Remove Xrat Ransomware (Xorist). Restore .C0rp0r@c@0Xr@ Files - How to, Technology and PC Security Forum |

Remove Xrat Ransomware (Xorist). Restore .C0rp0r@c@0Xr@ Files

The Xorist ransomware family has been known to security researchers for a while now. A new variant of this family has just emerged and it has been identified as Team XRat, or just XRat. For now, the crypto virus specifically targets Portuguese speaking victims, encrypting their files and appending a .C0rp0r@c@0Xr@ to them. As for the ransom note, research indicates that it’s called “Como descriptografar seus arquivos.txt“.

Threat Summary

NameXRat, Team XRat
Short DescriptionThe ransomware encrypts all important files and displays a ransom note.
SymptomsThe ransomware will encrypt files with and put the .C0rp0r@c@0Xr@ extension to each encrypted file.
Distribution MethodSpam Emails, File Sharing Networks, .Exe Files
Detection Tool See If Your System Has Been Affected by XRat, Team XRat


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss XRat, Team XRat.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

XRat Ransomware Distribution Methods

To infect users, this ransomware may spread via several different methods, such as:

  • Through malicious URLs, sent out in spam campaigns, that cause drive-by-downloads or the execution of .js(JavaScript) files.
  • Via malicious executables, like Windows activators, game key generators, and others, pretending to be virus-free applications.
  • Via infected USB drives or other external drives.

Technical Overview of Team XRat Xorist Ransomware

Like we already said, the ransomware will encrypt the user’s files and will add a .C0rp0r@c@0Xr@ extension. The victim’s wallpaper will also be changed to a picture of Anonymous. The picture contains instructions telling the victim to send an email to for further payment instructions.

The XRat Xorist ransomware may modify the registry entries of the victim’s computer, so that the malicious executables run every time Windows starts. This can happen by adding values and data in the following subkey:


After this is done and the victim’s PC is rebooted, the ransomware begins to scan for the files to encrypt. Previous Xorist variants are known to target the following files for encryption:

*.zip, *.rar, *.7z, *.tar, *.gzip, *.jpg, *.jpeg, *.psd, *.cdr, *.dwg, *.max, *.bmp, *.gif, *.png, *.doc, *.docx, *.xls, *.xlsx, *.ppt, *.pptx, *.txt, *.pdf, *.djvu, *.htm, *.html, *.mdb, *.cer, *.p12, *.pfx, *.kwm, *.pwm, *.1cd, *.md, *.mdf, *.dbf, *.odt, *.vob, *.ifo, *.lnk, *.torrent, *.mov, *.m2v, *.3gp, *.mpeg, *.mpg, *.flv, *.avi, *.mp4, *.wmv, *.divx, *.mkv, *.mp3, *.wav, *.flac, *.ape, *.wma, *.ac3

The files are most likely encrypted by using either XOR or TEA encryption algorithms, which is fortunate, because a decryption method has already been outlined by security experts. See below.

After all data has been encrypted, the ransomware displays the ransom message either as a wallpaper. The message is titled “Como descriptografar seus arquivos.txt“.

How to Remove XRat Ransomware and Restore the .C0rp0r@c@0Xr@ Encrypted Files

The very first thing to do is remove the ransomware from the system. The easiest way to do so is by using an automatic anti-malware program. To remove XRat, you should follow the step-by-step instructions bellow the article. In addition, we strongly advise you to be cautious while removing the ransomware and back up your encrypted files in case the system crashes.

Regarding file restoration, there is a special decrypter for this ransomware developed by Emsisoft – Emsisoft Xorist Decrypter.


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share