TeamXrat Virus (Xpan) – Remove and Decrypt .___xratteamLucked Files

[Image: TeamXRat (Xpan) ransom note]

A new ransomware virus spreads through the Remote Desktop Protocol (RDP) found on many computer systems. Its real name is Xpan, but many victims and some researchers refer to it as TeamXRat ransomware. The name TeamXRat comes from the cybercriminals who developed the ransomware and left their name in the ransom note as a signature. The extension .___xratteamLucked is appended to the files that get encrypted.

The ransomware originates from Brazil, but residents of other countries may get infected as well. To remove the virus and see how you can decrypt your files, read this article carefully.

Threat Summary

Name: TeamXrat
Type: Ransomware, Cryptovirus
Short Description: The ransomware spreads by exploiting weak passwords on the Remote Desktop Protocol (RDP). From there it loads the Xpan Trojan horse and encrypts the files on the compromised PC.
Symptoms: The virus appends the .___xratteamLucked extension to the files it encrypts.
Distribution Method: Targeted attacks, Remote Desktop Protocol (RDP)
Detection Tool: See If Your System Has Been Affected by TeamXrat
User Experience: Join Our Forum to Discuss TeamXrat.

TeamXRat Virus – Infection

The TeamXRat virus is unusual in the way it infects compared to other ransomware viruses. It relies on targeted attacks, brute-forcing servers via the Remote Desktop Protocol (RDP). The Windows operating system ships with Remote Desktop Connection, and it may be turned on by default. Other operating systems also have an equivalent program running the same protocol, which makes them viable targets for such an attack. Once a weak password is cracked by brute force, the access is exploited immediately. The Xpan ransomware Trojan is installed after the hackers manually disable the antivirus software found on the server they have entered.
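As an added example (not code from the original article), the following Python script shows how a defender could spot the RDP password guessing described above in Windows Security log events: it counts failed logons (event 4625 with logon type 10, RemoteInteractive) per source address inside a sliding time window and records whether a successful logon (event 4624) from the same address follows. The log lines, the threshold and the window size are constructed for this example; the field layout (timestamp, event ID, logon type, account, source address) is an assumed simplification of what a SIEM or wevtutil export would carry.

```python
"""
Detect RDP password guessing from Windows Security events 4625/4624.
Added example; the log lines and field layout are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <event id> <logon type> <account> <source address>"
SAMPLE_EVENTS = [
    "2016-09-20T03:00:01 4625 10 Administrator 203.0.113.45",
    "2016-09-20T03:00:02 4625 10 Administrator 203.0.113.45",
    "2016-09-20T03:00:04 4625 10 Administrator 203.0.113.45",
    "2016-09-20T03:00:05 4625 10 Administrator 203.0.113.45",
    "2016-09-20T03:00:07 4625 10 Administrator 203.0.113.45",
    "2016-09-20T03:00:09 4625 10 Administrator 203.0.113.45",
    "2016-09-20T03:00:30 4624 10 Administrator 203.0.113.45",  # success after the burst
    "2016-09-20T03:01:00 4625 10 jsmith 198.51.100.7",         # a single typo, not an attack
    "2016-09-20T03:02:00 4624 10 jsmith 192.0.2.10",           # normal admin session
    "2016-09-20T03:02:30 4625 3 svc_backup 203.0.113.45",      # network logon, not RDP: ignored
]

THRESHOLD = 5               # failures from one source within the window (assumed value)
WINDOW = timedelta(minutes=5)
RDP_LOGON_TYPE = 10         # RemoteInteractive


def parse(line):
    """Split one constructed event line into typed fields."""
    ts, event_id, logon_type, account, src = line.split()
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), account, src


def detect_rdp_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {source: {"failures": peak in-window count, "compromised": bool}}.

    Only RemoteInteractive (type 10) events count. A source is flagged once it
    reaches `threshold` failures inside `window`; a later 4624 from a flagged
    source marks it as a probable successful password guess.
    """
    recent = defaultdict(deque)   # source -> timestamps of recent 4625 events
    alerts = {}
    for line in sorted(lines):    # ISO timestamps sort correctly as strings
        ts, event_id, logon_type, _account, src = parse(line)
        if logon_type != RDP_LOGON_TYPE:
            continue
        if event_id == 4625:
            window_events = recent[src]
            window_events.append(ts)
            while window_events and ts - window_events[0] > window:
                window_events.popleft()      # drop failures older than the window
            if len(window_events) >= threshold:
                entry = alerts.setdefault(src, {"failures": 0, "compromised": False})
                entry["failures"] = max(entry["failures"], len(window_events))
        elif event_id == 4624 and src in alerts:
            alerts[src]["compromised"] = True
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        state = "SUCCESSFUL LOGON AFTER GUESSING" if info["compromised"] else "guessing only"
        print(f"{src}: {info['failures']} RDP failures in window, {state}")
```

On the sample data only 203.0.113.45 is reported, with six failures and a following success; the single failure from 198.51.100.7 and the non-RDP logon are ignored. In practice the threshold should be tuned to the environment, and a flagged source with a following 4624 is the signal that warrants immediate host triage.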

However, the TeamXRat virus may also be spread in other ways, including malicious spam e-mail campaigns or networks such as social media and file-sharing services, where a malicious file containing the malware payload could be placed. If you interact with it, especially by executing it, the files on your whole computer will be encrypted. Before opening files of unknown origin, check their signatures and size, and scan them with a security tool. You can find more tips for ransomware prevention in our forum thread.

TeamXRat Virus – Information

The Xpan Trojan virus is what many people have dubbed TeamXRat, largely because the ransomware carries the signature TeamXRat in its ransom note and on the wallpaper it sets after file encryption. The ransomware is developed by Brazilian criminals identifying themselves as TeamXRat or CorporacaoXRat (CorporationXRat). Although the virus originates from Brazil and most compromised computers are in Brazil, people from other countries have also fallen victim to this cyber threat.

The TeamXRat cybercriminals have developed ransomware before, known as the Xrat ransomware (Xorist). Their newest ransomware improves on it with a stronger encryption algorithm.

The ransomware creates the following sub-key in the Windows Registry:

→HKEY_CLASSES_ROOT\.____xratteamLucked

After that, the following Registry entries are created in the above-mentioned sub-key:

→HKEY_CLASSES_ROOT\.____xratteamLucked\"Default" = "Criptografado!!"

→HKEY_CLASSES_ROOT\.____xratteamLucked\DefaultIcon\"Default" = "%SystemDrive%\System32\shell32.dll,47"

→HKEY_CLASSES_ROOT\.____xratteamLucked\shell\open\command\"Default" = "[DOS SCRIPT]"

Through the registry entries above, a script is launched from a .DLL file. On top of that, the ransomware stops the following processes (marked with .exe) and services:

  • fb_inet_server.exe
  • pg_ctl.exe
  • sqlservr.exe
  • postgresql-9.0
  • FirebirdServerDefaultInstance
  • SSQL$SQLEXPRESS
  • MSSQLSERVER

In the end, the following file with the payment instructions is created:

→[PATH OF ENCRYPTED FILES]\Como descriptografar os seus arquivos.txt

The file is written in Brazilian Portuguese and looks like this:

[Image: TeamXRat (Xpan) ransom message with payment instructions]

Another change you might notice is that your desktop wallpaper is replaced with this picture:

[Image: TeamXRat (Xpan) ransom note wallpaper]

The note names the encryption algorithm used, demands one Bitcoin as payment, and gives the e-mail address xRatTeam@mail2tor.com for contacting the cyber crooks.
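The registry key, the stopped services and the ransom note file named above are concrete indicators a responder can check for. The Python script below is an added example (not the article's or the malware's code) that triages them offline: it parses a text export of the registry in the .reg format that `reg export` writes, scans System-log service state messages (event 7036) for the database services the ransomware stops, and looks through a file listing for the ransom note name and the encrypted-file extensions. The registry excerpt, log lines and file paths are constructed samples; the "[DOS SCRIPT]" placeholder is kept as the article gives it, since the script body is not published there.

```python
"""
Offline triage for the TeamXRat/Xpan indicators listed in the article.
Added example; all inputs below are constructed samples.
"""
import re

# Indicators as given in the article (registry key, stopped services, note name, extensions).
REG_KEY = r"HKEY_CLASSES_ROOT\.____xratteamLucked"
STOPPED_SERVICES = {"postgresql-9.0", "FirebirdServerDefaultInstance",
                    "SSQL$SQLEXPRESS", "MSSQLSERVER"}
RANSOM_NOTE = "Como descriptografar os seus arquivos.txt"
ENCRYPTED_EXTS = (".___xratteamLucked", ".____xratteamLucked")

# Constructed excerpt in the format `reg export HKCR out.reg` produces (backslashes doubled).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.____xratteamLucked]
@="Criptografado!!"

[HKEY_CLASSES_ROOT\.____xratteamLucked\DefaultIcon]
@="%SystemDrive%\\System32\\shell32.dll,47"

[HKEY_CLASSES_ROOT\.____xratteamLucked\shell\open\command]
@="[DOS SCRIPT]"
"""

# Constructed System-log lines: "<ISO timestamp> <event id> <message>"
SAMPLE_SYSTEM_LOG = [
    "2016-09-20T03:05:10 7036 The Print Spooler service entered the running state.",
    "2016-09-20T03:05:12 7036 The MSSQLSERVER service entered the stopped state.",
    "2016-09-20T03:05:13 7036 The postgresql-9.0 service entered the stopped state.",
    "2016-09-20T03:05:14 7036 The FirebirdServerDefaultInstance service entered the stopped state.",
    "2016-09-20T03:05:15 7036 The Windows Update service entered the stopped state.",
]

# Constructed file listing from a suspected host.
SAMPLE_FILES = [
    r"C:\Users\ana\Documents\relatorio.docx.___xratteamLucked",
    r"C:\Users\ana\Documents\Como descriptografar os seus arquivos.txt",
    r"C:\Users\ana\Documents\notas.txt",
    r"C:\Windows\System32\shell32.dll",
]

SERVICE_STOP = re.compile(r"^\S+ 7036 The (?P<svc>.+?) service entered the stopped state\.$")


def registry_indicators(reg_text):
    """Return {key path: default value} for every key under the ransomware's HKCR key."""
    found = {}
    current = None
    for line in reg_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key if key.lower().startswith(REG_KEY.lower()) else None
        elif current and line.startswith("@="):
            # strip @=" and the closing quote, then undo .reg backslash escaping
            found[current] = line[3:-1].replace("\\\\", "\\")
    return found


def stopped_database_services(log_lines):
    """Return the article-listed services seen entering the stopped state, in log order."""
    hits = []
    for line in log_lines:
        match = SERVICE_STOP.match(line)
        if match and match.group("svc") in STOPPED_SERVICES:
            hits.append(match.group("svc"))
    return hits


def file_indicators(paths):
    """Split paths into ransom notes and files carrying the encryption extension."""
    notes = [p for p in paths if p.rsplit("\\", 1)[-1] == RANSOM_NOTE]
    encrypted = [p for p in paths if p.endswith(ENCRYPTED_EXTS)]
    return notes, encrypted


def triage(reg_text, log_lines, paths):
    """Combine the three checks into one verdict dictionary."""
    reg = registry_indicators(reg_text)
    services = stopped_database_services(log_lines)
    notes, encrypted = file_indicators(paths)
    return {
        "registry_key_present": bool(reg),
        "registry_values": reg,
        "database_services_stopped": services,
        "ransom_notes": notes,
        "encrypted_files": encrypted,
        "infected": bool(reg) or bool(notes) or bool(encrypted),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_REG, SAMPLE_SYSTEM_LOG, SAMPLE_FILES).items():
        print(f"{name}: {value}")
```

The stopped database services are reported separately from the verdict: on their own they are a weak signal (administrators stop services too), but a burst of 7036 stop events for exactly these services shortly before the encryption extension appears is characteristic of the sequence the article describes.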

Do not even think of paying the malware makers, as nobody can guarantee you will get your files back after payment. The money will undeniably be used to fund further criminal activity, such as the development of new ransomware or worse.

All encrypted files will have the extension .___xratteamLucked or .____xratteamLucked appended to them. The ransomware uses a 255-character password and the RSA 2048-bit encryption algorithm with 256-bit AES ciphers to encrypt files. Usually we list the file types that such a cryptovirus encrypts, but this time we can show the file types that are not encrypted, because they are placed on an exception list:

→.exe .dll .lnk .bat .ini .msi .scf

Here is a full list containing all file paths that are excluded from encryption:

File Path Strings Exclusions List

The TeamXRat ransomware is very likely to delete the Shadow Volume Copies on your Windows operating system. After encryption, the ransomware deletes some of the files it came from, including the payload file. Continue reading below to see how to remove the virus completely and what you can try in order to decrypt your files.

Remove TeamXRat Virus and Restore .___xratteamLucked Files

If your computer got infected with the TeamXRat ransomware cryptovirus, you should have some experience in removing malware. Get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect more computers. Remove the ransomware by following the step-by-step instructions given below. To try recovering your files, see the step titled "2. Restore files encrypted by TeamXRat", or wait to see whether an official decrypter is released.

Manually delete TeamXrat from your computer

Note! Important notice about the TeamXrat threat: manual removal of TeamXrat requires editing system files and the registry, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove TeamXrat files and objects
2. Find malicious files created by TeamXrat on your PC

Automatically remove TeamXrat by downloading an advanced anti-malware program

1. Remove TeamXrat with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by TeamXrat
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
