypts all important files and displays a ransom note.
Symptoms The ransomware will encrypt files with and put the .C0rp0r@c@0Xr@ extension to each encrypted file.
Distribution Method Spam Emails, File Sharing Networks, .Exe Files
Detection Tool See If Your System Has Been Affected by XRat, Team XRat


Malware Removal Tool

User Experience Join Our Forum to Discuss XRat, Team XRat.

XRat Ransomware Distribution Methods

To infect users, this ransomware may spread via several different methods, such as:

  • Through malicious URLs, sent out in spam campaigns, that cause drive-by-downloads or the execution of .js(JavaScript) files.
  • Via malicious executables, like Windows activators, game key generators, and others, pretending to be virus-free applications.
  • Via infected USB drives or other external drives.

Technical Overview of Team XRat Xorist Ransomware

Like we already said, the ransomware will encrypt the user’s files and will add a .C0rp0r@c@0Xr@ extension. The victim’s wallpaper will also be changed to a picture of Anonymous. The picture contains instructions telling the victim to send an email to corporacaoxrat@protonmail.com for further payment instructions.

The XRat Xorist ransomware may modify the registry entries of the victim’s computer, so that the malicious executables run every time Windows starts. This can happen by adding values and data in the following subkey:


After this is done and the victim’s PC is rebooted, the ransomware begins to scan for the files to encrypt. Previous Xorist variants are known to target the following files for encryption:

*.zip, *.rar, *.7z, *.tar, *.gzip, *.jpg, *.jpeg, *.psd, *.cdr, *.dwg, *.max, *.bmp, *.gif, *.png, *.doc, *.docx, *.xls, *.xlsx, *.ppt, *.pptx, *.txt, *.pdf, *.djvu, *.htm, *.html, *.mdb, *.cer, *.p12, *.pfx, *.kwm, *.pwm, *.1cd, *.md, *.mdf, *.dbf, *.odt, *.vob, *.ifo, *.lnk, *.torrent, *.mov, *.m2v, *.3gp, *.mpeg, *.mpg, *.flv, *.avi, *.mp4, *.wmv, *.divx, *.mkv, *.mp3, *.wav, *.flac, *.ape, *.wma, *.ac3

The files are most likely encrypted by using either XOR or TEA encryption algorithms, which is fortunate, because a decryption method has already been outlined by security experts. See below.

After all data has been encrypted, the ransomware displays the ransom message either as a wallpaper. The message is titled “Como descriptografar seus arquivos.txt“.

How to Remove XRat Ransomware and Restore the .C0rp0r@c@0Xr@ Encrypted Files

The very first thing to do is remove the ransomware from the system. The easiest way to do so is by using an automatic anti-malware program. To remove XRat, you should follow the step-by-step instructions bellow the article. In addition, we strongly advise you to be cautious while removing the ransomware and back up your encrypted files in case the system crashes.

Regarding file restoration, there is a special decrypter for this ransomware developed by Emsisoft – Emsisoft Xorist Decrypter.

Manually delete XRat, Team XRat from your computer

Note! Substantial notification about the XRat, Team XRat threat: Manual removal of XRat, Team XRat requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove XRat, Team XRat files and objects.
2. Find malicious files created by XRat, Team XRat on your PC.
3. Fix registry entries created by XRat, Team XRat on your PC.

Automatically remove XRat, Team XRat by downloading an advanced anti-malware program

1. Remove XRat, Team XRat with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by XRat, Team XRat in the future
3. Restore files encrypted by XRat, Team XRat
Optional: Using Alternative Anti-Malware Tools

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.

More Posts - Website

Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.