Remove XRTN Ransomware and Get Rid of .xrtn File Extension

XRTN is a ransomware virus that researchers report belongs to the VaultCrypt family of ransomware. It uses the .xrtn file extension of the same name, which it appends to files after it has encrypted them with the RSA-1024 encryption algorithm. In addition to this algorithm, the ransomware uses other mechanisms that complicate brute-force decryption, making it even less feasible. Although the creators of XRTN ransomware do not state the amount they demand to decrypt the files, users believe it is in the range of 1 – 5 BitCoins. It is strongly advisable not to pay any ransom to the cyber-criminals, because there is no guarantee the files will be restored and paying helps their cyber-crime syndicate spread this ransomware further. We recommend removing the ransomware and attempting to restore your files using alternative file-restoration methods such as the ones in this article.

Threat Summary

Short Description: The ransomware encrypts files with the RSA 1024 cipher and asks to contact cyber-criminals for decryption.
Symptoms: Files are encrypted and become inaccessible with a .xrtn extension added. A ransom note with instructions is added as a wallpaper asking to contact e-mail.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

XRTN Ransomware – Distribution Ways

To infect users globally, XRTN Ransomware uses a malicious .JS (JavaScript) file that is disguised as a Word document and distributed in spam e-mail messages. Once the user opens the document, the script may connect to the following remote host:

From this host, a malicious file that may carry the name “GnuPG.exe” may be downloaded onto the victim’s computer. The file may contain so-called obfuscators that let it run while staying concealed from standard antivirus programs.

How Does XRTN Ransomware Work

After the malicious executable has been dropped, the following files are reported by malware researchers to be created in the infected device’s %Temp% folder:

  • 3cnq8256w5rxxavz.hta
  • 4077430c_xrtn.KEY
  • Do_88u.docx
  • dsfsdghd.bat
  • ez3x7je8.cmd
  • xrtn.KEY
  • xrtn.txt

Source: Infected Users

In addition to those files, XRTN is reported to be associated with other malicious files in the %AppData% directory:


XRTN Crypto-virus is also reported to create a “Run” registry entry, which is rather typical for such a virus. The entry aims to run an .hta file when Windows starts, which suggests this file is the same encryptor used with VaultCrypt ransomware:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\onuntsss mshta %AppData%\3cnq8256w5rxxavz.hta

Most of the files created by XRTN ransomware have alphanumeric names, suggesting their filenames may be automatically generated with each infection.
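A triage sketch for the persistence and file indicators described above, added here as an example and not taken from the original article or from any vendor tool. Because the names appear to be generated per infection, it matches on behaviour (a Run value launching mshta on an .hta inside a user-profile folder) and on the `xrtn.KEY` / `xrtn.txt` naming pattern rather than on exact names. It assumes Run values were exported with `reg query`; the function names and every sample line other than the `onuntsss` value and the XRTN file names are constructed.

```python
import re

# Constructed sample of `reg query` output for the HKCU Run key.
# Only the "onuntsss" value comes from the article; the rest is made up.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    onuntsss    REG_SZ    mshta %AppData%\3cnq8256w5rxxavz.hta
    qx71hbza    REG_EXPAND_SZ    "C:\Windows\System32\mshta.exe" "C:\Users\alice\AppData\Local\Temp\k2j9.hta"
    HelpViewer    REG_SZ    mshta.exe "C:\Program Files\Vendor\help.hta"
"""

# Constructed %Temp% listing; the XRTN names are the ones listed in the article.
SAMPLE_TEMP_FILES = ["4077430c_xrtn.KEY", "xrtn.KEY", "xrtn.txt",
                     "Do_88u.docx", "setup.log", "report.xrtn.bak"]

# One value line of `reg query` output: name, type and data split by 4 spaces.
VALUE_LINE = re.compile(r'^\s+(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$')
# mshta as the command, bare or as the last element of a full path.
MSHTA = re.compile(r'(?:^|[\\"\s])mshta(?:\.exe)?\b', re.I)
# An .hta path under a user-writable profile location, expanded or not.
USER_HTA = re.compile(r'(%appdata%|%temp%|%localappdata%|\\appdata\\)[^"]*\.hta\b', re.I)
# Key/note artefacts: optional generated prefix, then xrtn.KEY or xrtn.txt.
XRTN_FILE = re.compile(r'^(?:[0-9a-z]+_)?xrtn\.(?:key|txt)$', re.I)


def suspicious_run_values(reg_query_text):
    """Return (name, data) for Run values that start mshta on a profile-folder .hta."""
    hits = []
    for line in reg_query_text.splitlines():
        m = VALUE_LINE.match(line)
        if m and MSHTA.search(m["data"]) and USER_HTA.search(m["data"]):
            hits.append((m["name"], m["data"]))
    return hits


def xrtn_artifacts(filenames):
    """Return file names that match the XRTN key/note naming pattern."""
    return [f for f in filenames if XRTN_FILE.match(f)]


if __name__ == "__main__":
    for name, data in suspicious_run_values(SAMPLE_REG_QUERY):
        print(f"Run value to review: {name} -> {data}")
    print("Key/note files:", xrtn_artifacts(SAMPLE_TEMP_FILES))
```

The `HelpViewer` entry is deliberately not flagged: mshta pointing at an .hta under Program Files is a different situation from one living in a user-writable folder.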

Once stealthily activated on the computer, XRTN begins to look for the following types of documents, photos and others to encrypt them:

.xls, .doc, .xlsx, .docx, .pdf, .rtf, .cdr, .psd, .dwg, .cd, .mdb, .1cd, .dbf, .sqlite, .jpg, .zip

Source: Bleeping Computer

The .xrtn file extension is appended to the encrypted files, for example:


Regarding encryption, XRTN Ransom virus uses a very strong RSA-1024 encryption algorithm. Also, it uses the so-called GNU Privacy Guard which as its exit code. Finally, after encryption, the XRTN.key file containing the decryption information is created in either the %TEMP% or the %APPDATA% folder.

The ransomware changes the wallpaper of the user with ransom payoff instructions, which are the following:

All important files and information on this computer(documents, databases, etc.) will be decrypted using a RSA cryptographic algorithm
Without special software decoding a single file with the help of the most powerful computers will take about a 20 years.
contact an expert on email:

Remove XRTN Ransomware and Try to Revert The Files

XRTN Ransomware is believed to be a virus “assembled” from other ransom-demanding cyber threats, like VaultCrypt. So far, direct decryption of its files is impossible, but we will update this article as soon as a decryptor is released. Until then, DO NOT pay the ransom; after removing the ransomware, try alternative methods to restore your files, like the suggestions in step “3. Restore files encrypted by XRTN” below. For the removal of XRTN, it is also recommended to use an advanced anti-malware program, because the XRTN virus may create randomly named files in different Windows directories and an automatic approach may be more appropriate.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
