Remove XRTN Ransomware from Your Machine

Ransomware is restless, and so are the malicious actors behind it, who are currently infecting millions of users. At the end of 2015 we are seeing new versions of file-encrypting families that have been active in the past. XRTN ransomware fits the description of a resurrected ransomware case: it has been identified as a close relative of the VaultCrypt family.

Name: XRTN Ransomware
Type: Ransomware
Short Description: A member of the VaultCrypt ransomware family.
Symptoms: The .xrtn extension is appended to the victim's files; encryption is performed with GnuPG using an RSA-1024 key pair.
Distribution Method: Email attachments (a JavaScript dropper disguised as a Word document).
Data Recovery: Tools that scan drive sectors for deleted files may recover only some of the affected data, depending on the situation and on whether the drive has been reformatted or overwritten since the infection.

VaultCrypt attacks were first detected in March 2015. What made VaultCrypt stand out among other ransomware was its file-encryption technique, which relied on Windows batch files driving the open-source GnuPG (Gnu Privacy Guard) encryption tool rather than on a custom crypto implementation. At the time, experts reported that the English version of the ransomware was not quite finished, although English instructions were already visible on the payment website.


What is specific about XRTN ransomware?

XRTN ransomware was first reported by Lawrence Abrams at Bleeping Computer. It encrypts files with the open-source Gnu Privacy Guard (GnuPG), using an RSA-1024 key pair. Once the machine is infected, an HTA document with the ransom instructions is displayed every time Windows starts. The document also contains an email address for contacting the cyber criminals, [email protected](.)ru. At the time of writing, recovering the decryption key is not possible.

XRTN Ransomware Technical Details

XRTN ransomware is assembled from several off-the-shelf tools and batch files rather than a single compiled executable. The infection starts with a JavaScript file that downloads the remaining components from gusang(.)vpscoke.com, opens the decoy document and then executes the batch file. Researchers believe the JavaScript file is distributed as an email attachment disguised as a Word document.

Once the batch file runs, GnuPG generates a fresh RSA-1024 key pair for the victim. The batch file then scans every drive letter; files whose extensions match the target list are encrypted and have the .xrtn extension appended.

Here is the list of file extensions this particular ransomware targets:

*.xls, *.doc, *.xlsx, *.docx, *.pdf, *.rtf, *.cdr, *.psd, *.dwg, *.cd, *.mdb, *.1cd, *.dbf, *.sqlite, *.jpg, *.zip

Are the Shadow Volume Copies Affected?

Unfortunately, like most advanced ransomware, XRTN makes sure to delete the Shadow Volume Copies, so a user without a clean backup has no built-in way to recover the data. The deletion is performed by a VBS script that runs a WMIC command to remove the shadow copies.
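The shadow-copy wipe is the one step in this chain that is both loud and generic, which makes it a good detection point. The following is an added example (not code from the article or from the malware) of the detection logic run over process-creation events: it flags the WMIC form the article describes and, going slightly beyond the text, the equally common vssadmin form, and it raises the severity when the wiping process was spawned by a script host or cmd.exe, which is how XRTN's VBS script launches it. The pipe-delimited key=value log format and the sample lines are constructed for the example; adapt parse_line() to your real Sysmon (Event ID 1) or Security 4688 export.

```python
"""Flag Volume Shadow Copy deletion in process-creation telemetry.

Added example, not from the article or the malware.  Log format below is a
constructed 'Key=Value|Key=Value' stand-in for Sysmon EID 1 / Security 4688.
"""
import re
from typing import Dict, List

# Command lines that destroy shadow copies.  XRTN uses the WMIC form; the
# vssadmin form is the other common variant and is included as well.
SHADOW_WIPE_PATTERNS = [
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
]

# XRTN launches WMIC from a VBS script (wscript/cscript) driven by a batch
# file (cmd.exe); any of these as the parent is the high-confidence pattern.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}


def parse_line(line: str) -> Dict[str, str]:
    """Split 'Key=Value|Key=Value' into a dict (constructed log format)."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> str:
    """Return 'high', 'medium' or '' for one process-creation event."""
    cmd = event.get("CommandLine", "")
    if not any(p.search(cmd) for p in SHADOW_WIPE_PATTERNS):
        return ""
    parent = basename(event.get("ParentImage", ""))
    # Script host / cmd.exe parent matches the XRTN chain; an interactive
    # admin doing it from PowerShell or Explorer is rarer but still alert-worthy.
    return "high" if parent in SCRIPT_HOSTS else "medium"


def find_shadow_copy_deletions(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over raw log lines and return the matching events."""
    findings = []
    for line in lines:
        event = parse_line(line)
        severity = classify(event)
        if severity:
            findings.append({"severity": severity,
                             "parent": basename(event.get("ParentImage", "")),
                             "command": event.get("CommandLine", "")})
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    r"ParentImage=C:\Windows\System32\wscript.exe|Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic shadowcopy delete",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic os get caption",
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -c Get-Date",
    r"ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=WMIC.exe /nointeractive shadowcopy delete",
]

if __name__ == "__main__":
    for f in find_shadow_copy_deletions(SAMPLE_LOG):
        print(f"[{f['severity']}] parent={f['parent']} cmd={f['command']}")
```

On the sample data this produces two high-severity hits (the wscript- and cmd-spawned wipes) and one medium hit (the PowerShell-launched WMIC), while the benign `wmic os get caption` is ignored. Matching on the command line rather than on the image name is deliberate: WMIC and vssadmin are legitimate administrative tools, and it is the `shadowcopy delete` / `delete shadows` verbs that carry the signal.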

The XRTN.key Explained

While the encryption is in progress, the batch file exports the private half of the victim's RSA key pair, the key needed to decrypt the victim's data, to a file named XRTN.key. XRTN.key is then itself encrypted with a master public key embedded in the batch file, so only the holder of the matching master private key, the ransomware's author, can read it.

In addition, XRTN.key contains personal information such as:

  • The user’s username
  • The computer’s name
  • Date
  • Number of encrypted files
  • Configuration settings
  • The number of each type of encrypted extension
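The two-level key scheme above is what makes the "pay or lose the files" proposition work, so it is worth seeing end to end. The following is an added example, not the ransomware's code and not from the article: a toy model in which textbook RSA with a small hand-rolled key generator stands in for GnuPG (so the block runs offline), key sizes are reduced for speed, and only the per-victim private exponent is wrapped under the master public key (the real tool wraps a whole exported GnuPG key file). The metadata fields are the ones the article lists for XRTN.key; the user, host, date and file contents are constructed.

```python
"""Toy model of the XRTN.key escrow scheme: per-victim RSA key pair,
files encrypted under its public half, private half wrapped under the
author's master public key.  Added example; textbook RSA stands in for GnuPG."""
import secrets
from typing import Dict, Tuple

Key = Tuple[int, int]  # (modulus n, exponent)


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test, adequate for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit and odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int) -> Tuple[Key, Key]:
    """Return (public (n, e), private (n, d)) with an n-bit modulus."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e prime, so phi % e != 0 means gcd == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_apply(key: Key, value: int) -> int:
    """Raw RSA operation (encrypt with a public key, decrypt with a private one)."""
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exp, n)


def encrypt_files(victim_pub: Key, files: Dict[str, bytes]) -> Dict[str, int]:
    """Encrypt each file body under the victim's public key and append .xrtn."""
    return {name + ".xrtn": rsa_apply(victim_pub, int.from_bytes(body, "big"))
            for name, body in files.items()}


def build_xrtn_key(master_pub: Key, victim_priv: Key, user: str, host: str,
                   date: str, per_ext: Dict[str, int]) -> Dict:
    """The XRTN.key blob: victim metadata plus the private exponent wrapped
    under the master public key, which is all the victim machine ever holds."""
    n, d = victim_priv
    return {
        "user": user, "computer": host, "date": date,
        "encrypted_files": sum(per_ext.values()), "per_extension": per_ext,
        "config": {"ext": ".xrtn", "bits": n.bit_length()},
        "modulus": n,                           # public anyway
        "wrapped_d": rsa_apply(master_pub, d),  # opaque without the master private key
    }


def attacker_recover(master_priv: Key, key_file: Dict) -> Key:
    """What the author does after payment: unwrap d with the master private key."""
    return key_file["modulus"], rsa_apply(master_priv, key_file["wrapped_d"])


def decrypt_files(victim_priv: Key, blobs: Dict[str, int]) -> Dict[str, bytes]:
    out = {}
    for name, c in blobs.items():
        m = rsa_apply(victim_priv, c)
        out[name[:-len(".xrtn")]] = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return out


def demo() -> Tuple[Dict[str, bytes], Dict[str, bytes], bool]:
    """Whole flow; returns (originals, recovered files, recovered key == victim key)."""
    master_pub, master_priv = generate_keypair(768)  # author's pair; only pub ships in the batch file
    victim_pub, victim_priv = generate_keypair(384)  # generated on the victim at run time
    files = {"report.doc": b"Q3 figures, constructed sample", "photo.jpg": b"\xff\xd8 fake jpeg"}
    blobs = encrypt_files(victim_pub, files)
    key_file = build_xrtn_key(master_pub, victim_priv, "alice", "WS-01", "2015-11-20",
                              {".doc": 1, ".jpg": 1})
    recovered_priv = attacker_recover(master_priv, key_file)
    return files, decrypt_files(recovered_priv, blobs), recovered_priv == victim_priv


if __name__ == "__main__":
    originals, recovered, ok = demo()
    print("recovered key matches:", ok, "| files intact:", recovered == originals)
```

Two things the model makes concrete. First, the only secret the victim's disk holds after the run is `wrapped_d`, and unwrapping it needs the master private key, which never leaves the author; this is why the article says the key cannot be recovered. Second, the victim's private key does exist in the clear on the machine for a moment, between generation and export, so a memory image or the undeleted remains of the GnuPG keyring taken during that window are, in principle, the only recovery path that does not go through the author; in practice that window is almost never captured, which is what "not possible" means here.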

Can files encrypted by XRTN ransomware be decrypted?

Unfortunately, the encryption cannot be broken without the private key, which only the ransomware's author holds. Because the Shadow Volume Copies are deleted as well, the only reliable way to restore the affected data is from a clean backup.

To remove the remaining components of XRTN ransomware (the JavaScript dropper, the batch and VBS scripts and the HTA ransom note), run a full scan with an up-to-date anti-malware program, and only then restore the encrypted files from a backup that predates the infection.


Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.
