Remove Xrat Ransomware (Xorist). Restore .C0rp0r@c@0Xr@ Files

The Xorist ransomware family has been known to security researchers for a while now. A new variant of this family has just emerged and it has been identified as Team XRat, or just XRat. For now, the crypto virus specifically targets Portuguese-speaking victims, encrypting their files and appending the .C0rp0r@c@0Xr@ extension to them. As for the ransom note, research indicates that it’s called “Como descriptografar seus arquivos.txt”.

Threat Summary

Name: XRat, Team XRat
Short Description: The ransomware encrypts all important files and displays a ransom note.
Symptoms: The ransomware will encrypt files and append the .C0rp0r@c@0Xr@ extension to each encrypted file.
Distribution Method: Spam Emails, File Sharing Networks, .Exe Files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

XRat Ransomware Distribution Methods

To infect users, this ransomware may spread via several different methods, such as:

  • Through malicious URLs, sent out in spam campaigns, that cause drive-by downloads or the execution of .js (JavaScript) files.
  • Via malicious executables, like Windows activators, game key generators, and others, pretending to be virus-free applications.
  • Via infected USB drives or other external drives.

Technical Overview of Team XRat Xorist Ransomware

As noted above, the ransomware will encrypt the user’s files and will add the .C0rp0r@c@0Xr@ extension. The victim’s wallpaper will also be changed to a picture of Anonymous. The picture contains instructions telling the victim to send an email to [email protected] for further payment instructions.

The XRat Xorist ransomware may modify the registry entries of the victim’s computer, so that the malicious executables run every time Windows starts. This can happen by adding values and data in the following subkey:


After this is done and the victim’s PC is rebooted, the ransomware begins to scan for the files to encrypt. Previous Xorist variants are known to target the following files for encryption:

*.zip, *.rar, *.7z, *.tar, *.gzip, *.jpg, *.jpeg, *.psd, *.cdr, *.dwg, *.max, *.bmp, *.gif, *.png, *.doc, *.docx, *.xls, *.xlsx, *.ppt, *.pptx, *.txt, *.pdf, *.djvu, *.htm, *.html, *.mdb, *.cer, *.p12, *.pfx, *.kwm, *.pwm, *.1cd, *.md, *.mdf, *.dbf, *.odt, *.vob, *.ifo, *.lnk, *.torrent, *.mov, *.m2v, *.3gp, *.mpeg, *.mpg, *.flv, *.avi, *.mp4, *.wmv, *.divx, *.mkv, *.mp3, *.wav, *.flac, *.ape, *.wma, *.ac3

The files are most likely encrypted using either the XOR or the TEA encryption algorithm, which is fortunate, because a decryption method has already been outlined by security experts. See below.

After all data has been encrypted, the ransomware displays the ransom message as a wallpaper. The message is titled “Como descriptografar seus arquivos.txt”.

How to Remove XRat Ransomware and Restore the .C0rp0r@c@0Xr@ Encrypted Files

The very first thing to do is remove the ransomware from the system. The easiest way to do so is by using an automatic anti-malware program. To remove XRat, you should follow the step-by-step instructions below the article. In addition, we strongly advise you to be cautious while removing the ransomware and to back up your encrypted files in case the system crashes.

Regarding file restoration, there is a special decrypter for this ransomware developed by Emsisoft – Emsisoft Xorist Decrypter.
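Before removal or decryption, it helps to know exactly which files were hit so that the backup of encrypted files can be checked for completeness. The following Python script is an added example, not part of the original article or of any vendor tool: it uses only the two indicators named above (the appended extension and the ransom note file name), and the function names, manifest format and sample directory tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the article text.
ENCRYPTED_SUFFIX = ".C0rp0r@c@0Xr@"
RANSOM_NOTE = "Como descriptografar seus arquivos.txt"


def inventory(root):
    """Walk `root`; return (encrypted_paths, note_paths, counts_by_original_ext)."""
    encrypted, notes, by_ext = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE.lower():
                notes.append(path)
            elif name.lower().endswith(ENCRYPTED_SUFFIX.lower()):
                encrypted.append(path)
                # The suffix is appended, so the original name precedes it.
                original = name[: -len(ENCRYPTED_SUFFIX)]
                ext = os.path.splitext(original)[1].lower() or "(none)"
                by_ext[ext] += 1
    return sorted(encrypted), sorted(notes), by_ext


def write_manifest(encrypted, manifest_path):
    """Record size and path of each encrypted file to verify the backup later."""
    with open(manifest_path, "w", encoding="utf-8") as fh:
        for path in encrypted:
            fh.write(f"{os.path.getsize(path)}\t{path}\n")
    return len(encrypted)


def demo():
    """Run the inventory against a constructed directory tree (sample data)."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for name in ("report.docx" + ENCRYPTED_SUFFIX, "photo.jpg" + ENCRYPTED_SUFFIX,
                     "untouched.ini", RANSOM_NOTE):
            with open(os.path.join(docs, name), "wb") as fh:
                fh.write(b"constructed sample")
        encrypted, notes, by_ext = inventory(root)
        written = write_manifest(encrypted, os.path.join(root, "manifest.tsv"))
        return len(encrypted), len(notes), dict(by_ext), written


if __name__ == "__main__":
    print(demo())
```

On a real system, call `inventory()` on the affected drive or a mounted copy of it and write the manifest to separate media.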

Manually delete XRat, Team XRat from your computer

Note! Substantial notification about the XRat, Team XRat threat: Manual removal of XRat, Team XRat requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove XRat, Team XRat files and objects.
2. Find malicious files created by XRat, Team XRat on your PC.
3. Fix registry entries created by XRat, Team XRat on your PC.

Automatically remove XRat, Team XRat by downloading an advanced anti-malware program

1. Remove XRat, Team XRat with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by XRat, Team XRat in the future
3. Restore files encrypted by XRat, Team XRat
Optional: Using Alternative Anti-Malware Tools

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.
