Remove XRTN Ransomware and Get Rid of .xrtn File Extension - How to, Technology and PC Security Forum |

Remove XRTN Ransomware and Get Rid of .xrtn File Extension

XRTN is a ransomware virus reported by researchers to belong to the VaultCrypt family of ransomware viruses. It uses the same .xrtn file extension which it adds on the encrypted files after it has successfully encrypted them via the RSA-1024 encryption algorithm. In addition to this algorithm, the ransomware uses other mechanisms which sophisticate the brute force decryption, making it even more impossible. Despite the fact that the creators of XRTN ransomware do not say what amount is requested as a payoff to decrypt the files, users believe it is in the range of 1 – 5 BitCoins. It is strongly advisable not to pay any ransom money to the cyber-criminals because there is no full guarantee the files will be restored and you help their cyber-crime syndicate further spread this ransomware virus. We recommend removing the ransomware and attempting to restore your files using alternative file-restoration methods such as the ones in this article.

Threat Summary

Short DescriptionThe ransomware encrypts files with the RSA 1024 cipher and asks to contact cyber-criminals for decryption.
SymptomsFiles are encrypted and become inaccessible with a .xrtn extension added. A ransom note with instructions is added as a wallpaper asking to contact [email protected] e-mail.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by XRTN


Malware Removal Tool

User ExperienceJoin our forum to Discuss XRTN Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

XRTN Ransomware – Distribution Ways

To infect users globally, XRTN Ransomware uses a malicious.JS (JavaScript) file disguised as a Word document and featured in spam e-mail messages. Once the user opens the document, the script may connect to the following remote host:

From this host, a malicious file, that may carry the name “GnuPG.exe” may be downloaded onto the victim’s computer. The file may contain the so-called obfuscators to make it run while being concealed from standard antivirus programs.

How Does XRTN Ransomware Work

After the malicious executable has been dropped, the following files are reported by malware researchers to be created on the infected device’s %Temp% folder:

  • 3cnq8256w5rxxavz.hta
  • 4077430c_xrtn.KEY
  • Do_88u.docx
  • dsfsdghd.bat
  • ez3x7je8.cmd
  • xrtn.KEY
  • xrtn.txt

Source: Infected Users

In addition to those, files XRTN is reported to be associated with other malicious files in the %AppData% directory:


XRTN Crypto-virus is also reported to create a “Run” type of registry entries – something rather typical for such a virus. The key aims to run an .hta type of file when Windows starts, pointing out to this file being the same encryptor used with VaultCrypt ransomware:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\onuntsss mshta %AppData%\3cnq8256w5rxxavz.hta

Most of the files created by XRTN ransomware contain alpha numerical identifications, suggesting their filenames may be automatically generated with each infection.

Once stealthily activated on the computer, XRTN begins to look for the following types of documents, photos and others to encrypt them:

.xls, .doc, .xlsx, .docx, .pdf, .rtf, .cdr, .psd, .dwg, .cd, .mdb, .1cd, .dbf, .sqlite, .jpg, .zip Source:Bleeping Computer

The encrypted files are appended the .xrtn file extension, for example:


Regarding encryption, XRTN Ransom virus uses a very strong RSA-1024 encryption algorithm. Also, it uses the so-called GNU Privacy Guard which as its exit code. Finally after encryption, the XRTN.key file containing the decryption information is created either in %TEMP% or %APPDATA% folders.

The ransomware changes the wallpaper of the user with ransom payoff instructions, which are the following:

All important files and information on this computer(documents, databases, etc.) will be decrypted using a RSA cryptographic algorithm
Without special software decoding a single file with the help of the most powerful computers will take about a 20 years.
contact an expert on email: [email protected]

Remove XRTN Ransomware and Try to Revert The Files

XRTN Ransomware is most likely believed to be a virus which is “assembled” from other ransom-demanding cyber threats, like VaultCrypt. So far direct decryption of its files is impossible, but we will update this article as soon as one is released. Until then DO NOT pay the ransom and try to use alternative methods to restore your files, like the suggestions in step “3. Restore files encrypted by XRTN” below after removing the ransomware. For the removal of XRTN, it is also recommended to use an advanced anti-malware program, because the XRTN virus may create randomly named files in different Windows directories and an automatic approach may be more appropriate.

Manually delete XRTN from your computer

Note! Substantial notification about the XRTN threat: Manual removal of XRTN requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove XRTN files and objects
2.Find malicious files created by XRTN on your PC
3.Fix registry entries created by XRTN on your PC

Automatically remove XRTN by downloading an advanced anti-malware program

1. Remove XRTN with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by XRTN in the future
3. Restore files encrypted by XRTN
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.