Remove Ransomware and Restore .xort Encrypted Files - How to, Technology and PC Security Forum |

Remove [email protected] Ransomware and Restore .xort Encrypted Files

shutterstock_271501652A new ransomware has been reported to extort users by encrypting their data with a strong encryption algorithm. It leaves an email address of the cybercriminals after it encrypts the user files leaving them unable to be opened. On top of that, the ransomware uses a custom .xort file extension which it leaves after it encrypts a file. All users who have been infected are strongly advised not to pay the ransom money for the decryption of their data and instead look for alternative file restoration methods, like the ones posted after this article.

Short DescriptionScans for and encrypts user files after which ask the user to pay ransom for the decryption
SymptomsThe user may witness his files to become without an icon and have the .xort file extension.
Distribution MethodVia a Trojan.Downloader spread online via different methods. (email, social networks, etc.)
Detection ToolDownload Malware Removal Tool, to See If Your System Has Been Affected by Xort
User Experience Join our forum to discuss Xort.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Xort Ransomware – Distribution

This crypto-malware is most likely spread via a Trojan.Downloader (MSIL). Example for such malware is the Winpud Trojan. These cyber-threats spread via spam emails or web links featured in spam messages online. The most common used topics on spam messages are on a financial topic because it is the most opened one by users. Email subjects such as “Your Receipt”, “Confirm Transaction” and so on are just a small part of the spam emails distributing the payload of the Trojan. Once on the computer, the malware activates, gets system information, such as:

  • The OS of the user.
  • The spyware and malware protection software.
  • Other system and regional info.

Once activated, it may also open a port and connect to a remote IP address which is the server hosting Xort Ransomware. From there, it may download via the unsecured port the ransomware and activate it.

Xort Ransomware In Detail

Once activated the ransomware drops its payload. The payload of the ransomware may contain files of the following types:

.dll, .exe, .tmp, .vbs

The files are basically the different modules of this crypto-malware, and every module may be responsible for different activity, for example encrypting data, creating registry entries, etc. The names of the files may be several types:

  • Names that are completely random, for example 210h109d2190210d.exe
  • Names that resemble a legitimate program, for example, notepad.exe
  • Names that contain a mistake made on purpose, for example, pec-man.exe
  • Only numerical names, for example, 1111111.exe

One of the modules of the ransomware may be the module which scans for and encrypts data. Xort ransomware may set a registry entry to run the malicious executable in the following key:


After this another module of the ransomware may execute the following administrative command via a script to restart the infected computer and hence run the malicious .exe on system startup:

shutdown /r /c “{A reason for PC rebooting}”

After the computer has rebooted and while Windows is starting the ransomware’s executable may activate and scan for files with the most common used file extensions.

The files are then encrypted with the .xort file extension, for example:


When opening the files on Windows, the user may see this prompt:

mp3-player-sensorstechforum-files-.mp3-file extension

Furthermore, the ransomware may also leave files that are its ransom message. The ransom message may state instructions similar to the ones below:

“Your files are encrypted by e file-encoder virus!
To restore your files, please contact [email protected] for further instructions. You have seven weeks to contact us or else we will make the decryption of your files impossible by deleting the decryption key.”

Malware researchers strongly advise against communicating with the cyber criminals to restore your files. This is because they may cheat you and not restore your data and furthermore you fund their criminal operation to develop and spread the crypto-malware.

Remove Xort Ransomware and Restore .xort Encrypted Files

Since this ransomware may have already deleted itself on your computer, all that may be left for you to do Is to scan it for other malware such as the Trojan which may have downloaded it.

After your PC is clean, you can proceed to follow the methods below to try and restore your .xort files. There are several methods we have suggested that may help your situation partially. Make sure you do not reinstall your OS since you may lose any hope of restoring the data.

1. Boot Your PC In Safe Mode to isolate and remove Xort
2. Remove Xort with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by Xort in the future
4. Restore files encrypted by Xort
Optional: Using Alternative Anti-Malware Tools
NOTE! Substantial notification about the Xort threat: Manual removal of Xort requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.