The Xorist ransomware family has been known to security researchers for a while now. A new variant of this family has just emerged and has been identified as Team XRat, or just XRat. For now, the crypto virus specifically targets Portuguese-speaking victims, encrypting their files and appending a [email protected]@[email protected] extension to them. As for the ransom note, research indicates that it is called “Como descriptografar seus arquivos.txt”.
|Name||XRat, Team XRat|
|Short Description||The ransomware encrypts all important files and displays a ransom note.|
|Symptoms||The ransomware will encrypt files and append the [email protected]@[email protected] extension to each encrypted file.|
|Distribution Method||Spam Emails, File Sharing Networks, .Exe Files|
XRat Ransomware Distribution Methods
To infect users, this ransomware may spread via several different methods, such as:
- Via malicious executables, like Windows activators, game key generators, and others, pretending to be virus-free applications.
- Via infected USB drives or other external drives.
Technical Overview of Team XRat Xorist Ransomware
As noted above, the ransomware will encrypt the user’s files and add a [email protected]@[email protected] extension. The victim’s wallpaper will also be changed to a picture of Anonymous. The picture contains instructions telling the victim to send an email to [email protected] for further payment instructions.
The XRat Xorist ransomware may modify the registry entries of the victim’s computer, so that the malicious executables run every time Windows starts. This can happen by adding values and data in the following subkey:
After this is done and the victim’s PC is rebooted, the ransomware begins to scan for the files to encrypt. Previous Xorist variants are known to target the following files for encryption:
The files are most likely encrypted with either the XOR or the TEA encryption algorithm, which is fortunate, because a decryption method has already been outlined by security experts. See below.
After all data has been encrypted, the ransomware displays the ransom message as a wallpaper. The message is titled “Como descriptografar seus arquivos.txt”.
The very first thing to do is remove the ransomware from the system. The easiest way to do so is by using an automatic anti-malware program. To remove XRat, you should follow the step-by-step instructions below the article. In addition, we strongly advise you to be cautious while removing the ransomware and to back up your encrypted files in case the system crashes.
Regarding file restoration, there is a special decrypter for this ransomware developed by Emsisoft – Emsisoft Xorist Decrypter.
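Why an XOR-based scheme is recoverable, shown as an added illustration (not code from this article, and not the Emsisoft decrypter's method): it assumes a plain repeating-key XOR, which the article names only as a likely candidate, and it does not cover TEA or the real Xorist file layout. All names, the key and the file contents are constructed for the demo; the input is one file for which both the original (from a backup) and the encrypted copy exist.

```python
"""Known-plaintext key recovery against repeating-key XOR (illustrative)."""
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as needed (same op both ways)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(plain: bytes, cipher: bytes, max_len: int = 64) -> bytes:
    """Recover the repeating key from one original/encrypted file pair.

    plain XOR cipher yields the keystream; the key is its shortest period.
    At least two full repetitions are required, so the period is confirmed
    by the data rather than guessed.
    """
    n = min(len(plain), len(cipher))
    stream = bytes(p ^ c for p, c in zip(plain[:n], cipher[:n]))
    for size in range(1, min(max_len, n // 2) + 1):
        if all(stream[i] == stream[i % size] for i in range(size, n)):
            return stream[:size]
    raise ValueError("no repeating key: pair too short or not repeating-key XOR")


# Constructed sample data: key and file contents are made up for this demo.
DEMO_KEY = b"k3y-for-demo"
BACKUP_COPY = b"%PDF-1.4 constructed sample of a file the victim still has a backup of"
OTHER_FILE = b"Quarterly figures: constructed content with no surviving backup."

ENCRYPTED_COPY = xor_bytes(BACKUP_COPY, DEMO_KEY)
ENCRYPTED_OTHER = xor_bytes(OTHER_FILE, DEMO_KEY)

if __name__ == "__main__":
    key = recover_key(BACKUP_COPY, ENCRYPTED_COPY)
    print("recovered key:", key)
    print("restored file:", xor_bytes(ENCRYPTED_OTHER, key))
```

Work only on copies of the encrypted files, as advised above, so a wrong key guess cannot damage the originals.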
Manually delete XRat, Team XRat from your computer
Note! Important notice about the XRat, Team XRat threat: Manual removal of XRat, Team XRat requires modifying system files and registry entries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.