Ransomware is restless, and so are the malicious actors behind it who are currently infecting millions of users. At the end of 2015, we are seeing new versions of encrypting families that have been active in the past. XRTN ransomware fits the description of a resurrected ransomware case, as it is identified to be close to the VaultCrypt family.
| Field | Details |
| --- | --- |
| Short Description | A member of VaultCrypt's ransomware family. |
| Symptoms | The .XRTN extension is appended to the victim's files; uses the RSA-1024 encryption algorithm. |
| Distribution Method | Via email attachments. |
VaultCrypt attacks were first detected in March 2015. What made VaultCrypt stand out among other ransomware was its file encryption technique based on the use of Windows batch files and GnuPG privacy software. Back then, experts reported that the English version of the ransomware was not quite finished yet, but English instructions were already visible on the payment website.
What is specific about XRTN ransomware?
XRTN ransomware was first reported by Lawrence Abrams at Bleeping Computer. It uses RSA-1024 encryption in combination with the open source Gnu Privacy Guard (GnuPG) software. Once infected, the victim is shown an HTA document with instructions each time Windows starts. The document also contains an email address for contacting the cyber criminals – xrtnhelp@yande(.)ru. Unfortunately, at this point recovering the decryption key is not possible.
XRTN Ransomware Technical Details
Once the batch file is executed, an RSA-1024 key pair is generated. All drive letters are then scanned; files whose extensions match the targeted list are encrypted and an .xrtn extension is appended to them.
Here is a list of the file extensions this particular ransomware wants:
*.xls, *.doc, *.xlsx, *.docx, *.pdf, *.rtf, *.cdr, *.psd, *.dwg, *.cd, *.mdb, *.1cd, *.dbf, *.sqlite, *.jpg, *.zip
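During incident scoping it helps to turn the naming pattern described above (original name kept, .xrtn appended) into a quick inventory of what was hit. The script below is an added example, not code from the original article or from the ransomware itself; it walks a directory, counts encrypted files by their original extension, and flags any whose original extension is outside the list the article gives, which would suggest a different variant or a mislabelled file. The sample directory tree it builds is constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter

# Extensions the article lists as XRTN's targets (normalised to lowercase).
TARGETED_EXTENSIONS = {
    ".xls", ".doc", ".xlsx", ".docx", ".pdf", ".rtf", ".cdr", ".psd",
    ".dwg", ".cd", ".mdb", ".1cd", ".dbf", ".sqlite", ".jpg", ".zip",
}
ENCRYPTED_SUFFIX = ".xrtn"


def original_extension(name):
    """'report.docx.xrtn' -> '.docx'; '' if nothing precedes the suffix."""
    stem = name[:-len(ENCRYPTED_SUFFIX)]
    return os.path.splitext(stem)[1].lower()


def inventory(root):
    """Walk root and summarise encrypted files.

    Returns a dict with the total count, a per-original-extension count,
    and the paths of encrypted files whose original extension is not in
    the known target list.
    """
    per_ext = Counter()
    unexpected = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ENCRYPTED_SUFFIX):
                continue
            ext = original_extension(name)
            per_ext[ext] += 1
            if ext not in TARGETED_EXTENSIONS:
                unexpected.append(os.path.join(dirpath, name))
    return {
        "total": sum(per_ext.values()),
        "per_extension": dict(per_ext),
        "unexpected": sorted(unexpected),
    }


def build_sample_tree():
    """Constructed sample (assumption): a scratch directory imitating a
    user's Documents folder after an infection. Files are empty; only
    the names matter for the inventory."""
    root = tempfile.mkdtemp(prefix="xrtn_sample_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("budget.xlsx.xrtn", "thesis.docx.xrtn", "scan.pdf.xrtn",
                 "photo.jpg.xrtn", "notes.txt", "archive.7z.xrtn"):
        open(os.path.join(docs, name), "wb").close()
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    report = inventory(sample_root)
    print("encrypted files:", report["total"])
    for ext, count in sorted(report["per_extension"].items()):
        print(f"  {ext or '<none>'}: {count}")
    for path in report["unexpected"]:
        print("outside known target list:", path)
```

Run it against a real root (for example a mounted image of the affected volume) by calling `inventory(path)`; the per-extension breakdown is the defender's counterpart of the per-extension counts the ransomware writes into its own key file.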
Are the Shadow Volume Copies Affected?
Unfortunately, like most advanced ransomware, XRTN makes sure to delete the shadow volume copies. Thus, if the user doesn't have a clean backup of his data, he is deprived of any chance to recover it. The shadow volume copies are deleted when a VBS script is executed; the script contains a WMIC command that removes the shadow copies.
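Shadow copy deletion launched from a script host is a strong detection signal, and it fires before the ransom note is ever shown. The following is an added example, not from the original article or any product: a small rule run over constructed process-creation events (JSON lines with Sysmon-style field names, an assumption about the log format) that matches the WMIC shadow copy deletion the article attributes to XRTN's VBS script and raises the severity when the parent is wscript.exe or cscript.exe. It also matches the vssadmin form of the same action, which is a generalisation beyond what the article describes.

```python
import json
import re

# Command lines that remove Volume Shadow Copies. The WMIC form is the one
# the article describes; the vssadmin form is added here as the other
# common administrative route (not mentioned on the page).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
]

# Script hosts: a shadow copy deletion spawned by one of these matches the
# VBS-driven behaviour the article describes and deserves a higher severity.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def classify(event):
    """Return 'high', 'medium' or None for one process-creation event."""
    cmd = event.get("CommandLine", "")
    if not any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
        return None
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    return "high" if parent in SCRIPT_HOSTS else "medium"


def scan(lines):
    """Parse JSON event lines and return (time, severity, command) hits."""
    hits = []
    for line in lines:
        event = json.loads(line)
        severity = classify(event)
        if severity is not None:
            hits.append((event.get("UtcTime", ""), severity, event["CommandLine"]))
    return hits


# Constructed sample events (assumption: Sysmon-like field names).
SAMPLE_EVENTS = [
    {"UtcTime": "2015-12-01 10:02:11",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"UtcTime": "2015-12-01 10:05:40",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"UtcTime": "2015-12-01 10:06:02",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"UtcTime": "2015-12-01 10:07:15",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic logicaldisk get name"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for when, severity, command in scan(SAMPLE_LINES):
        print(f"{when}  [{severity}]  {command}")
```

The medium-severity path still matters: backup and imaging tools legitimately remove shadow copies, so the parent-process check is what separates a scripted attack from routine administration rather than a reason to suppress the alert entirely.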
The XRTN.key Explained
While the encryption process is taking place, the batch file exports the private key needed to decrypt the victim's data to a file dubbed XRTN.key. The XRTN.key file is then encrypted with a master public key that is embedded in the batch file.
In addition, the XRTN.key file contains personal information such as:
- The user’s username
- The computer’s name
- The number of encrypted files
- Configuration settings
- The number of each type of encrypted extension
Can files encrypted by XRTN ransomware be decrypted?
Unfortunately, the ransomware’s encryption cannot be beaten without the help of the private key owned exclusively by the ransomware’s author. Because the Shadow Volume Copies are also deleted, the only possible way to restore the affected data is by using a clean backup.
In order to remove all leftovers of XRTN ransomware, run an anti-malware program. You can refer to the steps below the article.